fix #1227 SECISSUE

- XXE 취약점 문제 해결 - Drupal의 소스코드를 참고하여 `Security::detectingXEE()` 추가 - 90e884ad0f - blogapi 애드온 및 `Context::_setXmlRpcArgument()`에서 취약점 방어 - 제보 : 한국인터넷진흥원
2026-01-03 16:51:40 +09:00 · 2015-02-04 13:49:21 +09:00 · 2015-02-04 13:49:21 +09:00 · a33a4b3081
commit a33a4b3081
parent 14ffdbe5f0
3 changed files with 68 additions and 3 deletions
--- a/addons/blogapi/blogapi.addon.php
+++ b/addons/blogapi/blogapi.addon.php
@ -30,8 +30,10 @@ if($_REQUEST['act'] != 'api')
 // Read func file
 require_once(_XE_PATH_ . 'addons/blogapi/blogapi.func.php');

+$xml = $GLOBALS['HTTP_RAW_POST_DATA'];
+
 // If HTTP_RAW_POST_DATA is NULL, Print error message
-if(!$GLOBALS['HTTP_RAW_POST_DATA'])
+if(!$xml)
 {
 	$content = getXmlRpcFailure(1, 'Invalid Method Call');
 	printContent($content);
@ -39,7 +41,14 @@ if(!$GLOBALS['HTTP_RAW_POST_DATA'])

 // xmlprc parsing
 // Parse the requested xmlrpc
-$xml = new SimpleXMLElement($GLOBALS['HTTP_RAW_POST_DATA']);
+if(Security::detectingXEE($xml))
+{
+	header("HTTP/1.0 400 Bad Request");
+	exit;
+}
+
+if(version_compare(PHP_VERSION, '5.2.11', '<=')) libxml_disable_entity_loader(true);
+$xml = new SimpleXMLElement($xml, LIBXML_NONET | LIBXML_NOENT);

 $method_name = (string)$xml->methodName;
 $params = $xml->params->param;
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -1240,8 +1240,15 @@ class Context
 			return;
 		}

+		$xml = $GLOBALS['HTTP_RAW_POST_DATA'];
+		if(Security::detectingXEE($xml))
+		{
+			header("HTTP/1.0 400 Bad Request");
+			exit;
+		}
+
 		$oXml = new XmlParser();
-		$xml_obj = $oXml->parse();
+		$xml_obj = $oXml->parse($xml);

 		$params = $xml_obj->methodcall->params;
 		unset($params->node_name, $params->attrs, $params->body);
--- a/classes/security/Security.class.php
+++ b/classes/security/Security.class.php
@ -175,6 +175,55 @@ class Security
 		return $var;
 	}

+	/**
+	 * @brief check XML External Entity
+	 *
+	 * @see from drupal. https://github.com/drupal/drupal/commit/90e884ad0f7f2cf269d953f7d70966de9fd821ff
+	 *
+	 * @param string $xml
+	 * @return bool
+	 */
+	static function detectingXEE($xml)
+	{
+		if(!$xml) return FALSE;
+
+		if(strpos($xml, '<!ENTITY') !== FALSE)
+		{
+			return TRUE;
+		}
+
+		// Strip XML declaration.
+		$header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xml, 0, 100), 1);
+		$xml = trim(substr_replace($xml, $header, 0, 100));
+		if($xml == '')
+		{
+			return TRUE;
+		}
+
+		// Strip DTD.
+		$header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($xml, 0, 200), 1);
+		$xml = trim(substr_replace($xml, $header, 0, 200));
+		if($xml == '')
+		{
+			return TRUE;
+		}
+
+		// Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
+		$root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n"));
+
+		// Reject a second DTD.
+		if(strtoupper($root_tag) == '<!DOCTYPE')
+		{
+			return TRUE;
+		}
+
+		if(!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault')))
+		{
+			return TRUE;
+		}
+
+		return FALSE;
+	}
 }
 /* End of file : Security.class.php */
 /* Location: ./classes/security/Security.class.php */