diff --git a/lib/base.php b/lib/base.php
index c42f427ca40b7..98e05c6a700ab 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -545,6 +545,11 @@ private static function performSameSiteCookieProtection(\OCP\IConfig $config) {
 }
 public static function init() {
+ // prevent any XML processing from loading external entities
+ libxml_set_external_entity_loader(static function () {
+ return null;
+ });
+
 // calculate the root directories
 OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
diff --git a/lib/private/App/CodeChecker/DatabaseSchemaChecker.php b/lib/private/App/CodeChecker/DatabaseSchemaChecker.php
index 595a3fe0209c2..8d0dad6379326 100644
--- a/lib/private/App/CodeChecker/DatabaseSchemaChecker.php
+++ b/lib/private/App/CodeChecker/DatabaseSchemaChecker.php
@@ -42,7 +42,7 @@ public function analyse($appId) {
 libxml_use_internal_errors(true);
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($appPath . '/appinfo/database.xml');
+ $xml = simplexml_load_string(file_get_contents($appPath . '/appinfo/database.xml'));
 libxml_disable_entity_loader($loadEntities);
diff --git a/lib/private/App/CodeChecker/InfoChecker.php b/lib/private/App/CodeChecker/InfoChecker.php
index 038fd34f436bc..d46a6dbc54155 100644
--- a/lib/private/App/CodeChecker/InfoChecker.php
+++ b/lib/private/App/CodeChecker/InfoChecker.php
@@ -44,6 +44,14 @@ public function analyse($appId): array {
 throw new \RuntimeException("No app with given id <$appId> known.");
 }
+ libxml_set_external_entity_loader(static function ($public, $system, $context) {
+ if ($system === \OC::$SERVERROOT . '/resources/app-info.xsd'
+ || \OC::$SERVERROOT . '/resources/app-info-shipped.xsd') {
+ return $system;
+ }
+ return null;
+ });
+
 $xml = new \DOMDocument();
 $xml->load($appPath . '/appinfo/info.xml');
@@ -68,6 +76,10 @@ public function analyse($appId): array {
 }
 }
+ libxml_set_external_entity_loader(static function () {
+ return null;
+ });
+
 return $errors;
 }
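Review bot: The comment above the new loader should state the consequence it has for the rest of the codebase, because a loader that returns null refuses not only DTD entities but, as the other hunks in this commit indicate, also the path handed to `simplexml_load_file()` and `DOMDocument::load()`; a later reader who sees a file load fail will otherwise be tempted to re-enable entity loading. Suggest replacing the one-liner with `// Refuse all external entities (XXE hardening). This also stops libxml from opening files itself, so XML files are read with file_get_contents() and parsed from a string; code that needs a schema installs a path-allowlisting loader and reinstalls this one afterwards (see InfoChecker).`. The rest of init() is outside the hunk.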
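Review bot: `file_get_contents()` returns `false` for a missing or unreadable file, and the new line passes that value straight into `simplexml_load_string()` — a `TypeError` if the file declares `strict_types`, otherwise an empty-string parse that fails for a reason unrelated to the document; the same pattern is in the InfoParser, MDB2SchemaReader and Installer hunks of this commit. Reading first keeps an I/O failure distinguishable from a parse error: `$content = file_get_contents($appPath . '/appinfo/database.xml');` followed by `$xml = $content === false ? false : simplexml_load_string($content);`. Each site also deserves a why-comment, e.g. `// read the file ourselves: the global libxml entity loader (lib/base.php) refuses to open paths`, since nothing in the hunk explains why the simpler call was replaced. The surrounding `libxml_disable_entity_loader()` pair is presumably without effect now that a custom loader is installed and is deprecated on PHP 8; InfoParser and Installer guard it with `PHP_VERSION_ID < 80000`, this file and MDB2SchemaReader do not.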
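Review bot: The allowlist check in the new InfoChecker loader is always true: the second operand of `||` is the bare concatenation `\OC::$SERVERROOT . '/resources/app-info-shipped.xsd'`, a non-empty string, so the callback returns `$system` for every URI and external entity loading is fully re-enabled for as long as this loader is installed. The intended line is `|| $system === \OC::$SERVERROOT . '/resources/app-info-shipped.xsd') {`. Once the comparison is fixed, the `$xml->load($appPath . '/appinfo/info.xml')` two lines below presumably goes through the same loader and would be refused — the situation the other hunks in this commit avoid by reading the file themselves — so `$xml->loadXML(file_get_contents($appPath . '/appinfo/info.xml'));` keeps this site consistent with them. analyse() continues outside the hunk.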
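Review bot: The reset to the deny-all loader in the second InfoChecker hunk runs only on the normal return path; anything that throws between the two hunks (that part of the body is outside this diff) leaves the XSD-allowing loader installed, and because libxml has a single global loader that affects every later parse in the same request. Wrapping the work between the install and the reset in a `try` block and moving the reset into `} finally { libxml_set_external_entity_loader(static function () { return null; }); }` closes that gap. The closure also duplicates the one added in lib/base.php; a small shared helper would keep the two identical.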
diff --git a/lib/private/App/InfoParser.php b/lib/private/App/InfoParser.php
index c87dd1ae2a417..60f15f64a1e53 100644
--- a/lib/private/App/InfoParser.php
+++ b/lib/private/App/InfoParser.php
@@ -33,7 +33,7 @@
 use OCP\ICache;
 use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
 class InfoParser {
 /** @var \OCP\ICache|null */
@@ -65,10 +65,10 @@ public function parse($file) {
 libxml_use_internal_errors(true);
 if ((PHP_VERSION_ID < 80000)) {
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
 libxml_disable_entity_loader($loadEntities);
 } else {
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
 }
 if ($xml === false) {
diff --git a/lib/private/DB/MDB2SchemaReader.php b/lib/private/DB/MDB2SchemaReader.php
index 687438495b196..ba26a7d85767b 100644
--- a/lib/private/DB/MDB2SchemaReader.php
+++ b/lib/private/DB/MDB2SchemaReader.php
@@ -67,7 +67,7 @@ public function __construct(IConfig $config, AbstractPlatform $platform) {
 */
 public function loadSchemaFromFile($file, Schema $schema) {
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
 libxml_disable_entity_loader($loadEntities);
 foreach ($xml->children() as $child) {
 /**
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index 2d09065be5cf3..d4151c48c40cd 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
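Review bot: In MDB2SchemaReader, `$xml` is dereferenced in `foreach ($xml->children() as $child)` right after the new line without a `false` check, and the new read path adds a second way to get `false` (an unreadable file, besides a parse failure); on PHP 8 calling a method on `false` is a fatal `Error` with no hint of which file was at fault. This was already true with `simplexml_load_file()`, but since the line is being touched a guard costs little: `if ($xml === false) { throw new \RuntimeException('Unable to parse schema file ' . $file); }`. loadSchemaFromFile() continues past the hunk.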
@@ -344,10 +344,10 @@ public function downloadApp($appId, $allowUnstable = false) {
 // Check if appinfo/info.xml has the same app ID as well
 if ((PHP_VERSION_ID < 80000)) {
 $loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 libxml_disable_entity_loader($loadEntities);
 } else {
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 }
 if ((string)$xml->id !== $appId) {
 throw new \Exception(
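Review bot: This is the one site in the commit that parses XML taken from a downloaded archive rather than from the installed tree, and nothing in the hunk states the guarantee it relies on — that the deny-all entity loader installed in lib/base.php init() is what keeps external entity references in that info.xml from fetching local files or URLs. A comment above the first new line, `// untrusted input: external entities are refused by the global loader set in lib/base.php`, records that for the next maintainer. The following `(string)$xml->id !== $appId` happens to fail closed when `$xml` is `false` (reading a property on a bool yields null, and `''` never equals the id), but an explicit `if ($xml === false)` before it would make that deliberate and avoid the PHP 8 warning. downloadApp() continues outside the hunk.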