tweet_live: comparison web/lib/Zend/Feed/Abstract.php

equal deleted inserted replaced

-:5e7a0fedabdf
+:877f952ae2bd
 * obtain it through the world-wide-web, please send an email
 * to license@zend.com so we can send you a copy immediately.
 *
 * @category   Zend
 * @package    Zend_Feed
-* @copyright  Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
+* @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
-* @version    $Id: Abstract.php 20096 2010-01-06 02:05:09Z bkarwin $
+* @version    $Id: Abstract.php 25160 2012-12-18 15:17:16Z matthew $
 */
 /**
 * @see Zend_Feed_Element
 * considered to be the entry collection, such that iterating over the
 * feed takes you through each of the feed.s entries.
 *
 * @category   Zend
 * @package    Zend_Feed
-* @copyright  Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
+* @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
 */
 abstract class Zend_Feed_Abstract extends Zend_Feed_Element implements Iterator, Countable
 {
 /**
 if ($response->getStatus() !== 200) {
 /**
 * @see Zend_Feed_Exception
 */
 require_once 'Zend/Feed/Exception.php';
-throw new Zend_Feed_Exception('Feed failed to load, got response code ' . $response->getStatus());
+throw new Zend_Feed_Exception('Feed failed to load, got response code ' . $response->getStatus() . '; request: ' . $client->getLastRequest() . "\nresponse: " . $response->asString());
 }
-$this->_element = $response->getBody();
+$this->_element = $this->_importFeedFromString($response->getBody());
 $this->__wakeup();
 } elseif ($string !== null) {
 // Retrieve the feed from $string
 $this->_element = $string;
 $this->__wakeup();
 *
 * @throws Zend_Feed_Exception if headers have already been sent
 * @return void
 */
 abstract public function send();
+/**
+* Import a feed from a string
+*
+* Protects against XXE attack vectors.
+*
+* @param  string $feed
+* @return string
+* @throws Zend_Feed_Exception on detection of an XXE vector
+*/
+protected function _importFeedFromString($feed)
+{
+// Load the feed as an XML DOMDocument object
+$libxml_errflag       = libxml_use_internal_errors(true);
+$libxml_entity_loader = libxml_disable_entity_loader(true);
+$doc = new DOMDocument;
+if (trim($feed) == '') {
+require_once 'Zend/Feed/Exception.php';
+throw new Zend_Feed_Exception('Remote feed being imported'
+. ' is an Empty string or comes from an empty HTTP response');
+}
+$status = $doc->loadXML($feed);
+libxml_disable_entity_loader($libxml_entity_loader);
+libxml_use_internal_errors($libxml_errflag);
+if (!$status) {
+// prevent the class to generate an undefined variable notice (ZF-2590)
+// Build error message
+$error = libxml_get_last_error();
+if ($error && $error->message) {
+$errormsg = "DOMDocument cannot parse XML: {$error->message}";
+} else {
+$errormsg = "DOMDocument cannot parse XML";
+}
+/**
+* @see Zend_Feed_Exception
+*/
+require_once 'Zend/Feed/Exception.php';
+throw new Zend_Feed_Exception($errormsg);
+}
+return $doc->saveXML($doc->documentElement);
+}
 }

changeset 807	877f952ae2bd
parent 207	621fa6caec0c
child 1230	68c69c656a2c