stable
Fix request #7458: External XML Entity Injection
An authenticated user in position to exploit this issue would be able to read the files from the system and thus affect its confidentiality.

More details on XXE: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

This impacts:
- load of xml configuration (agiledashboard, trackers, …)
- soap documentation
- migration tv3 → tv5
- Instant Messaging

Please note that the fix is based on php function libxml_disable_entity_loader() which:
- is available since PHP 5.2.11 (PHP 5.1.6 will have to upgrade to PHP 5.3) http://php.net/libxml-disable-entity-loader
- is not thread safe https://bugs.php.net/bug.php?id=64938

Change-Id: I6fb08c070de8f14bafc122d43a074a747d845fb6
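The following is an added example, not Tuleap code and not part of this change: it shows the XXE pattern the commit message describes (an external entity that pulls a local file into the parsed document) next to a parse that applies the libxml_disable_entity_loader() mitigation the fix is based on. The payload, the file path it references and the function names are constructed for illustration.

```php
<?php
// Added example (not Tuleap code): XXE payload and the libxml_disable_entity_loader() mitigation.
declare(strict_types=1);

// Constructed payload: an internal DTD subset declaring an external entity.
// The SYSTEM path is hypothetical; any file readable by the PHP process would do.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE tracker [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<tracker><name>&xxe;</name></tracker>
XML;

// Vulnerable shape: entity substitution requested, external loader left enabled.
// On affected PHP/libxml versions the referenced file ends up in <name>.
function parseUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    // LIBXML_NOENT asks libxml to substitute entities, which resolves the SYSTEM URI.
    $dom->loadXML($xml, LIBXML_NOENT);
    return (string) $dom->getElementsByTagName('name')->item(0)->textContent;
}

// Hardened shape: disable the external entity loader for the duration of the parse,
// do not request entity substitution, and reject any DOCTYPE outright.
// The loader flag is process-global (and, per the commit message, not thread-safe),
// so the previous value is restored in a finally block.
function parseSafe(string $xml): string
{
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        if ($dom->loadXML($xml) === false) {
            throw new RuntimeException('XML parse error');
        }
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE declarations are not allowed');
            }
        }
        $name = $dom->getElementsByTagName('name')->item(0);
        return $name === null ? '' : (string) $name->textContent;
    } finally {
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

echo "unsafe: " . parseUnsafe($payload) . "\n";
try {
    echo "safe: " . parseSafe($payload) . "\n";
} catch (RuntimeException $e) {
    echo "safe: rejected (" . $e->getMessage() . ")\n";
}
```

Two caveats a practitioner should keep in mind. First, while the loader is disabled, libxml will also refuse to fetch anything else from disk or the network, including external DTDs and schemas referenced by URI and documents opened by path through the loader, so code that validates against a schema file needs to read the file itself and pass the contents as a string, or scope the disable/restore tightly around the untrusted parse as above. Second, libxml_disable_entity_loader() is deprecated as of PHP 8.0, where external entity loading is off by default with libxml2 2.9 or later; the DOCTYPE rejection in parseSafe() is the part of the check that does not depend on that global flag.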
Modified Files
Status | File | Added | Removed
---|---|---|---
M | plugins/IM/include/jabbex_api/lib/loadconf/JabberServerConf.php | +9 | −4
M | plugins/statistics/include/statisticsPlugin.class.php | +1 | −1
M | plugins/tracker/bin/import_all_xml.php | +2 | −1
M | plugins/tracker/bin/import_tracker_xml_template.php | +11 | −16
M | plugins/tracker/include/Tracker/Artifact/XMLImport.class.php | +3 | −1
M | plugins/tracker/include/Tracker/Migration/MigrationManager.php | +3 | −0
M | plugins/tracker/include/Tracker/TrackerFactory.class.php | +6 | −1
M | plugins/tracker/include/Tracker/TrackerManager.class.php | +3 | −1
M | plugins/tracker/www/resources/templates/index.php | +4 | −3
M | plugins/tracker/www/soap/index.php | +1 | −1
M | plugins/tracker/www/soap/view-wsdl.php | +3 | −13
M | src/common/XmlValidator/XmlValidator.class.php | +7 | −1
M | src/common/autoload.php | +4 | −2
M | src/common/soap/SOAP_WSDLRenderer.class.php | +5 | −1
R | documentation/tools/doc_version.php | |
M | src/common/xml/RNGValidator.class.php | +7 | −1
A | src/common/xml/Security.class.php | +69 | −0
M | src/utils/TrackerV3-data-exporter.php | +4 | −0
M | src/www/include/pre.php | +2 | −0
M | src/www/soap/index.php | +1 | −1
M | src/www/soap/project/index.php | +1 | −1
M | src/www/soap/project/wsdl-viewer.php | +2 | −11
M | src/www/soap/svn/index.php | +1 | −1
M | src/www/soap/svn/wsdl-viewer.php | +2 | −11
M | src/www/soap/wsdl.php | +4 | −10
A | tests/simpletest/common/xml/SecurityTestPHP53.php | +55 | −0