unitas/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch

Index: frontends/php/include/defines.inc.php
===================================================================
--- frontends/php/include/defines.inc.php	(revision 46596)
+++ frontends/php/include/defines.inc.php	(revision 46655)
@@ -835,6 +835,14 @@
 
 define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
 
+// XML import flags
+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
+// so this flag is not needed here.
+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
+
 // API errors
 define('ZBX_API_ERROR_INTERNAL',	111);
 define('ZBX_API_ERROR_PARAMETERS',	100);
Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
===================================================================
--- frontends/php/include/classes/import/readers/CXmlImportReader.php	(revision 46596)
+++ frontends/php/include/classes/import/readers/CXmlImportReader.php	(revision 46655)
@@ -32,7 +32,8 @@
 	 */
 	public function read($string) {
 		libxml_use_internal_errors(true);
-		$result = simplexml_load_string($string);
+		libxml_disable_entity_loader(true);
+		$result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
 		if (!$result) {
 			$errors = libxml_get_errors();
 			libxml_clear_errors();
Index: frontends/php/include/classes/import/CXmlImport18.php
===================================================================
--- frontends/php/include/classes/import/CXmlImport18.php	(revision 46596)
+++ frontends/php/include/classes/import/CXmlImport18.php	(revision 46655)
@@ -390,12 +390,13 @@
 		return $array;
 	}
 
-	public static function import($file) {
+	public static function import($source) {
 
 		libxml_use_internal_errors(true);
+		libxml_disable_entity_loader(true);
 
 		$xml = new DOMDocument();
-		if (!$xml->loadXML($file)) {
+		if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
 			$text = '';
 			foreach (libxml_get_errors() as $error) {
 				switch ($error->level) {
weitere Dateien 2014-10-16 09:39:39 +02:00			`Index: frontends/php/include/defines.inc.php`
			`===================================================================`
			`--- frontends/php/include/defines.inc.php (revision 46596)`
			`+++ frontends/php/include/defines.inc.php (revision 46655)`
			`@@ -835,6 +835,14 @@`

			`define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');`

			`+// XML import flags`
			`+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed`
			`+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml`
			`+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND`
			`+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -`
			`+// so this flag is not needed here.`
			`+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);`
			`+`
			`// API errors`
			`define('ZBX_API_ERROR_INTERNAL', 111);`
			`define('ZBX_API_ERROR_PARAMETERS', 100);`
			`Index: frontends/php/include/classes/import/readers/CXmlImportReader.php`
			`===================================================================`
			`--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)`
			`+++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)`
			`@@ -32,7 +32,8 @@`
			`*/`
			`public function read($string) {`
			`libxml_use_internal_errors(true);`
			`- $result = simplexml_load_string($string);`
			`+ libxml_disable_entity_loader(true);`
			`+ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);`
			`if (!$result) {`
			`$errors = libxml_get_errors();`
			`libxml_clear_errors();`
			`Index: frontends/php/include/classes/import/CXmlImport18.php`
			`===================================================================`
			`--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)`
			`+++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)`
			`@@ -390,12 +390,13 @@`
			`return $array;`
			`}`

			`- public static function import($file) {`
			`+ public static function import($source) {`

			`libxml_use_internal_errors(true);`
			`+ libxml_disable_entity_loader(true);`

			`$xml = new DOMDocument();`
			`- if (!$xml->loadXML($file)) {`
			`+ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {`
			`$text = '';`
			`foreach (libxml_get_errors() as $error) {`
			`switch ($error->level) {`