Zend Framework
3.0
Static Public Member Functions

static scan ($xml, DOMDocument $dom=null)
    Scan an XML string for potential XXE and XEE attacks.
static scanFile ($file, DOMDocument $dom=null)
    Scan an XML file for potential XXE/XEE attacks.
static isPhpFpm ()
    Return true if PHP is running under PHP-FPM on a version that still needs the heuristic scan.

Public Attributes

const ENTITY_DETECT = 'Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks'

Static Protected Member Functions

static heuristicScan ($xml)
    Heuristic scan for <!ENTITY declarations in XML.
static getEntityComparison ($xml)
    Determine and return the string(s) to use for the <!ENTITY comparison.
static detectStringEncoding ($xml)
    Determine the string encoding.
static detectBom ($string)
    Attempt to match a known BOM.
static detectXmlStringEncoding ($xml)
    Attempt to detect the string encoding of an XML string.
static detectXmlEncoding ($xml, $fileEncoding)
    Attempt to detect the encoding declared in the XML declaration.
static getBomMap ()
    Return a list of BOM maps.
static getAsciiEncodingMap ()
    Return a map of encoding => generator pairs.
static substr ($string, $start, $end)
    Byte-by-byte substr.
Member Function Documentation

static protected detectBom ($string)

Attempt to match a known BOM.
Iterates through the return of getBomMap(), comparing the initial bytes of the provided string to the BOM of each; if a match is found, it returns the matched encoding.
Parameters:
    string $string
static protected detectStringEncoding ($xml)

Determine the string encoding.
Determines the string encoding from a detected BOM (detectBom()) or, when no BOM is present, from a heuristic on the start of the document (detectXmlStringEncoding()).
Parameters:
    string $xml
static protected detectXmlEncoding ($xml, $fileEncoding)

Attempt to detect the encoding declared in the XML declaration.
Using the file's encoding, determines whether an "encoding" attribute is present and well-formed in the XML declaration; if so, it returns a list holding both the ASCII representation of that declared encoding and the original file encoding. Otherwise a list containing only the provided file encoding is returned. Both encodings are candidates for the <!ENTITY comparison, because the declared encoding and the encoding of the actual bytes need not agree.
Parameters:
    string $xml
    string $fileEncoding
static protected detectXmlStringEncoding ($xml)

Attempt to detect the string encoding of an XML string.
Used when no BOM is present: compares the start of the string with the XML declaration as rendered in each encoding of getAsciiEncodingMap().
Parameters:
    string $xml
static protected getAsciiEncodingMap ()

Return a map of encoding => generator pairs.
Each generator is a callable that accepts an ASCII string and returns the byte sequence that string has in the corresponding encoding. The generators produce the encoding-specific byte forms of markers such as "<!ENTITY" that the heuristic scan searches for.
static protected getBomMap ()

Return a list of BOM maps.
Returns a list of common encoding -> BOM maps, along with the number of leading bytes to compare against.
static protected getEntityComparison ($xml)

Determine and return the string(s) to use for the <!ENTITY comparison.
Resolves the candidate encodings of the document (detected from its bytes and declared in its XML declaration) and returns "<!ENTITY" rendered as a byte sequence in each, so that a declaration is found even when the document is not UTF-8.
Parameters:
    string $xml
static protected heuristicScan ($xml)

Heuristic scan for <!ENTITY declarations in XML.
Searches the raw bytes for each comparison string returned by getEntityComparison(). Used instead of the libxml-based check when isPhpFpm() reports that libxml cannot be used safely.
Parameters:
    string $xml
Exceptions:
    Exception\RuntimeException   If entity expansion or an external entity declaration is discovered.
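The following is an added example, not zend-xml's own code: an illustrative re-implementation of the heuristic scan outlined in the protected methods above (BOM map, encoding => generator map, "<!ENTITY" comparison across the detected and declared encodings). All function names are this example's own; it assumes PHP 7.4+ for arrow functions. The constructed sample is a UTF-16LE document, which is exactly the case a naive ASCII search for "<!ENTITY" misses.

```php
<?php
// Added example, not zend-xml's code: illustrative re-implementation of the heuristic scan
// (BOM map, encoding => generator map, "<!ENTITY" comparison). Names are this example's own.

// Widen each ASCII byte to $width bytes (UTF-16/UTF-32 style), big- or little-endian.
function ascii_to_wide(string $ascii, int $width, bool $bigEndian): string {
    $pad = str_repeat("\0", $width - 1);
    $out = '';
    foreach (str_split($ascii) as $ch) {
        $out .= $bigEndian ? $pad . $ch : $ch . $pad;
    }
    return $out;
}

// encoding => generator; each callable maps an ASCII string to its bytes in that encoding.
// Wider encodings come first so a prefix test is never satisfied by a narrower one.
function ascii_encoding_map(): array {
    return [
        'UTF-32BE' => fn(string $s) => ascii_to_wide($s, 4, true),
        'UTF-32LE' => fn(string $s) => ascii_to_wide($s, 4, false),
        'UTF-16BE' => fn(string $s) => ascii_to_wide($s, 2, true),
        'UTF-16LE' => fn(string $s) => ascii_to_wide($s, 2, false),
        'UTF-8'    => fn(string $s) => $s,
    ];
}

// Known BOMs; the byte count to compare is the BOM's own length. UTF-32LE must precede
// UTF-16LE because its BOM (FF FE 00 00) starts with the UTF-16LE BOM (FF FE).
function bom_map(): array {
    return ['UTF-32BE' => "\x00\x00\xFE\xFF", 'UTF-32LE' => "\xFF\xFE\x00\x00",
            'UTF-16BE' => "\xFE\xFF", 'UTF-16LE' => "\xFF\xFE", 'UTF-8' => "\xEF\xBB\xBF"];
}

function detect_bom(string $xml) {
    foreach (bom_map() as $encoding => $bom) {
        if (strncmp($xml, $bom, strlen($bom)) === 0) return $encoding;
    }
    return false;
}

// No BOM: test for "<?xml" rendered in each encoding, falling back to UTF-8.
function detect_xml_string_encoding(string $xml): string {
    foreach (ascii_encoding_map() as $encoding => $gen) {
        $prefix = $gen('<?xml');
        if (strncmp($xml, $prefix, strlen($prefix)) === 0) return $encoding;
    }
    return 'UTF-8';
}

// [declared encoding, file encoding] when the declaration carries a well-formed
// encoding="..." attribute, otherwise [file encoding].
function detect_xml_encoding(string $xml, string $fileEncoding): array {
    $gen      = ascii_encoding_map()[$fileEncoding];
    $encAttr  = $gen('encoding="');
    $closePos = strpos($xml, $gen('?>'));
    $encPos   = strpos($xml, $encAttr);
    if ($closePos === false || $encPos === false || $encPos > $closePos) {
        return [$fileEncoding];
    }
    $encPos  += strlen($encAttr);
    $quotePos = strpos($xml, $gen('"'), $encPos);
    if ($quotePos === false || $quotePos > $closePos) {
        return [$fileEncoding];
    }
    // Drop the padding bytes of wide encodings to recover the ASCII name.
    return [str_replace("\0", '', substr($xml, $encPos, $quotePos - $encPos)), $fileEncoding];
}

// "<!ENTITY" as a byte sequence in every encoding the document may be in.
function entity_comparisons(string $xml): array {
    $map     = ascii_encoding_map();
    $fileEnc = detect_bom($xml) ?: detect_xml_string_encoding($xml);
    $needles = [];
    foreach (detect_xml_encoding($xml, $fileEnc) as $enc) {
        $enc = strtoupper($enc);
        if (isset($map[$enc])) $needles[$enc] = $map[$enc]('<!ENTITY');
    }
    return $needles;
}

function heuristic_scan(string $xml): void {
    foreach (entity_comparisons($xml) as $enc => $needle) {
        if (strpos($xml, $needle) !== false) {
            throw new RuntimeException("Detected use of ENTITY in XML ($enc), disabled to prevent XXE/XEE attacks");
        }
    }
}

// Constructed sample: a classic XXE payload re-encoded as UTF-16LE with a BOM, so a naive
// strpos() for the ASCII bytes of "<!ENTITY" misses the declaration.
$payload = '<?xml version="1.0" encoding="UTF-16"?>'
         . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>';
$utf16le = "\xFF\xFE" . ascii_to_wide($payload, 2, false);
var_dump(strpos($utf16le, '<!ENTITY') !== false);   // bool(false): the naive check misses it
try {
    heuristic_scan($utf16le);
    echo "clean\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                       // found via the UTF-16LE needle
}
```

The declared encoding here is "UTF-16", which has no entry in the generator map and is skipped, while the BOM-detected file encoding UTF-16LE supplies the needle that matches. That is why both the declared and the detected encoding are carried through to the comparison: whichever one describes the actual bytes is the one that finds the declaration.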
static isPhpFpm ()

Return true if PHP is running under PHP-FPM on a version that still needs the heuristic scan.
This method is mainly used to decide whether the heuristic checks should be made instead of the libxml checks: libxml has threading issues, and under PHP-FPM threading becomes a concern.
However, PHP 5.5.22+ and 5.6.6+ contain a patch to PHP's libxml support that makes the libxml checks viable; on those versions this method returns false so that the libxml checks, which are stricter and more accurate than the heuristic ones, are enforced.
static scan ($xml, DOMDocument $dom=null)

Scan an XML string for potential XXE and XEE attacks.
Parameters:
    string      $xml
    DOMDocument $dom   Optional document to load the XML into.
Exceptions:
    Exception\RuntimeException   If an ENTITY declaration is detected (message: ENTITY_DETECT).
static scanFile ($file, DOMDocument $dom=null)

Scan an XML file for potential XXE/XEE attacks.
Parameters:
    string      $file
    DOMDocument $dom   Optional document to load the XML into.
Exceptions:
    Exception\InvalidArgumentException   If $file does not exist.
    Exception\RuntimeException           Propagated from scan() if an ENTITY declaration is detected.
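An added usage example for the public scan()/scanFile() API documented above; it is not code from the Zend Framework documentation. It assumes the class is Zend\Xml\Security, that its exceptions live in Zend\Xml\Exception, and that scan() returns a SimpleXMLElement when no DOMDocument is passed (the DOMDocument when one is) or false if libxml cannot parse the input at all. The inputs are constructed; the vulnerable parseUnsafe() is included only to show the pattern the scan replaces and is never called.

```php
<?php
// Added usage example, not code from the Zend Framework docs. Assumed names:
// Zend\Xml\Security, Zend\Xml\Exception\{RuntimeException,InvalidArgumentException}.
use Zend\Xml\Security;
use Zend\Xml\Exception\RuntimeException;
use Zend\Xml\Exception\InvalidArgumentException;

// Constructed inputs: a benign document, an external-entity (XXE) payload and an
// entity-expansion (XEE, "billion laughs"-style) payload.
$benign = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>';
$xxe    = '<?xml version="1.0"?>'
        . '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        . '<order><id>&xxe;</id></order>';
$xee    = '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        . '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
        . '<lolz>&lol2;</lolz>';

// The vulnerable pattern the scan replaces, shown for contrast only (not invoked):
// LIBXML_NOENT substitutes entities, so the SYSTEM entity above would pull
// /etc/passwd into <id>.
function parseUnsafe(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom;
}

// Hardened: route untrusted XML through Security::scan(); null means "rejected".
function parseUntrusted(string $xml): ?SimpleXMLElement
{
    try {
        $result = Security::scan($xml);
    } catch (RuntimeException $e) {
        // $e->getMessage() is Security::ENTITY_DETECT
        error_log('Rejected XML: ' . $e->getMessage());
        return null;
    }
    // Assumption: scan() returns false when libxml cannot parse the document.
    return $result === false ? null : $result;
}

echo (string) parseUntrusted($benign)->id, "\n";   // 42
var_dump(parseUntrusted($xxe));                    // NULL: external entity declaration
var_dump(parseUntrusted($xee));                    // NULL: internal entities are refused too

// Files go through scanFile(); a caller-supplied DOMDocument is loaded and returned.
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, $benign);
$dom = Security::scanFile($tmp, new DOMDocument());
echo $dom->documentElement->tagName, "\n";         // order
unlink($tmp);

try {
    Security::scanFile('/no/such/file.xml');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                   // the file does not exist
}
```

Note that the scan refuses any ENTITY declaration, internal ones included, rather than trying to distinguish harmless from harmful ones; a consumer that legitimately needs internal entities must therefore not pass such documents through this API.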
static protected substr ($string, $start, $end)

Byte-by-byte substr.
Rather than calling PHP's substr(), which the mbstring extension can overload (mbstring.func_overload) so that it counts characters instead of bytes, this method copies the string byte by byte from $start up to $end, so the encoding-detection code always works on a fixed byte range. Note that $end is an absolute offset, not a length.
Parameters:
    string $string
    int    $start
    int    $end