탐색 도움말
가입하기 로그인
chengwenliang
/
newsupernova
2
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: c9405dd336
브랜치 태그
newsupernova
/
vendor
/
magento
/
framework
/
Xml
/
Security.php

Security.php 2.3 KB
히스토리 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Copyright © Magento, Inc. All rights reserved.
    4. 

  4.  * See COPYING.txt for license details.
    5. 

  5.  */
    6. 

  6. namespace Magento\Framework\Xml;
    7. 

  7. 

  8. use DOMDocument;
    9. 

  9. 

  10. /**
    11. 

  11.  * Class Security
    12. 

  12.  */
    13. 

  13. class Security
    14. 

  14. {
    15. 

  15.     /**
    16. 

  16.      * Heuristic scan to detect entity in XML
    17. 

  17.      *
    18. 

  18.      * @param string $xmlContent
    19. 

  19.      * @return bool
    20. 

  20.      */
    21. 

  21.     private function heuristicScan($xmlContent)
    22. 

  22.     {
    23. 

  23.         return strpos($xmlContent, '<!ENTITY') === false;
    24. 

  24.     }
    25. 

  25. 

  26.     /**
    27. 

  27.      * Return true if PHP is running with PHP-FPM
    28. 

  28.      *
    29. 

  29.      * @return bool
    30. 

  30.      */
    31. 

  31.     private function isPhpFpm()
    32. 

  32.     {
    33. 

  33.         return substr(php_sapi_name(), 0, 3) === 'fpm';
    34. 

  34.     }
    35. 

  35. 

  36.     /**
    37. 

  37.      * Security check loaded XML document
    38. 

  38.      *
    39. 

  39.      * @param string $xmlContent
    40. 

  40.      * @return bool
    41. 

  41.      *
    42. 

  42.      * @SuppressWarnings(PHPMD.UnusedLocalVariable)
    43. 

  43.      */
    44. 

  44.     public function scan($xmlContent)
    45. 

  45.     {
    46. 

  46.         /**
    47. 

  47.          * If running with PHP-FPM we perform an heuristic scan
    48. 

  48.          * We cannot use libxml_disable_entity_loader because of this bug
    49. 

  49.          * @see https://bugs.php.net/bug.php?id=64938
    50. 

  50.          */
    51. 

  51.         if ($this->isPhpFpm()) {
    52. 

  52.             return $this->heuristicScan($xmlContent);
    53. 

  53.         }
    54. 

  54. 

  55.         $document = new DOMDocument();
    56. 

  56. 

  57.         $loadEntities = libxml_disable_entity_loader(true);
    58. 

  58.         $useInternalXmlErrors = libxml_use_internal_errors(true);
    59. 

  59. 

  60.         /**
    61. 

  61.          * Load XML with network access disabled (LIBXML_NONET)
    62. 

  62.          * error disabled with @ for PHP-FPM scenario
    63. 

  63.          */
    64. 

  64.         set_error_handler(
    65. 

  65.             function ($errno, $errstr) {
    66. 

  66.                 if (substr_count($errstr, 'DOMDocument::loadXML()') > 0) {
    67. 

  67.                     return true;
    68. 

  68.                 }
    69. 

  69.                 return false;
    70. 

  70.             },
    71. 

  71.             E_WARNING
    72. 

  72.         );
    73. 

  73. 

  74.         $result = (bool)$document->loadXML($xmlContent, LIBXML_NONET);
    75. 

  75.         restore_error_handler();
    76. 

  76.         // Entity load to previous setting
    77. 

  77.         libxml_disable_entity_loader($loadEntities);
    78. 

  78.         libxml_use_internal_errors($useInternalXmlErrors);
    79. 

  79. 

  80.         if (!$result) {
    81. 

  81.             return false;
    82. 

  82.         }
    83. 

  83. 

  84.         foreach ($document->childNodes as $child) {
    85. 

  85.             if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
    86. 

  86.                 if ($child->entities->length > 0) {
    87. 

  87.                     return false;
    88. 

  88.                 }
    89. 

  89.             }
    90. 

  90.         }
    91. 

  91. 

  92.         return true;
    93. 

  93.     }
    94. 

  94. }
    95.