From ea77240b055c67cac97a25fc61afcfef6d24d422 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 26 Nov 2019 12:46:19 +0100
Subject: [PATCH] Use a custom XML entity loader

This allows us to still validate XML documents (disabling the entity loader makes it impossible, as we have multiple schemas in different files), while protecting against schemas trying to import from URLs.
---
 lib/SimpleSAML/Utils/XML.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/SimpleSAML/Utils/XML.php b/lib/SimpleSAML/Utils/XML.php
index 4b6c3cdfb..28c203cd3 100644
--- a/lib/SimpleSAML/Utils/XML.php
+++ b/lib/SimpleSAML/Utils/XML.php
@@ -449,6 +449,15 @@ class XML
 $schemaPath = $config->resolvePath('schemas');
 $schemaFile = $schemaPath . '/' . $schema;
 
+ libxml_set_external_entity_loader(
+ function ($public, $system, $context) {
+ if (filter_var($system, FILTER_VALIDATE_URL) === $system) {
+ return null;
+ }
+ return $system;
+ }
+ );
+
 $res = $dom->schemaValidate($schemaFile);
 if ($res) {
 Errors::end();
-- 
GitLab
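Review bot: The new loader is a denylist — anything `FILTER_VALIDATE_URL` does not recognise as a URL, including absolute or relative local file paths, is handed back to libxml unchanged and therefore opened, so the callback blocks remote imports but not a schema (or any later libxml load) that points at an arbitrary local file. Since `$schemaPath` is in scope on the context line just above, an allowlist that resolves `$system` with `realpath()` and only returns paths under `realpath($schemaPath)` is tighter and makes the URL check unnecessary, because `realpath()` rejects URLs anyway. Note also that `libxml_set_external_entity_loader()` is process-global and the hunk never resets it (`libxml_set_external_entity_loader(null)` restores the default), so every subsequent libxml load in this process goes through this callback; if that is intended as a hardening default, a comment saying so would help. Whether libxml passes the import location already resolved against the importing schema's base URI or still relative is not visible here, so the rewrite below tries both forms. The enclosing method continues outside the hunk.
```php
        libxml_set_external_entity_loader(
            function ($public, $system, $context) use ($schemaPath) {
                // Allowlist: only files inside the configured schema directory may be loaded.
                $root = realpath($schemaPath);
                if (!is_string($system) || $root === false) {
                    return null;
                }
                // libxml may pass the location already resolved, or relative to the importing schema.
                $resolved = realpath($system);
                if ($resolved === false) {
                    $resolved = realpath($schemaPath . '/' . $system);
                }
                if ($resolved === false || strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
                    return null;
                }
                return $resolved;
            }
        );
        // … unchanged: schemaValidate() call and result handling …
```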