Index: frontends/php/include/defines.inc.php =================================================================== --- frontends/php/include/defines.inc.php (revision 46596) +++ frontends/php/include/defines.inc.php (revision 46655) @@ -835,6 +835,14 @@ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts'); +// XML import flags +// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed +// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml +// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND +// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name - +// so this flag is not needed here. +define('LIBXML_IMPORT_FLAGS', LIBXML_NONET); + // API errors define('ZBX_API_ERROR_INTERNAL', 111); define('ZBX_API_ERROR_PARAMETERS', 100); Index: frontends/php/include/classes/import/readers/CXmlImportReader.php =================================================================== --- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596) +++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655) @@ -32,7 +32,8 @@ */ public function read($string) { libxml_use_internal_errors(true); - $result = simplexml_load_string($string); + libxml_disable_entity_loader(true); + $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS); if (!$result) { $errors = libxml_get_errors(); libxml_clear_errors(); Index: frontends/php/include/classes/import/CXmlImport18.php =================================================================== --- frontends/php/include/classes/import/CXmlImport18.php (revision 46596) +++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655) @@ -390,12 +390,13 @@ return $array; } - public static function import($file) { + public static function import($source) { libxml_use_internal_errors(true); + libxml_disable_entity_loader(true); $xml = new DOMDocument(); - if (!$xml->loadXML($file)) { + if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) { $text = ''; foreach (libxml_get_errors() as $error) { switch ($error->level) {