
Annotation of /updates/1/php-ZendFramework/current/SOURCES/ZendFramework-1.11.11-CVE-2012-3363.diff



Revision 300298 - (hide annotations) (download)
Sat Sep 29 17:19:19 2012 UTC (11 years, 6 months ago) by spuhler
File size: 3798 byte(s)
added 1.11.11-CVE-2012-3363 patch
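--- ZendFramework-1.11.11/library/Zend/XmlRpc/Response.php 2012-07-10 14:56:04.422364249 -0400
+++ ZendFramework-1.11.12/library/Zend/XmlRpc/Response.php 2012-06-19 12:03:28.000000000 -0400
@@ -14,7 +14,7 @@
 *
 * @category Zend
 * @package Zend_Controller
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
 */
 
@@ -35,9 +35,9 @@
 *
 * @category Zend
 * @package Zend_XmlRpc
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Response.php 23775 2011-03-01 17:25:24Z ralph $
+ * @version $Id: Response.php 24976 2012-06-19 16:03:28Z matthew $
 */
 class Zend_XmlRpc_Response
 {
@@ -176,11 +176,15 @@
 return false;
 }
 
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
+ $useInternalXmlErrors = libxml_use_internal_errors(true);
 try {
- $useInternalXmlErrors = libxml_use_internal_errors(true);
 $xml = new SimpleXMLElement($response);
+ libxml_disable_entity_loader($loadEntities);
 libxml_use_internal_errors($useInternalXmlErrors);
 } catch (Exception $e) {
+ libxml_disable_entity_loader($loadEntities);
 libxml_use_internal_errors($useInternalXmlErrors);
 // Not valid XML
 $this->_fault = new Zend_XmlRpc_Fault(651);
@@ -205,6 +209,7 @@
 
 try {
 if (!isset($xml->params) || !isset($xml->params->param) || !isset($xml->params->param->value)) {
+ require_once 'Zend/XmlRpc/Value/Exception.php';
 throw new Zend_XmlRpc_Value_Exception('Missing XML-RPC value in XML');
 }
 $valueXml = $xml->params->param->value->asXML();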
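Review bot: In the `@@ -176,11 +176,15 @@` hunk, `libxml_disable_entity_loader(true)` only stops libxml from fetching external entities; a response whose DOCTYPE declares nested internal entities is still expanded when `new SimpleXMLElement($response)` parses it, which can exhaust memory or CPU depending on the libxml2 build. XML-RPC payloads have no need for a DOCTYPE, so the method should refuse one before the `try`, for example with a coarse guard such as `if (strpos($response, '<!DOCTYPE') !== false)` that takes the same 651 fault path. The same gap applies to the `@@ -303,12 +303,16 @@` hunk in Request.php, which presumably parses client-supplied requests. `libxml_disable_entity_loader()` is also deprecated as of PHP 8.0, so this code needs a version guard on newer runtimes. The enclosing method starts and ends outside the hunk.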
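--- ZendFramework-1.11.11/library/Zend/XmlRpc/Request.php 2011-03-01 12:25:24.000000000 -0500
+++ ZendFramework-1.11.12/library/Zend/XmlRpc/Request.php 2012-06-19 12:03:28.000000000 -0400
@@ -14,7 +14,7 @@
 *
 * @category Zend
 * @package Zend_Controller
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
 */
 
@@ -41,9 +41,9 @@
 *
 * @category Zend
 * @package Zend_XmlRpc
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Request.php 23775 2011-03-01 17:25:24Z ralph $
+ * @version $Id: Request.php 24976 2012-06-19 16:03:28Z matthew $
 */
 class Zend_XmlRpc_Request
 {
@@ -303,12 +303,16 @@
 return false;
 }
 
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
 try {
 $xml = new SimpleXMLElement($request);
+ libxml_disable_entity_loader($loadEntities);
 } catch (Exception $e) {
 // Not valid XML
 $this->_fault = new Zend_XmlRpc_Fault(631);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
 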
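Review bot: In the `@@ -303,12 +303,16 @@` hunk the catch branch restores the entity loader only after the fault has been built, so if `new Zend_XmlRpc_Fault(631)` or `setEncoding()` throws, the process-wide setting stays at `true` and later file-based XML loading in the same process can fail. Move `libxml_disable_entity_loader($loadEntities);` to the first statement of the `catch`, matching the order used in the Response.php hunk. Unlike Response.php, this hunk leaves `libxml_use_internal_errors` untouched, so warnings from a malformed request are handled by whatever the caller configured; a short comment should say whether that is intended. The enclosing method starts and ends outside the hunk.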
