mattm 14/06/25 20:44:15 Added: zbx8151.patch Log: Upstream version bump with patch for Security bug 513814, Cleanup for prior security bug 509898 (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 786037A7)
Revision Changes Path 1.1 net-analyzer/zabbix/files/2.2/patches/zbx8151.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch?rev=1.1&content-type=text/plain Index: zbx8151.patch =================================================================== Index: frontends/php/include/defines.inc.php =================================================================== --- frontends/php/include/defines.inc.php (revision 46596) +++ frontends/php/include/defines.inc.php (revision 46655) @@ -835,6 +835,14 @@ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts'); +// XML import flags +// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed +// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml +// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND +// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name - +// so this flag is not needed here. +define('LIBXML_IMPORT_FLAGS', LIBXML_NONET); + // API errors define('ZBX_API_ERROR_INTERNAL', 111); define('ZBX_API_ERROR_PARAMETERS', 100); Index: frontends/php/include/classes/import/readers/CXmlImportReader.php =================================================================== --- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596) +++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655) @@ -32,7 +32,8 @@ */ public function read($string) { libxml_use_internal_errors(true); - $result = simplexml_load_string($string); + libxml_disable_entity_loader(true); + $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS); if (!$result) { $errors = libxml_get_errors(); libxml_clear_errors(); Index: frontends/php/include/classes/import/CXmlImport18.php =================================================================== --- frontends/php/include/classes/import/CXmlImport18.php (revision 46596) +++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655) @@ -390,12 +390,13 @@ return $array; } - public static function import($file) { + public static function import($source) { libxml_use_internal_errors(true); + libxml_disable_entity_loader(true); $xml = new DOMDocument(); - if (!$xml->loadXML($file)) { + if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) { $text = ''; foreach (libxml_get_errors() as $error) { switch ($error->level) {
