diff options
Diffstat (limited to 'library/vendor/Zend/Xml/Security.php')
-rw-r--r-- | library/vendor/Zend/Xml/Security.php | 486 |
1 files changed, 486 insertions, 0 deletions
diff --git a/library/vendor/Zend/Xml/Security.php b/library/vendor/Zend/Xml/Security.php new file mode 100644 index 0000000..321e1e6 --- /dev/null +++ b/library/vendor/Zend/Xml/Security.php @@ -0,0 +1,486 @@ +<?php +/** + * Zend Framework + * + * LICENSE + * + * This source file is subject to the new BSD license that is bundled + * with this package in the file LICENSE.txt. + * It is also available through the world-wide-web at this URL: + * http://framework.zend.com/license/new-bsd + * If you did not receive a copy of the license and are unable to + * obtain it through the world-wide-web, please send an email + * to license@zend.com so we can send you a copy immediately. + * + * @category Zend + * @package Zend_Xml + * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) + * @license http://framework.zend.com/license/new-bsd New BSD License + * @version $Id$ + */ + + +/** + * @category Zend + * @package Zend_Xml_SecurityScan + * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) + * @license http://framework.zend.com/license/new-bsd New BSD License + */ +class Zend_Xml_Security +{ + const ENTITY_DETECT = 'Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks'; + + /** + * Heuristic scan to detect entity in XML + * + * @param string $xml + * @throws Zend_Xml_Exception If entity expansion or external entity declaration was discovered. + */ + protected static function heuristicScan($xml) + { + foreach (self::getEntityComparison($xml) as $compare) { + if (strpos($xml, $compare) !== false) { + throw new Zend_Xml_Exception(self::ENTITY_DETECT); + } + } + } + + /** + * @param integer $errno + * @param string $errstr + * @param string $errfile + * @param integer $errline + * @return bool + */ + public static function loadXmlErrorHandler($errno, $errstr, $errfile, $errline) + { + if (substr_count($errstr, 'DOMDocument::loadXML()') > 0) { + return true; + } + return false; + } + + /** + * Scan XML string for potential XXE and XEE attacks + * + * @param string $xml + * @param DomDocument $dom + * @throws Zend_Xml_Exception + * @return SimpleXMLElement|DomDocument|boolean + */ + public static function scan($xml, DOMDocument $dom = null) + { + // If running with PHP-FPM we perform an heuristic scan + // We cannot use libxml_disable_entity_loader because of this bug + // @see https://bugs.php.net/bug.php?id=64938 + if (self::isPhpFpm()) { + self::heuristicScan($xml); + } + + if (null === $dom) { + $simpleXml = true; + $dom = new DOMDocument(); + } + + if (!self::isPhpFpm()) { + $loadEntities = libxml_disable_entity_loader(true); + $useInternalXmlErrors = libxml_use_internal_errors(true); + } + + // Load XML with network access disabled (LIBXML_NONET) + // error disabled with @ for PHP-FPM scenario + set_error_handler(array('Zend_Xml_Security', 'loadXmlErrorHandler'), E_WARNING); + + $result = $dom->loadXml($xml, LIBXML_NONET); + restore_error_handler(); + + if (!$result) { + // Entity load to previous setting + if (!self::isPhpFpm()) { + libxml_disable_entity_loader($loadEntities); + libxml_use_internal_errors($useInternalXmlErrors); + } + return false; + } + + // Scan for potential XEE attacks using ENTITY, if not PHP-FPM + if (!self::isPhpFpm()) { + foreach ($dom->childNodes as $child) { + if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { + if ($child->entities->length > 0) { + throw new Zend_Xml_Exception(self::ENTITY_DETECT); + } + } + } + } + + // Entity load to previous setting + if (!self::isPhpFpm()) { + libxml_disable_entity_loader($loadEntities); + libxml_use_internal_errors($useInternalXmlErrors); + } + + if (isset($simpleXml)) { + $result = simplexml_import_dom($dom); + if (!