Commit 9748c636 authored by Hugh Davenport's avatar Hugh Davenport

Fix Leap2A import from Moodle



Related to bug #1047111

That bug fixed the XXE attack by setting the following to true
 libxml_disable_entity_loader

This caused issues with the leap2a importer used by mnet, which
used the simplexml_load to load the xml which relies on file
based remote entities. For this situation, the following flag
is used, which stops network based XXE attacks
 LIBXML_NONET

Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
Signed-off-by: default avatarHugh Davenport <hugh@catalyst.net.nz>
parent c3fb9200
......@@ -119,10 +119,17 @@ class PluginImportLeap extends PluginImport {
LIBXML_COMPACT | // Reported to greatly speed XML parsing
LIBXML_NONET // Disable network access - security check
;
if (function_exists('libxml_disable_entity_loader')) {
// The LIBXML_NONET stops proper network based XXE attacks from happening
libxml_disable_entity_loader(false);
}
if (!$this->xml = simplexml_load_file($this->filename, 'SimpleXMLElement', $options)) {
// TODO: bail out in a much nicer way...
throw new ImportException($this, "FATAL: XML file is not well formed! Please consult Mahara's error log for more information");
}
if (function_exists('libxml_disable_entity_loader')) {
libxml_disable_entity_loader(true);
}
$this->namespaces = array_flip($this->xml->getDocNamespaces());
$this->registerXpathNamespaces($this->xml);
$this->trace("Document loaded, entries: " . count($this->xml->entry));
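Review bot: The `ImportException` thrown when `simplexml_load_file()` fails skips the later `libxml_disable_entity_loader(true)`, so a malformed import leaves the entity loader enabled for the rest of the request. The restore is also hard-coded to `true` instead of the previous state that `libxml_disable_entity_loader()` returns. Restoring immediately after the load, before the result is tested, closes both gaps, as sketched below. `LIBXML_NONET` only blocks network fetches; if the `$options` flags that begin above this hunk enable entity substitution or DTD loading, local file entities would presumably still resolve while the loader is on, so that is worth confirming. The enclosing method starts and ends outside the hunk.

```php
// … unchanged: $options flags ending in LIBXML_NONET …
$hasloader = function_exists('libxml_disable_entity_loader');
$previous = $hasloader ? libxml_disable_entity_loader(false) : null;
$this->xml = simplexml_load_file($this->filename, 'SimpleXMLElement', $options);
if ($hasloader) {
    // Restore before any throw so the loader is never left enabled
    libxml_disable_entity_loader($previous);
}
if (!$this->xml) {
    // … unchanged: throw ImportException …
}
```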
......