prevents injection of malicious doc types

symfony · Aug 28, 2012 · cb3439f · cb3439f
1 parent ccd8a86
commit cb3439f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/Loader/XliffFileLoader.php b/Loader/XliffFileLoader.php
@@ -64,6 +64,14 @@ private function parseFile($file)
             throw new \RuntimeException(implode("\n", $this->getXmlErrors($internalErrors)));
         }
 
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                libxml_use_internal_errors($internalErrors);
+
+                throw new \RuntimeException('Document types are not allowed.');
+            }
+        }
+
         $location = str_replace('\\', '/', __DIR__).'/schema/dic/xliff-core/xml.xsd';
         $parts = explode('/', $location);
         if (0 === stripos($location, 'phar://')) {