diff --git a/CHANGELOG-2.0.md b/CHANGELOG-2.0.md
index 25e5a85e1b..e6642d20ca 100644
--- a/CHANGELOG-2.0.md
+++ b/CHANGELOG-2.0.md
@@ -7,6 +7,17 @@ in 2.0 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.0.0...v2.0.1
 
+* 2.0.11 (2012-02-24)
+
+ * 3e64d36: [Serializer] Fix XML decoding attack vector through external entities
+ * 66d0d3d: [FrameworkBundle] Fix a bug in the RedirectableUrlMatcher
+ * 24a3cd3: Finder - allow sorting when searching in multiple directories
+ * 6e75fd1: Resolves issue with spl_autoload_register creating new copies of the container and passing that into the closure.
+ * d02ca25: [MonologBundle] Fixed a bug when adding a processor on a service handler
+ * 2434552: [Translation] Fixed fallback location if location is longer than three characters (possibly by mistake).
+ * ec7fb0b: [Routing] added a proper exception when a route pattern references the same variable more than once (closes #3344)
+ * beb4fc0: [WIP][Locale] StubIntlDateFormatter::parse was throwing exception instead of returning Boolean false like intl implementation
+
 * 2.0.10 (2012-02-06)
 
  * 8e13095: Fixed the unescaping of parameters to handle arrays
diff --git a/src/Symfony/Component/Finder/Finder.php b/src/Symfony/Component/Finder/Finder.php
index 7a1edfb1d9..ecf70b710d 100644
--- a/src/Symfony/Component/Finder/Finder.php
+++ b/src/Symfony/Component/Finder/Finder.php
@@ -502,7 +502,8 @@ class Finder implements \IteratorAggregate
         }
 
         if ($this->sort) {
-            $iterator = new Iterator\SortableIterator($iterator, $this->sort);
+            $iteratorAggregate = new Iterator\SortableIterator($iterator, $this->sort);
+            $iterator = $iteratorAggregate->getIterator();
         }
 
         return $iterator;
diff --git a/src/Symfony/Component/Serializer/Encoder/XmlEncoder.php b/src/Symfony/Component/Serializer/Encoder/XmlEncoder.php
index b4b3e65d08..3d531a01d9 100644
--- a/src/Symfony/Component/Serializer/Encoder/XmlEncoder.php
+++ b/src/Symfony/Component/Serializer/Encoder/XmlEncoder.php
@@ -54,7 +54,18 @@ class XmlEncoder extends SerializerAwareEncoder implements EncoderInterface, Dec
      */
     public function decode($data, $format)
     {
+        $internalErrors = libxml_use_internal_errors(true);
+        $disableEntities = libxml_disable_entity_loader(true);
+        libxml_clear_errors();
+
         $xml = simplexml_load_string($data);
+        libxml_use_internal_errors($internalErrors);
+        libxml_disable_entity_loader($disableEntities);
+
+        if ($error = libxml_get_last_error()) {
+            throw new UnexpectedValueException($error->message);
+        }
+
         if (!$xml->count()) {
             if (!$xml->attributes()) {
                 return (string) $xml;
diff --git a/tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php b/tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php
index b995defbc1..e6d4414c7e 100644
--- a/tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php
+++ b/tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php
@@ -9,6 +9,7 @@ use Symfony\Tests\Component\Serializer\Fixtures\Dummy;
 use Symfony\Tests\Component\Serializer\Fixtures\ScalarDummy;
 use Symfony\Component\Serializer\Encoder\XmlEncoder;
 use Symfony\Component\Serializer\Serializer;
+use Symfony\Component\Serializer\Exception\UnexpectedValueException;
 use Symfony\Component\Serializer\Normalizer\CustomNormalizer;
 
 /*
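Review bot: The failure path in decode() reads the libxml error buffer but never drains it: `libxml_clear_errors()` runs only at entry, so after the `throw` the message stays queued for any other libxml user in the process, and the check also does not cover a `false` return from `simplexml_load_string()` that left no error behind (unlikely, but not excluded here), which would reach the `$xml->count()` call below as a boolean. Add `libxml_clear_errors();` immediately before the `throw`, and guard the return value with `if (false === $xml) { throw new UnexpectedValueException('Invalid XML'); }` before the `count()` call. Disabling the entity loader stops external entities from being fetched, but a document can still carry a DOCTYPE with internal entity declarations; rejecting any input whose parsed document has a doctype node (`dom_import_simplexml($xml)->ownerDocument->doctype`) would remove that remaining surface — confirm against the inputs this encoder is expected to accept. The body of decode() continues outside the hunk.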
@@ -244,6 +245,23 @@ class XmlEncoderTest extends \PHPUnit_Framework_TestCase
         $this->assertEquals($expected, $this->encoder->decode($source, 'xml'));
     }
 
+    /**
+     * @expectedException Symfony\Component\Serializer\Exception\UnexpectedValueException
+     */
+    public function testPreventsComplexExternalEntities()
+    {
+        $oldCwd = getcwd();
+        chdir(__DIR__);
+
+        try {
+            $decoded = $this->encoder->decode(']>&test;', 'xml');
+            chdir($oldCwd);
+        } catch (UnexpectedValueException $e) {
+            chdir($oldCwd);
+            throw $e;
+        }
+    }
+
     protected function getXmlSource()
     {
         return ''."\n".
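Review bot: The catch in testPreventsComplexExternalEntities restores the working directory only for UnexpectedValueException; any other exception escaping `decode()` leaves the process in `__DIR__` for every test that runs afterwards, because `chdir()` is process-wide state. Catching the broadest type and rethrowing keeps the restore on every path: `} catch (\Exception $e) {`. `$decoded` is assigned but never read and can be dropped, leaving a bare `$this->encoder->decode(...)` call. The literal shown here as `']>&test;'` is not well-formed XML and looks truncated in this rendering — worth confirming against the committed file that the prolog and DOCTYPE the test depends on are actually present.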