Use a custom XML entity loader

This allows us to still validate XML documents (disabling the entity loader makes it impossible, as we have multiple schemas in different files), while protecting against schemas trying to import from URLs.

Use a custom XML entity loader
ea77240b · Jaime Pérez Crespo · 00716eb4 · ea77240b
Commit ea77240b authored 5 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/Utils/XML.php
+++ b/lib/SimpleSAML/Utils/XML.php
@@ -449,6 +449,15 @@ class XML
            $schemaPath = $config->resolvePath('schemas');
            $schemaFile = $schemaPath . '/' . $schema;
+            libxml_set_external_entity_loader(
+                function ($public, $system, $context) {
+                    if (filter_var($system, FILTER_VALIDATE_URL) === $system) {
+                        return null;
+                    }
+                    return $system;
+                }
+            );
            $res = $dom->schemaValidate($schemaFile);
            if ($res) {
                Errors::end();