$result instanceof SimpleXMLElement) { + return false; + } + return $result; + } + return $dom; + } + + /** + * Scan XML file for potential XXE/XEE attacks + * + * @param string $file + * @param DOMDocument $dom + * @throws Zend_Xml_Exception + * @return SimpleXMLElement|DomDocument + */ + public static function scanFile($file, DOMDocument $dom = null) + { + if (!file_exists($file)) { + throw new Zend_Xml_Exception( + "The file $file specified doesn't exist" + ); + } + return self::scan(file_get_contents($file), $dom); + } + + /** + * Return true if PHP is running with PHP-FPM + * + * This method is mainly used to determine whether or not heuristic checks + * (vs libxml checks) should be made, due to threading issues in libxml; + * under php-fpm, threading becomes a concern. + * + * However, PHP versions 5.5.22+ and 5.6.6+ contain a patch to the + * libxml support in PHP that makes the libxml checks viable; in such + * versions, this method will return false to enforce those checks, which + * are more strict and accurate than the heuristic checks. + * + * @return boolean + */ + public static function isPhpFpm() + { + $isVulnerableVersion = ( + version_compare(PHP_VERSION, '5.5.22', 'lt') + || ( + version_compare(PHP_VERSION, '5.6', 'gte') + && version_compare(PHP_VERSION, '5.6.6', 'lt') + ) + ); + + if (substr(php_sapi_name(), 0, 3) === 'fpm' && $isVulnerableVersion) { + return true; + } + return false; + } + + /** + * Determine and return the string(s) to use for the <!ENTITY comparison. + * + * @param string $xml + * @return string[] + */ + protected static function getEntityComparison($xml) + { + $encodingMap = self::getAsciiEncodingMap(); + return array_map( + array(__CLASS__, 'generateEntityComparison'), + self::detectXmlEncoding($xml, self::detectStringEncoding($xml)) + ); + } + + /** + * Determine the string encoding. + * + * Determines string encoding from either a detected BOM or a + * heuristic. + * + * @param string $xml + * @return string File encoding + */ + protected static function detectStringEncoding($xml) + { + $encoding = self::detectBom($xml); + return ($encoding) ? $encoding : self::detectXmlStringEncoding($xml); + } + + /** + * Attempt to match a known BOM. + * + * Iterates through the return of getBomMap(), comparing the initial bytes + * of the provided string to the BOM of each; if a match is determined, + * it returns the encoding. + * + * @param string $string + * @return false|string Returns encoding on success. + */ + protected static function detectBom($string) + { + foreach (self::getBomMap() as $criteria) { + if (0 === strncmp($string, $criteria['bom'], $criteria['length'])) { + return $criteria['encoding']; + } + } + return false; + } + + /** + * Attempt to detect the string encoding of an XML string. + * + * @param string $xml + * @return string Encoding + */ + protected static function detectXmlStringEncoding($xml) + { + foreach (self::getAsciiEncodingMap() as $encoding => $generator) { + $prefix = call_user_func($generator, '<' . '?xml'); + if (0 === strncmp($xml, $prefix, strlen($prefix))) { + return $encoding; + } + } + + // Fallback + return 'UTF-8'; + } + + /** + * Attempt to detect the specified XML encoding. + * + * Using the file's encoding, determines if an "encoding" attribute is + * present and well-formed in the XML declaration; if so, it returns a + * list with both the ASCII representation of that declaration and the + * original file encoding. + * + * If not, a list containing only the provided file encoding is returned. + * + * @param string $xml + * @param string $fileEncoding + * @return string[] Potential XML encodings + */ + protected static function detectXmlEncoding($xml, $fileEncoding) + { + $encodingMap = self::getAsciiEncodingMap(); + $generator = $encodingMap[$fileEncoding]; + $encAttr = call_user_func($generator, 'encoding="'); + $quote = call_user_func($generator, '"'); + $close = call_user_func($generator, '>'); + + $closePos = strpos($xml, $close); + if (false === $closePos) { + return array($fileEncoding); + } + + $encPos = strpos($xml, $encAttr); + if (false === $encPos + || $encPos > $closePos + ) { + return array($fileEncoding); + } + + $encPos += strlen($encAttr); + $quotePos = strpos($xml, $quote, $encPos); + if (false === $quotePos) { + return array($fileEncoding); + } + + $encoding = self::substr($xml, $encPos, $quotePos); + return