From ba54cb201c02a651553d48e8568192a57be5779f Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 12 Jul 2023 09:23:37 +0200
Subject: [PATCH] fix(apps): Fix loading info.xml file

Ref: https://bugs.php.net/bug.php?id=62577
Signed-off-by: Joas Schilling
---
 lib/base.php | 5 +++++
 lib/private/App/InfoParser.php | 6 +++---
 lib/private/Installer.php | 4 ++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 198a870619278..94f83f4c0b90c 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -559,6 +559,11 @@ private static function performSameSiteCookieProtection(\OCP\IConfig $config) {
 }
 
 public static function init() {
+ // prevent any XML processing from loading external entities
+ libxml_set_external_entity_loader(static function () {
+ return null;
+ });
+
 // calculate the root directories
 OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
 
diff --git a/lib/private/App/InfoParser.php b/lib/private/App/InfoParser.php
index 9d57ef95688d3..227d5568ad37d 100644
--- a/lib/private/App/InfoParser.php
+++ b/lib/private/App/InfoParser.php
@@ -31,7 +31,7 @@
 
 use OCP\ICache;
 use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
 
 class InfoParser {
 /** @var \OCP\ICache|null */
@@ -63,10 +63,10 @@ public function parse($file) {
 libxml_use_internal_errors(true);
 if ((PHP_VERSION_ID < 80000)) {
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
 libxml_disable_entity_loader($loadEntities);
 } else {
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
 }
 
 if ($xml === false) {
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index 95143656295e1..c141abeac8a4d 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
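Review bot: The comment on the new `libxml_set_external_entity_loader()` call in `OC::init()` (lib/base.php) states the intent but not the side effect that the rest of this patch works around. With a loader that always returns `null`, file-based entry points such as `simplexml_load_file()` apparently stop working as well, which is presumably why the other hunks switch to `simplexml_load_string(file_get_contents(...))`. I would extend the comment to say so, e.g. `// NOTE: this also blocks file-based loaders like simplexml_load_file(); read the file and parse the string instead`, so that later callers do not reintroduce the old pattern. The loader only takes effect once `init()` has run, and its body continues outside the hunk.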
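Review bot: In `InfoParser::parse()` (lib/private/App/InfoParser.php) the PHP < 8 branch still wraps the parse in `libxml_disable_entity_loader(false)`, which switches entity loading back on for the duration of the call. That toggle looks like a workaround for `simplexml_load_file()` and appears unnecessary now that the content is read with `file_get_contents()` and parsed from a string. If so, both branches can collapse to the single line `$xml = simplexml_load_string(file_get_contents($file));`, and the `use function libxml_disable_entity_loader;` import can go if nothing else in the file needs it. The same leftover toggle is in the `Installer::downloadApp()` hunk. The body of `parse()` starts and ends outside the hunk, so confirm there that an unreadable file is handled before `file_get_contents()` is reached.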
@@ -334,10 +334,10 @@ public function downloadApp($appId, $allowUnstable = false) {
 // Check if appinfo/info.xml has the same app ID as well
 if ((PHP_VERSION_ID < 80000)) {
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 libxml_disable_entity_loader($loadEntities);
 } else {
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 }
 if ((string)$xml->id !== $appId) {
 throw new \Exception(
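Review bot: `$xml` is dereferenced as `$xml->id` in `downloadApp()` without the `=== false` check that `InfoParser::parse()` applies, although this info.xml apparently comes from a just-extracted archive and may be missing or malformed. Both `file_get_contents()` and `simplexml_load_string()` return `false` on failure, so a broken package would most likely surface as a PHP warning followed by the app-ID mismatch exception rather than a clear parse error. I would add `if ($xml === false) { throw new \Exception('Could not parse appinfo/info.xml'); }` before the ID comparison; the message wording is only a suggestion. The body of `downloadApp()` starts and ends outside the hunk.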