      request #24158 Docman import tool fails to load XML
    Infos
    #24158
    Aurélien Tisné (atisne)
    2021-11-19 14:07
    2021-11-19 14:04
    25702
    Details
    Docman import tool fails to load XML

    When using the docman import tool to import an external Docman, loading the XML file fails:

    PHP Warning:  DOMDocument::load(): I/O warning : failed to load external entity "/data/tmp/docman_surfass/docman_surfass.xml" in /usr/share/tuleap/plugins/docman/bin/DocmanImport/XMLDocmanImport.class.php on line 148
    error Failed to load XML document.
    error Unable to load the following XML document : /data/tmp/docman_surfass/docman_surfass.xml
    

    I guess this is linked to the vulnerability 'External XML Entity Injection'.

    Steps to reproduce:

    1. Export the docman of a project
    2. Import the exported docman into another project

    Follow-ups


    FYI, I quickly fixed using libxml_disable_entity_loader

            libxml_disable_entity_loader(false);
            $dom = new DOMDocument();
            if (! $dom->load($rootPath . '/' . $archiveName . '.xml')) {
                $this->logger->error("Failed to load XML document.");
                throw new Exception("Unable to load the following XML document : " . $rootPath . "/" . $archiveName . ".xml");
            }
            libxml_disable_entity_loader(true);
    

    I'm not sure this is the best way. This function is flagged deprecated in PHP 8.0.
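An alternative to toggling the entity loader around `DOMDocument::load()`, shown as an added example that is not Tuleap's code and not part of the follow-up above: read the file with PHP's own I/O and parse the string with `loadXML()`, so the entity loader stays disabled during parsing. The helper name `load_xml_file_safely` is hypothetical and the sample XML is constructed.

```php
<?php
// Hypothetical helper (added example, not Tuleap code).
function load_xml_file_safely(string $path): DOMDocument
{
    // Plain file I/O does not go through libxml's entity loader.
    $xml = file_get_contents($path);
    if ($xml === false) {
        throw new RuntimeException("Unable to read the following XML document : $path");
    }

    // Before PHP 8.0, keep the loader disabled while parsing and remember the
    // caller's state. From 8.0 on the function is deprecated, so it is not called.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately
        // not passed, so entity references are not substituted.
        if (! $dom->loadXML($xml, LIBXML_NONET)) {
            $first = libxml_get_errors()[0] ?? null;
            $detail = $first ? trim($first->message) : 'unknown parse error';
            throw new RuntimeException("Unable to load the following XML document : $path ($detail)");
        }
        return $dom;
    } finally {
        // Restore libxml state on success and on failure alike.
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample input standing in for an exported docman archive.
$path = tempnam(sys_get_temp_dir(), 'docman');
file_put_contents($path, '<?xml version="1.0"?><docman><item type="folder"><title>Project Documentation</title></item></docman>');
$dom = load_xml_file_safely($path);
echo $dom->documentElement->nodeName, PHP_EOL;
unlink($path);
```

Because the document is parsed from a string, it has no base URI, so anything the XML references by relative path will not be resolved.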