fix(apps): Fix loading info.xml file

Ref: https://bugs.php.net/bug.php?id=62577 Signed-off-by: Joas Schilling <[email protected]>
nextcloud · Jul 20, 2023 · 5574c12 · 5574c12
1 parent 7d870b5
commit 5574c12
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 4 deletions.
diff --git a/lib/base.php b/lib/base.php
@@ -552,6 +552,11 @@ private static function performSameSiteCookieProtection() {
 	}
 
 	public static function init() {
+		// prevent any XML processing from loading external entities
+		libxml_set_external_entity_loader(static function () {
+			return null;
+		});
+
 		// calculate the root directories
 		OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
 

diff --git a/lib/private/App/CodeChecker/DatabaseSchemaChecker.php b/lib/private/App/CodeChecker/DatabaseSchemaChecker.php
@@ -42,7 +42,7 @@ public function analyse($appId) {
 
 		libxml_use_internal_errors(true);
 		$loadEntities = libxml_disable_entity_loader(false);
-		$xml = simplexml_load_file($appPath . '/appinfo/database.xml');
+		$xml = simplexml_load_string(file_get_contents($appPath . '/appinfo/database.xml'));
 		libxml_disable_entity_loader($loadEntities);
 
 

diff --git a/lib/private/App/CodeChecker/InfoChecker.php b/lib/private/App/CodeChecker/InfoChecker.php
@@ -44,6 +44,14 @@ public function analyse($appId): array {
 			throw new \RuntimeException("No app with given id <$appId> known.");
 		}
 
+		libxml_set_external_entity_loader(static function ($public, $system, $context) {
+			if ($system === \OC::$SERVERROOT . '/resources/app-info.xsd'
+				|| \OC::$SERVERROOT . '/resources/app-info-shipped.xsd') {
+				return $system;
+			}
+			return null;
+		});
+
 		$xml = new \DOMDocument();
 		$xml->load($appPath . '/appinfo/info.xml');
 
@@ -68,6 +76,10 @@ public function analyse($appId): array {
 			}
 		}
 
+		libxml_set_external_entity_loader(static function () {
+			return null;
+		});
+
 		return $errors;
 	}
 

diff --git a/lib/private/App/InfoParser.php b/lib/private/App/InfoParser.php
@@ -62,7 +62,7 @@ public function parse($file) {
 
 		libxml_use_internal_errors(true);
 		$loadEntities = libxml_disable_entity_loader(false);
-		$xml = simplexml_load_file($file);
+		$xml = simplexml_load_string(file_get_contents($file));
 
 		libxml_disable_entity_loader($loadEntities);
 		if ($xml === false) {

diff --git a/lib/private/DB/MDB2SchemaReader.php b/lib/private/DB/MDB2SchemaReader.php
@@ -67,7 +67,7 @@ public function __construct(IConfig $config, AbstractPlatform $platform) {
 	 */
 	public function loadSchemaFromFile($file, Schema $schema) {
 		$loadEntities = libxml_disable_entity_loader(false);
-		$xml = simplexml_load_file($file);
+		$xml = simplexml_load_string(file_get_contents($file));
 		libxml_disable_entity_loader($loadEntities);
 		foreach ($xml->children() as $child) {
 			/**

diff --git a/lib/private/Installer.php b/lib/private/Installer.php
@@ -316,7 +316,7 @@ public function downloadApp($appId, $allowUnstable = false) {
 
 						// Check if appinfo/info.xml has the same app ID as well
 						$loadEntities = libxml_disable_entity_loader(false);
-						$xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+						$xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 						libxml_disable_entity_loader($loadEntities);
 						if ((string)$xml->id !== $appId) {
 							throw new \Exception(