Merge pull request #68 from OpenConext/feature/prevent-xxe

Prevent XXE in SPController
OpenConext · Feb 11, 2019 · f983c4b · f983c4b
2 parents 87cdb45 + dd11c2d
commit f983c4b
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/SpBundle/Controller/SPController.php b/src/SpBundle/Controller/SPController.php
@@ -154,10 +154,12 @@ public function assertionConsumerServiceAction(Request $request)
      */
     private function toFormattedXml($xml)
     {
+        $previous = libxml_disable_entity_loader(true);
         $domxml = new DOMDocument('1.0');
         $domxml->preserveWhiteSpace = false;
         $domxml->formatOutput = true;
         $domxml->loadXML($xml);
+        libxml_disable_entity_loader($previous);
 
         return $domxml->saveXML();
     }