[Serializer] Fix XML decoding attack vector through external entities

Seldaek · fabpot · commit 0943a06a663b · 2012-02-24T22:50:04.000+01:00
diff --git a/Encoder/XmlEncoder.php b/Encoder/XmlEncoder.php
@@ -54,7 +54,18 @@ public function encode($data, $format)
      */
     public function decode($data, $format)
     {
+        $internalErrors = libxml_use_internal_errors(true);
+        $disableEntities = libxml_disable_entity_loader(true);
+        libxml_clear_errors();
+
         $xml = simplexml_load_string($data);
+        libxml_use_internal_errors($internalErrors);
+        libxml_disable_entity_loader($disableEntities);
+
+        if ($error = libxml_get_last_error()) {
+            throw new UnexpectedValueException($error->message);
+        }
+
         if (!$xml->count()) {
             if (!$xml->attributes()) {
                 return (string) $xml;
