From dd11c2d468de18cc44fe9880dc6b1cff2e6a6923 Mon Sep 17 00:00:00 2001
From: Michiel Kodde <mkodde@ibuildings.nl>
Date: Mon, 21 Jan 2019 14:16:35 +0100
Subject: [PATCH] Prevent XXE in SPController

By disabling the entity loader, we prevent possible XXE exploitations.
After disabling the loader, the previous state is reset.
---
 src/SpBundle/Controller/SPController.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/SpBundle/Controller/SPController.php b/src/SpBundle/Controller/SPController.php
index 404b793d..8aa489f9 100644
--- a/src/SpBundle/Controller/SPController.php
+++ b/src/SpBundle/Controller/SPController.php
@@ -154,10 +154,12 @@ public function assertionConsumerServiceAction(Request $request)
      */
     private function toFormattedXml($xml)
     {
+        $previous = libxml_disable_entity_loader(true);
         $domxml = new DOMDocument('1.0');
         $domxml->preserveWhiteSpace = false;
         $domxml->formatOutput = true;
         $domxml->loadXML($xml);
+        libxml_disable_entity_loader($previous);
 
         return $domxml->saveXML();
     }