Fix request #7458: External XML Entity Injection

An authenticated user in position to exploit this issue would be able to read files from the system and thus affect its confidentiality. More details on XXE: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

This impacts:
- load of xml configuration (agiledashboard, trackers, …)
- soap documentation
- migration tv3 ⇒ tv5
- Instant Messaging

Please note that the fix is based on the PHP function libxml_disable_entity_loader() which:
- is available since PHP 5.2.11 (PHP 5.1.6 will have to upgrade to PHP 5.3) http://php.net/libxml-disable-entity-loader
- is not thread safe https://bugs.php.net/bug.php?id=64938

Change-Id: I6fb08c070de8f14bafc122d43a074a747d845fb6
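The hardening pattern the commit message describes, as an added example that is not code from this Tuleap change: external entity loading is switched off around the parse and the previous process-global setting is restored afterwards, since the flag is shared by the whole process. Function names (hasDoctype, parseXmlWithoutEntities) and the sample documents are assumptions; the code avoids type hints and try/finally so it also runs on PHP 5.3.

```php
<?php
// Added example, not code from the Tuleap change on this page.
// Function names are illustrative; sample inputs are constructed.

function hasDoctype($xml)
{
    // Defence in depth: refuse any DTD, internal or external, for a
    // format (tracker templates, configuration) that never needs one.
    return preg_match('/<!DOCTYPE/i', $xml) === 1;
}

function parseXmlWithoutEntities($xml)
{
    if (hasDoctype($xml)) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }

    // libxml_disable_entity_loader() returns the previous setting so it
    // can be restored. The flag is process-global (see the thread-safety
    // note in the commit message), so it is restored on every path.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET additionally forbids network access while parsing.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_disable_entity_loader($previousLoader);
    libxml_use_internal_errors($previousErrors);

    if (!$ok) {
        throw new RuntimeException('XML is not well-formed');
    }
    return $doc;
}

// Constructed sample inputs: a plain document and one carrying a DTD.
$benign  = '<?xml version="1.0"?><tracker><name>Bugs</name></tracker>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE tracker [<!ENTITY x "y">]>'
         . '<tracker><name>&x;</name></tracker>';

$doc = parseXmlWithoutEntities($benign);
echo $doc->getElementsByTagName('name')->item(0)->textContent, "\n";

try {
    parseXmlWithoutEntities($withDtd);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP 8.0 and later the libxml_disable_entity_loader() call is deprecated because the bundled libxml 2.9 already refuses to load external entities by default; the DOCTYPE check and LIBXML_NONET remain useful there.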

Modified Files

Status  File                                                                Added/Removed
M       plugins/IM/include/jabbex_api/lib/loadconf/JabberServerConf.php     +9 −4
M       plugins/statistics/include/statisticsPlugin.class.php               +1 −1
M       plugins/tracker/bin/import_all_xml.php                              +2 −1
M       plugins/tracker/bin/import_tracker_xml_template.php                 +11 −16
M       plugins/tracker/include/Tracker/Artifact/XMLImport.class.php        +3 −1
M       plugins/tracker/include/Tracker/Migration/MigrationManager.php      +3 −0
M       plugins/tracker/include/Tracker/TrackerFactory.class.php            +6 −1
M       plugins/tracker/include/Tracker/TrackerManager.class.php            +3 −1
M       plugins/tracker/www/resources/templates/index.php                   +4 −3
M       plugins/tracker/www/soap/index.php                                  +1 −1
M       plugins/tracker/www/soap/view-wsdl.php                              +3 −13
M       src/common/XmlValidator/XmlValidator.class.php                      +7 −1
M       src/common/autoload.php                                             +4 −2
M       src/common/soap/SOAP_WSDLRenderer.class.php                         +5 −1
R       documentation/tools/doc_version.php
M       src/common/xml/RNGValidator.class.php                               +7 −1
A       src/common/xml/Security.class.php                                   +69 −0
M       src/utils/TrackerV3-data-exporter.php                               +4 −0
M       src/www/include/pre.php                                             +2 −0
M       src/www/soap/index.php                                              +1 −1
M       src/www/soap/project/index.php                                      +1 −1
M       src/www/soap/project/wsdl-viewer.php                                +2 −11
M       src/www/soap/svn/index.php                                          +1 −1
M       src/www/soap/svn/wsdl-viewer.php                                    +2 −11
M       src/www/soap/wsdl.php                                               +4 −10
A       tests/simpletest/common/xml/SecurityTestPHP53.php                   +55 −0