Merge branch '2.0'

* 2.0:
  updated VERSION for 2.0.17
  updated CHANGELOG for 2.0.17
  updated vendors for 2.0.17
  fixed XML decoding attack vector through external entities
  prevents injection of malicious doc types
  disabled network access when loading XML documents
  refined previous commit
  prevents injection of malicious doc types
  standardized the way we handle XML errors
  Redirects are now absolute

Conflicts:
	CHANGELOG-2.0.md
	src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php
	src/Symfony/Component/DomCrawler/Crawler.php
	src/Symfony/Component/HttpKernel/Kernel.php
	tests/Symfony/Tests/Component/DependencyInjection/Loader/XmlFileLoaderTest.php
	tests/Symfony/Tests/Component/Routing/Loader/XmlFileLoaderTest.php
	tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php
	tests/Symfony/Tests/Component/Translation/Loader/XliffFileLoaderTest.php
	tests/Symfony/Tests/Component/Validator/Mapping/Loader/XmlFileLoaderTest.php
	vendors.php

Author: fabpot

Encoder/XmlEncoder.php

@@ -58,10 +58,20 @@ public function decode($data, $format)
         $disableEntities = libxml_disable_entity_loader(true);
         libxml_clear_errors();
 
-        $xml = simplexml_load_string($data);
+        $dom = new \DOMDocument();
+        $dom->loadXML($data, LIBXML_NONET);
+
         libxml_use_internal_errors($internalErrors);
         libxml_disable_entity_loader($disableEntities);
 
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new UnexpectedValueException('Document types are not allowed.');
+            }
+        }
+
+        $xml = simplexml_import_dom($dom);
+
         if ($error = libxml_get_last_error()) {
             throw new UnexpectedValueException($error->message);
         }

Tests/Encoder/XmlEncoderTest.php

@@ -50,6 +50,15 @@ public function testSetRootNodeName()
         $this->assertEquals($expected, $this->encoder->encode($obj, 'xml'));
     }
 
+    /**
+     * @expectedException        UnexpectedValueException
+     * @expectedExceptionMessage Document types are not allowed.
+     */
+    public function testDocTypeIsNotAllowed()
+    {
+        $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE foo><foo></foo>', 'foo');
+    }
+
     public function testAttributes()
     {
         $obj = new ScalarDummy;
@@ -242,20 +251,22 @@ public function testDecodeArray()
         $this->assertEquals($expected, $this->encoder->decode($source, 'xml'));
     }
 
-    /**
-     * @expectedException Symfony\Component\Serializer\Exception\UnexpectedValueException
-     */
     public function testPreventsComplexExternalEntities()
     {
         $oldCwd = getcwd();
         chdir(__DIR__);
 
         try {
-            $decoded = $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE scan[<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=XmlEncoderTest.php">]><scan>&test;</scan>', 'xml');
+            $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE scan[<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=XmlEncoderTest.php">]><scan>&test;</scan>', 'xml');
             chdir($oldCwd);
-        } catch (UnexpectedValueException $e) {
+
+            $this->fail('No exception was thrown.');
+        } catch (\Exception $e) {
             chdir($oldCwd);
-            throw $e;
+
+            if (!$e instanceof UnexpectedValueException) {
+                $this->fail('Expected UnexpectedValueException');
+            }
         }
     }