merged 2.0
This commit is contained in:
Fabien Potencier
commit
07edc3ee03
@ -7,6 +7,17 @@ in 2.0 minor versions.
|
||||
To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
|
||||
To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.0.0...v2.0.1
|
||||
|
||||
* 2.0.11 (2012-02-24)
|
||||
|
||||
* 3e64d36: [Serializer] Fix XML decoding attack vector through external entities
|
||||
* 66d0d3d: [FrameworkBundle] Fix a bug in the RedirectableUrlMatcher
|
||||
* 24a3cd3: Finder - allow sorting when searching in multiple directories
|
||||
* 6e75fd1: Resolves issue with spl_autoload_register creating new copies of the container and passing that into the closure.
|
||||
* d02ca25: [MonologBundle] Fixed a bug when adding a processor on a service handler
|
||||
* 2434552: [Translation] Fixed fallback location if location is longer than three characters (possibly by mistake).
|
||||
* ec7fb0b: [Routing] added a proper exception when a route pattern references the same variable more than once (closes #3344)
|
||||
* beb4fc0: [WIP][Locale] StubIntlDateFormatter::parse was throwing exception instead of returning Boolean false like intl implementation
|
||||
|
||||
* 2.0.10 (2012-02-06)
|
||||
|
||||
* 8e13095: Fixed the unescaping of parameters to handle arrays
|
||||
|
||||
@ -502,7 +502,8 @@ class Finder implements \IteratorAggregate
|
||||
}
|
||||
|
||||
if ($this->sort) {
|
||||
$iterator = new Iterator\SortableIterator($iterator, $this->sort);
|
||||
$iteratorAggregate = new Iterator\SortableIterator($iterator, $this->sort);
|
||||
$iterator = $iteratorAggregate->getIterator();
|
||||
}
|
||||
|
||||
return $iterator;
|
||||
|
||||
@ -54,7 +54,18 @@ class XmlEncoder extends SerializerAwareEncoder implements EncoderInterface, Dec
|
||||
*/
|
||||
public function decode($data, $format)
|
||||
{
|
||||
$internalErrors = libxml_use_internal_errors(true);
|
||||
$disableEntities = libxml_disable_entity_loader(true);
|
||||
libxml_clear_errors();
|
||||
|
||||
$xml = simplexml_load_string($data);
|
||||
libxml_use_internal_errors($internalErrors);
|
||||
libxml_disable_entity_loader($disableEntities);
|
||||
|
||||
if ($error = libxml_get_last_error()) {
|
||||
throw new UnexpectedValueException($error->message);
|
||||
}
|
||||
|
||||
if (!$xml->count()) {
|
||||
if (!$xml->attributes()) {
|
||||
return (string) $xml;
|
||||
|
||||
@ -9,6 +9,7 @@ use Symfony\Tests\Component\Serializer\Fixtures\Dummy;
|
||||
use Symfony\Tests\Component\Serializer\Fixtures\ScalarDummy;
|
||||
use Symfony\Component\Serializer\Encoder\XmlEncoder;
|
||||
use Symfony\Component\Serializer\Serializer;
|
||||
use Symfony\Component\Serializer\Exception\UnexpectedValueException;
|
||||
use Symfony\Component\Serializer\Normalizer\CustomNormalizer;
|
||||
|
||||
/*
|
||||
@ -244,6 +245,23 @@ class XmlEncoderTest extends \PHPUnit_Framework_TestCase
|
||||
$this->assertEquals($expected, $this->encoder->decode($source, 'xml'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException Symfony\Component\Serializer\Exception\UnexpectedValueException
|
||||
*/
|
||||
public function testPreventsComplexExternalEntities()
|
||||
{
|
||||
$oldCwd = getcwd();
|
||||
chdir(__DIR__);
|
||||
|
||||
try {
|
||||
$decoded = $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE scan[<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=XmlEncoderTest.php">]><scan>&test;</scan>', 'xml');
|
||||
chdir($oldCwd);
|
||||
} catch (UnexpectedValueException $e) {
|
||||
chdir($oldCwd);
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
|
||||
protected function getXmlSource()
|
||||
{
|
||||
return '<?xml version="1.0"?>'."\n".
|
||||
|
||||
Reference in New Issue
Block a user