From e60d4802347fc1e3e68a88c6789bfd01f5e6310a Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Mon, 12 Jan 2015 17:50:32 +0000
Subject: [PATCH] Disable the loading of external entities in XML documents.

To prevent local and remote file inclusion attacks. This is in most cases
already disabled by default in system libraries, so this will be a no-op
to most systems, but to be safe we explicitly disable it also.

Fixes #74
---
 lib/SimpleSAML/Utilities.php | 11 +++++++++++
 www/_include.php             |  4 ++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index f94580ef4..af36ed752 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1930,6 +1930,17 @@ class SimpleSAML_Utilities {
 		date_default_timezone_set($serverTimezone);
 	}
 
+	/**
+	 * Disable the loading of external entities in XML documents to prevent local and
+	 * remote file inclusion attacks. This is in most cases already disabled by default
+	 * in system libraries, but to be safe we explicitly disable it also.
+	 */
+	public static function disableXMLEntityLoader() {
+		/* Function only present in PHP >= 5.2.11 while we support 5.2+ */
+		if ( function_exists('libxml_disable_entity_loader') ) {
+			libxml_disable_entity_loader();
+		}
+	}
 
 	/**
 	 * Atomically write a file.
diff --git a/www/_include.php b/www/_include.php
index d0e483b2f..4e9b35541 100644
--- a/www/_include.php
+++ b/www/_include.php
@@ -107,5 +107,5 @@ if (!file_exists($configdir . '/config.php')) {
 
 /* Set the timezone. */
 SimpleSAML_Utilities::initTimezone();
-
-?>
\ No newline at end of file
+/* Disable XML external entity loading explicitly. */
+SimpleSAML_Utilities::disableXMLEntityLoader();
-- 
GitLab
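Review bot: `disableXMLEntityLoader()` throws away the boolean that `libxml_disable_entity_loader()` returns (the previous setting), so neither callers nor a test can observe whether the loader was already off or restore it later; consider `return function_exists('libxml_disable_entity_loader') ? libxml_disable_entity_loader() : false;` with a matching `@return bool Previous entity-loader state (false when the function is unavailable)` line in the docblock. The docblock should also say that the switch is process-global and sticky: it affects every later libxml parse in the same request, and any code that later calls `libxml_disable_entity_loader(false)` silently re-enables external entities, so parse sites that handle untrusted XML should not rely on this call alone. In the `function_exists` false branch the method currently does nothing and reports nothing, which on a PHP build lacking the function leaves the deployment unprotected without any log line; a one-line `SimpleSAML_Logger::warning(...)` there (if that logger is available at this point, which the hunk does not show) would make the gap visible.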
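Review bot: The new `disableXMLEntityLoader()` call is the last statement of the bootstrap, after `initTimezone()`, so any XML parsing that happens earlier in `www/_include.php` or during the configuration loading above this hunk (not visible here) would run with the loader still enabled; moving the call ahead of the config checks, e.g. right after the autoloader is registered, would close that window. Entry points that do not go through `www/_include.php`, if the project has any, are not covered by this change and would need the same call in their own bootstrap. The comment could state the scope explicitly, e.g. `/* Disable XML external entity loading explicitly; this is process-wide and must run before any XML is parsed. */`.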