From f4f61f03c9d14eaa16a7a7fcd49f2086dfa56e92 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Mon, 10 Mar 2014 17:49:47 +0100
Subject: [PATCH] Disable XML entities when parsing XML
---
 lib/private/ocsclient.php | 16 ++++++++++++----
 lib/private/updater.php | 2 ++
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/private/ocsclient.php b/lib/private/ocsclient.php
index fa6e3fac1b..68dc2c2d6e 100644
--- a/lib/private/ocsclient.php
+++ b/lib/private/ocsclient.php
@@ -72,7 +72,9 @@ class OC_OCSClient{
 if($xml==false) {
 return null;
 }
- $data=simplexml_load_string($xml);
+ $loadEntities = libxml_disable_entity_loader(true);
+ $data = simplexml_load_string($xml);
+ libxml_disable_entity_loader($loadEntities);
 $tmp=$data->data;
 $cats=array();
@@ -117,7 +119,9 @@ class OC_OCSClient{
 if($xml==false) {
 return null;
 }
- $data=simplexml_load_string($xml);
+ $loadEntities = libxml_disable_entity_loader(true);
+ $data = simplexml_load_string($xml);
+ libxml_disable_entity_loader($loadEntities);
 $tmp=$data->data->content;
 for($i = 0; $i < count($tmp); $i++) {
@@ -159,7 +163,9 @@ class OC_OCSClient{
 OC_Log::write('core', 'Unable to parse OCS content', OC_Log::FATAL);
 return null;
 }
- $data=simplexml_load_string($xml);
+ $loadEntities = libxml_disable_entity_loader(true);
+ $data = simplexml_load_string($xml);
+ libxml_disable_entity_loader($loadEntities);
 $tmp=$data->data->content;
 $app=array();
@@ -200,7 +206,9 @@ class OC_OCSClient{
 OC_Log::write('core', 'Unable to parse OCS content', OC_Log::FATAL);
 return null;
 }
- $data=simplexml_load_string($xml);
+ $loadEntities = libxml_disable_entity_loader(true);
+ $data = simplexml_load_string($xml);
+ libxml_disable_entity_loader($loadEntities);
 $tmp=$data->data->content;
 $app=array();
diff --git a/lib/private/updater.php b/lib/private/updater.php
index f05d5038b7..292752067b 100644
--- a/lib/private/updater.php
+++ b/lib/private/updater.php
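Review bot: `simplexml_load_string()` returns `false` for a document that is not well-formed, and the context line right after the added block in the -72 hunk (`$tmp=$data->data;`) still dereferences the result without a check. The existing `$xml==false` guard only covers an empty string, so a truncated or malformed reply (presumably from the OCS server; the origin of `$xml` is outside the hunk) gets past it. After the restore call, add `if ($data === false) { return null; }`; the same applies to the hunks at -117, -159 and -200, and to the `lib/private/updater.php` hunk, where the fallback would be `return array();`. Each enclosing method starts and ends outside its hunk, so how callers treat `null` is not visible here.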
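Review bot: The save/disable/restore sequence around the parse in the -117 hunk (and the identical ones in the other hunks) has no comment saying why the previous value is put back, which makes the third line look removable. Suggest adding above `$loadEntities = ...`: `// Block external entity loading (XXE) for this parse only; the libxml flag is not scoped to the call, so restore the previous value.` It is worth stating there as well that this stops external entities from being fetched but leaves internal entity expansion to libxml's own limits, and that `libxml_disable_entity_loader()` is deprecated as of PHP 8.0, which builds against libxml 2.9.0+ where external entity loading is already off by default.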
@@ -76,7 +76,9 @@ class Updater extends BasicEmitter {
 if ($xml == false) {
 return array();
 }
+ $loadEntities = libxml_disable_entity_loader(true);
 $data = @simplexml_load_string($xml);
+ libxml_disable_entity_loader($loadEntities);
 $tmp = array();
 $tmp['version'] = $data->version;
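Review bot: This is the fifth copy of the same three-line disable/parse/restore sequence, now spread over two files, so any later change (an error check, a different libxml option) has to be made in five places. Consider one shared helper that takes the XML string, disables the entity loader, parses, restores the previous value and returns the element or `false`, and call it here and from the four sites in `lib/private/ocsclient.php`. In this hunk the `@` on `simplexml_load_string` also hides the parse warning, so the helper would be the natural place to log a failed parse instead of suppressing it. The surrounding method is only partly visible in the hunk.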