Mercurial Mercurial > tweet_live / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
web/lib/Zend/Feed/Abstract.php
changeset 807 877f952ae2bd
parent 207 621fa6caec0c
child 1230 68c69c656a2c 
--- a/web/lib/Zend/Feed/Abstract.php	Thu Mar 21 17:31:31 2013 +0100
+++ b/web/lib/Zend/Feed/Abstract.php	Thu Mar 21 19:50:53 2013 +0100
@@ -15,9 +15,9 @@
  *
  * @category   Zend
  * @package    Zend_Feed
- * @copyright  Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
- * @version    $Id: Abstract.php 20096 2010-01-06 02:05:09Z bkarwin $
+ * @version    $Id: Abstract.php 25160 2012-12-18 15:17:16Z matthew $
  */
 
 
@@ -37,7 +37,7 @@
  *
  * @category   Zend
  * @package    Zend_Feed
- * @copyright  Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
  */
 abstract class Zend_Feed_Abstract extends Zend_Feed_Element implements Iterator, Countable
@@ -81,9 +81,9 @@
                  * @see Zend_Feed_Exception
                  */
                 require_once 'Zend/Feed/Exception.php';
-                throw new Zend_Feed_Exception('Feed failed to load, got response code ' . $response->getStatus());
+                throw new Zend_Feed_Exception('Feed failed to load, got response code ' . $response->getStatus() . '; request: ' . $client->getLastRequest() . "\nresponse: " . $response->asString());
             }
-            $this->_element = $response->getBody();
+            $this->_element = $this->_importFeedFromString($response->getBody());
             $this->__wakeup();
         } elseif ($string !== null) {
             // Retrieve the feed from $string
@@ -256,4 +256,49 @@
      * @return void
      */
     abstract public function send();
+
+    /**
+     * Import a feed from a string
+     *
+     * Protects against XXE attack vectors.
+     * 
+     * @param  string $feed 
+     * @return string
+     * @throws Zend_Feed_Exception on detection of an XXE vector
+     */
+    protected function _importFeedFromString($feed)
+    {
+        // Load the feed as an XML DOMDocument object
+        $libxml_errflag       = libxml_use_internal_errors(true);
+        $libxml_entity_loader = libxml_disable_entity_loader(true);
+        $doc = new DOMDocument;
+        if (trim($feed) == '') {
+            require_once 'Zend/Feed/Exception.php';
+            throw new Zend_Feed_Exception('Remote feed being imported'
+            . ' is an Empty string or comes from an empty HTTP response');
+        }
+        $status = $doc->loadXML($feed);
+        libxml_disable_entity_loader($libxml_entity_loader);
+        libxml_use_internal_errors($libxml_errflag);
+
+        if (!$status) {
+            // prevent the class to generate an undefined variable notice (ZF-2590)
+            // Build error message
+            $error = libxml_get_last_error();
+            if ($error && $error->message) {
+                $errormsg = "DOMDocument cannot parse XML: {$error->message}";
+            } else {
+                $errormsg = "DOMDocument cannot parse XML";
+            }
+
+
+            /**
+             * @see Zend_Feed_Exception
+             */
+            require_once 'Zend/Feed/Exception.php';
+            throw new Zend_Feed_Exception($errormsg);
+        }
+
+        return $doc->saveXML($doc->documentElement);
+    }
 }
tweet_live