
Changeset 29404


Timestamp:
08/06/2014 05:37:22 PM (10 years ago)
Author:
nacin
Message:

Ignore entities in XML-RPC requests.

props mdawaffe, nacin.

File:
1 edited

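--- a/trunk/src/wp-includes/class-IXR.php
+++ b/trunk/src/wp-includes/class-IXR.php
@@ -204,9 +204,35 @@
         // first remove the XML declaration
         // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
-        $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
-        $this->message = substr_replace($this->message, $header, 0, 100);
-        if (trim($this->message) == '') {
+        $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
+        if ( '' == $this->message ) {
             return false;
         }
+
+        // Then remove the DOCTYPE
+        $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
+        if ( '' == $this->message ) {
+            return false;
+        }
+
+        // Check that the root tag is valid
+        $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
+        if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
+            return false;
+        }
+        if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
+            return false;
+        }
+
+        // Bail if there are too many elements to parse
+        $element_limit = 30000;
+        if ( function_exists( 'apply_filters' ) ) {
+            $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
+        }
+        if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
+            return false;
+        }
+
         $this->_parser = xml_parser_create();
         // Set XML parser to take the case of tags in to account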
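Review bot: The DOCTYPE strip at new line 213 uses `[^>]*+`, so a DOCTYPE that carries an internal subset (which itself contains `>`) is removed only up to its first `>`, and rejecting the leftover fragment is then the job of the root-tag check at lines 220-226; that coupling between the two checks is not stated anywhere and deserves a comment above line 213, e.g. `// Strips only up to the first '>' — a DOCTYPE with an internal subset (or one longer than 200 bytes) leaves a tail that the root-tag check below must reject.` The same backstop applies when the DOCTYPE exceeds the 200-byte window, where line 221 catches the untouched `<!DOCTYPE` prefix. The `in_array()` at line 224 would also read more safely with `true` as its third argument, although with a `<`-prefixed needle loose comparison cannot fall into numeric comparison here. The enclosing method starts and ends outside the hunk.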