Diffstat (limited to 'net-analyzer/zabbix/files/2.2/patches/zbx8151.patch')
-rw-r--r--net-analyzer/zabbix/files/2.2/patches/zbx8151.patch53
1 files changed, 0 insertions, 53 deletions
diff --git a/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch b/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
deleted file mode 100644
index 076e10ab75a4..000000000000
--- a/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Index: frontends/php/include/defines.inc.php
-===================================================================
---- frontends/php/include/defines.inc.php (revision 46596)
-+++ frontends/php/include/defines.inc.php (revision 46655)
-@@ -835,6 +835,14 @@
-
- define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
-
-+// XML import flags
-+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
-+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
-+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
-+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
-+// so this flag is not needed here.
-+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
-+
- // API errors
- define('ZBX_API_ERROR_INTERNAL', 111);
- define('ZBX_API_ERROR_PARAMETERS', 100);
-Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
-===================================================================
---- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
-+++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
-@@ -32,7 +32,8 @@
- */
- public function read($string) {
- libxml_use_internal_errors(true);
-- $result = simplexml_load_string($string);
-+ libxml_disable_entity_loader(true);
-+ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
- if (!$result) {
- $errors = libxml_get_errors();
- libxml_clear_errors();
-Index: frontends/php/include/classes/import/CXmlImport18.php
-===================================================================
---- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
-+++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
-@@ -390,12 +390,13 @@
- return $array;
- }
-
-- public static function import($file) {
-+ public static function import($source) {
-
- libxml_use_internal_errors(true);
-+ libxml_disable_entity_loader(true);
-
- $xml = new DOMDocument();
-- if (!$xml->loadXML($file)) {
-+ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
- $text = '';
- foreach (libxml_get_errors() as $error) {
- switch ($error->level) {