修复微信官方发布的XML外部实体注入漏洞

mengwb · mengwb · commit 53fa83a8b175 · 2018-07-10T16:43:16.000+08:00
diff --git a/Wechat/Lib/Tools.php b/Wechat/Lib/Tools.php
@@ -137,7 +137,10 @@ static private function _data_to_xml($data, $item = 'item', $id = 'id', $content
      */
     static public function xml2arr($xml)
     {
-        return json_decode(Tools::json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);
+        $disableEntities = libxml_disable_entity_loader(true);
+        $result = json_decode(Tools::json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);
+        libxml_disable_entity_loader($disableEntities);
+        return $result;
     }
 
     /**
diff --git a/Wechat/WechatPay.php b/Wechat/WechatPay.php
@@ -208,7 +208,9 @@ public function createMicroPay($auth_code, $out_trade_no, $total_fee, $body, $go
      */
     public function getNotify()
     {
+        $disableEntities = libxml_disable_entity_loader(true);
         $notifyInfo = (array)simplexml_load_string(file_get_contents("php://input"), 'SimpleXMLElement', LIBXML_NOCDATA);
+        libxml_disable_entity_loader($disableEntities);
         if (empty($notifyInfo)) {
             Tools::log('Payment notification forbidden access.', "ERR - {$this->appid}");
             $this->errCode = '404';

Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,10 @@ static private function _data_to_xml($data, $item = 'item', $id = 'id', $content`
`137`	`137`	`*/`
`138`	`138`	`static public function xml2arr($xml)`
`139`	`139`	`{`
`140`		`- return json_decode(Tools::json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);`
	`140`	`+ $disableEntities = libxml_disable_entity_loader(true);`
	`141`	`+ $result = json_decode(Tools::json_encode(simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA)), true);`
	`142`	`+ libxml_disable_entity_loader($disableEntities);`
	`143`	`+ return $result;`
`141`	`144`	`}`
`142`	`145`
`143`	`146`	`/**`