From 824ca5b0309eef4229f3b8640114d889fd4a9b87 Mon Sep 17 00:00:00 2001 From: Andrew Nacin Date: Wed, 6 Aug 2014 17:40:17 +0000 Subject: [PATCH] Ignore entities in XML-RPC requests. Merges [29404] to the 3.9 branch. props mdawaffe, nacin. Built from https://develop.svn.wordpress.org/branches/3.9@29405 git-svn-id: http://core.svn.wordpress.org/branches/3.9@29183 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-IXR.php | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/wp-includes/class-IXR.php b/wp-includes/class-IXR.php index 7264db6efb..f576719c87 100644 --- a/wp-includes/class-IXR.php +++ b/wp-includes/class-IXR.php @@ -203,11 +203,37 @@ class IXR_Message { // first remove the XML declaration // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages - $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1); - $this->message = substr_replace($this->message, $header, 0, 100); - if (trim($this->message) == '') { + $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 ); + $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) ); + if ( '' == $this->message ) { return false; } + + // Then remove the DOCTYPE + $header = preg_replace( '/^]*+>/i', '', substr( $this->message, 0, 200 ), 1 ); + $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) ); + if ( '' == $this->message ) { + return false; + } + + // Check that the root tag is valid + $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) ); + if ( 'message, '<' ) ) { + return false; + } + $this->_parser = xml_parser_create(); // Set XML parser to take the case of tags in to account xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
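Review bot: The comment `// Then remove the DOCTYPE` overstates what that step guarantees, and the new code should say which check is actually load-bearing. The strip inspects only the first 200 bytes, and although the pattern is damaged on this page (`'/^]*+>/i'`), its visible `^` anchor and `]*+>` tail suggest it matches a declaration only at offset 0 and stops at the first `>`, so anything it leaves behind has to be caught by the root-tag check that follows. The condition of that `if` is truncated here, so I cannot confirm what `$root_tag` is compared against; assuming it rejects everything except the expected XML-RPC root elements, I would add `// Best-effort strip only; the root-tag check below is what rejects a leftover DOCTYPE or entity declaration before xml_parser_create().` plus a one-line comment explaining the 100/200/20-byte windows. The enclosing method begins before the hunk and continues past it.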