array( + // Following line works because we're only supporting 8-bit safe encodings at this time. + str_replace('\0', '', $encoding), // detected encoding + $fileEncoding, // file encoding + ); + } + + /** + * Return a list of BOM maps. + * + * Returns a list of common encoding -> BOM maps, along with the character + * length to compare against. + * + * @link https://en.wikipedia.org/wiki/Byte_order_mark + * @return array + */ + protected static function getBomMap() + { + return array( + array( + 'encoding' => 'UTF-32BE', + 'bom' => pack('CCCC', 0x00, 0x00, 0xfe, 0xff), + 'length' => 4, + ), + array( + 'encoding' => 'UTF-32LE', + 'bom' => pack('CCCC', 0xff, 0xfe, 0x00, 0x00), + 'length' => 4, + ), + array( + 'encoding' => 'GB-18030', + 'bom' => pack('CCCC', 0x84, 0x31, 0x95, 0x33), + 'length' => 4, + ), + array( + 'encoding' => 'UTF-16BE', + 'bom' => pack('CC', 0xfe, 0xff), + 'length' => 2, + ), + array( + 'encoding' => 'UTF-16LE', + 'bom' => pack('CC', 0xff, 0xfe), + 'length' => 2, + ), + array( + 'encoding' => 'UTF-8', + 'bom' => pack('CCC', 0xef, 0xbb, 0xbf), + 'length' => 3, + ), + ); + } + + /** + * Return a map of encoding => generator pairs. + * + * Returns a map of encoding => generator pairs, where the generator is a + * callable that accepts a string and returns the appropriate byte order + * sequence of that string for the encoding. + * + * @return array + */ + protected static function getAsciiEncodingMap() + { + return array( + 'UTF-32BE' => array(__CLASS__, 'encodeToUTF32BE'), + 'UTF-32LE' => array(__CLASS__, 'encodeToUTF32LE'), + 'UTF-32odd1' => array(__CLASS__, 'encodeToUTF32odd1'), + 'UTF-32odd2' => array(__CLASS__, 'encodeToUTF32odd2'), + 'UTF-16BE' => array(__CLASS__, 'encodeToUTF16BE'), + 'UTF-16LE' => array(__CLASS__, 'encodeToUTF16LE'), + 'UTF-8' => array(__CLASS__, 'encodeToUTF8'), + 'GB-18030' => array(__CLASS__, 'encodeToUTF8'), + ); + } + + /** + * Binary-safe substr. + * + * substr() is not binary-safe; this method loops by character to ensure + * multi-byte characters are aggregated correctly. + * + * @param string $string + * @param int $start + * @param int $end + * @return string + */ + protected static function substr($string, $start, $end) + { + $substr = ''; + for ($i = $start; $i < $end; $i += 1) { + $substr .= $string[$i]; + } + return $substr; + } + + /** + * Generate an entity comparison based on the given encoding. + * + * This patch is internal only, and public only so it can be used as a + * callable to pass to array_map. + * + * @internal + * @param string $encoding + * @return string + */ + public static function generateEntityComparison($encoding) + { + $encodingMap = self::getAsciiEncodingMap(); + $generator = isset($encodingMap[$encoding]) ? $encodingMap[$encoding] : $encodingMap['UTF-8']; + return call_user_func($generator, '<!ENTITY'); + } + + /** + * Encode an ASCII string to UTF-32BE + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF32BE($ascii) + { + return preg_replace('/(.)/', "\0\0\0\\1", $ascii); + } + + /** + * Encode an ASCII string to UTF-32LE + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF32LE($ascii) + { + return preg_replace('/(.)/', "\\1\0\0\0", $ascii); + } + + /** + * Encode an ASCII string to UTF-32odd1 + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF32odd1($ascii) + { + return preg_replace('/(.)/', "\0\\1\0\0", $ascii); + } + + /** + * Encode an ASCII string to UTF-32odd2 + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF32odd2($ascii) + { + return preg_replace('/(.)/', "\0\0\\1\0", $ascii); + } + + /** + * Encode an ASCII string to UTF-16BE + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF16BE($ascii) + { + return preg_replace('/(.)/', "\0\\1", $ascii); + } + + /** + * Encode an ASCII string to UTF-16LE + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF16LE($ascii) + { + return preg_replace('/(.)/', "\\1\0", $ascii); + } + + /** + * Encode an ASCII string to UTF-8 + * + * @internal + * @param string $ascii + * @return string + */ + public static function encodeToUTF8($ascii) + { + return $ascii; + } +} |