From 90e884ad0f7f2cf269d953f7d70966de9fd821ff Mon Sep 17 00:00:00 2001 From: David Rothstein Date: Wed, 6 Aug 2014 13:14:03 -0400 Subject: Drupal 7.31 --- includes/xmlrpc.inc | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'includes/xmlrpc.inc') diff --git a/includes/xmlrpc.inc b/includes/xmlrpc.inc index b1c6f39c6..dc69dd99f 100644 --- a/includes/xmlrpc.inc +++ b/includes/xmlrpc.inc @@ -178,7 +178,41 @@ function xmlrpc_message_parse($xmlrpc_message) { xml_set_element_handler($xmlrpc_message->_parser, 'xmlrpc_message_tag_open', 'xmlrpc_message_tag_close'); xml_set_character_data_handler($xmlrpc_message->_parser, 'xmlrpc_message_cdata'); xmlrpc_message_set($xmlrpc_message); - if (!xml_parse($xmlrpc_message->_parser, $xmlrpc_message->message)) { + + // Strip XML declaration. + $header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xmlrpc_message->message, 0, 100), 1); + $xml = trim(substr_replace($xmlrpc_message->message, $header, 0, 100)); + if ($xml == '') { + return FALSE; + } + // Strip DTD. + $header = preg_replace('/^]*+>/i', '', substr($xml, 0, 200), 1); + $xml = trim(substr_replace($xml, $header, 0, 200)); + if ($xml == '') { + return FALSE; + } + // Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n] + $root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n")); + // Reject a second DTD. + if (strtoupper($root_tag) == 'loadXML($xml); + if ($dom->getElementsByTagName('*')->length > variable_get('xmlrpc_message_maximum_tag_count', 30000)) { + return FALSE; + } + } + catch (Exception $e) { + return FALSE; + } + + if (!xml_parse($xmlrpc_message->_parser, $xml)) { return FALSE; } xml_parser_free($xmlrpc_message->_parser); -- cgit v1.2.3