12 * obtain it through the world-wide-web, please send an email |
12 * obtain it through the world-wide-web, please send an email |
13 * to license@zend.com so we can send you a copy immediately. |
13 * to license@zend.com so we can send you a copy immediately. |
14 * |
14 * |
15 * @category Zend |
15 * @category Zend |
16 * @package Zend_Controller |
16 * @package Zend_Controller |
17 * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) |
17 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) |
18 * @license http://framework.zend.com/license/new-bsd New BSD License |
18 * @license http://framework.zend.com/license/new-bsd New BSD License |
19 */ |
19 */ |
20 |
20 |
21 /** |
21 /** |
22 * Zend_XmlRpc_Value |
22 * Zend_XmlRpc_Value |
26 /** |
26 /** |
27 * Zend_XmlRpc_Fault |
27 * Zend_XmlRpc_Fault |
28 */ |
28 */ |
29 require_once 'Zend/XmlRpc/Fault.php'; |
29 require_once 'Zend/XmlRpc/Fault.php'; |
30 |
30 |
|
31 /** @see Zend_Xml_Security */ |
|
32 require_once 'Zend/Xml/Security.php'; |
|
33 |
|
34 /** @see Zend_Xml_Exception */ |
|
35 require_once 'Zend/Xml/Exception.php'; |
|
36 |
31 /** |
37 /** |
32 * XmlRpc Request object |
38 * XmlRpc Request object |
33 * |
39 * |
34 * Encapsulates an XmlRpc request, holding the method call and all parameters. |
40 * Encapsulates an XmlRpc request, holding the method call and all parameters. |
35 * Provides accessors for these, as well as the ability to load from XML and to |
41 * Provides accessors for these, as well as the ability to load from XML and to |
39 * generated and stored in {@link $_fault}; developers may check for it using |
45 * generated and stored in {@link $_fault}; developers may check for it using |
40 * {@link isFault()} and {@link getFault()}. |
46 * {@link isFault()} and {@link getFault()}. |
41 * |
47 * |
42 * @category Zend |
48 * @category Zend |
43 * @package Zend_XmlRpc |
49 * @package Zend_XmlRpc |
44 * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) |
50 * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) |
45 * @license http://framework.zend.com/license/new-bsd New BSD License |
51 * @license http://framework.zend.com/license/new-bsd New BSD License |
46 * @version $Id: Request.php 25033 2012-08-17 19:50:08Z matthew $ |
52 * @version $Id$ |
47 */ |
53 */ |
48 class Zend_XmlRpc_Request |
54 class Zend_XmlRpc_Request |
49 { |
55 { |
50 /** |
56 /** |
51 * Request character encoding |
57 * Request character encoding |
301 $this->_fault = new Zend_XmlRpc_Fault(635); |
307 $this->_fault = new Zend_XmlRpc_Fault(635); |
302 $this->_fault->setEncoding($this->getEncoding()); |
308 $this->_fault->setEncoding($this->getEncoding()); |
303 return false; |
309 return false; |
304 } |
310 } |
305 |
311 |
306 // @see ZF-12293 - disable external entities for security purposes |
|
307 $loadEntities = libxml_disable_entity_loader(true); |
|
308 try { |
312 try { |
309 $dom = new DOMDocument; |
313 $xml = Zend_Xml_Security::scan($request); |
310 $dom->loadXML($request); |
314 } catch (Zend_Xml_Exception $e) { |
311 foreach ($dom->childNodes as $child) { |
|
312 if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { |
|
313 require_once 'Zend/XmlRpc/Exception.php'; |
|
314 throw new Zend_XmlRpc_Exception( |
|
315 'Invalid XML: Detected use of illegal DOCTYPE' |
|
316 ); |
|
317 } |
|
318 } |
|
319 $xml = simplexml_import_dom($dom); |
|
320 libxml_disable_entity_loader($loadEntities); |
|
321 } catch (Exception $e) { |
|
322 // Not valid XML |
315 // Not valid XML |
323 $this->_fault = new Zend_XmlRpc_Fault(631); |
316 $this->_fault = new Zend_XmlRpc_Fault(631); |
324 $this->_fault->setEncoding($this->getEncoding()); |
317 $this->_fault->setEncoding($this->getEncoding()); |
325 libxml_disable_entity_loader($loadEntities); |
|
326 return false; |
318 return false; |
327 } |
319 } |
328 |
320 |
329 // Check for method name |
321 // Check for method name |
330 if (empty($xml->methodName)) { |
322 if (empty($xml->methodName)) { |
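Review bot: The result of `Zend_Xml_Security::scan($request)` reaches the method-name check at new line 322 without being tested, and only `Zend_Xml_Exception` is caught. If scan() signals unparsable XML by returning false rather than throwing (its body is not part of this diff, so confirm), a malformed request would fall through to `empty($xml->methodName)` and be reported as a missing method name instead of fault 631. A guard such as `if (false === $xml)` directly after the try/catch, setting the same 631 fault and returning false, would keep the invalid-XML path explicit. The catch was also narrowed from `Exception`, so any other exception type raised while scanning now propagates to the caller; a short comment saying this is intended would help. The enclosing method begins and ends outside the lines shown.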