Tucker-Eric / laravel-xml-middleware

A Laravel Middleware to accept XML requests
MIT License

Sending invalid XML causes an exception #9

Open judgej opened 6 years ago

judgej commented 6 years ago

Sending broken XML to the application throws an exception. The middleware must not trust the XML so much that it assumes it is valid. That's a potential attack vector.

{
    "message": "simplexml_load_string(): Entity: line 1: parser error : Opening and ending tag mismatch: Document line 1 and xDocument",
    "exception": "ErrorException",
    "file": "/.../vendor/tucker-eric/laravel-xml-middleware/src/XmlRequestServiceProvider.php",
    "line": 27,
    "trace": [
        {
            "function": "handleError",
            "class": "Illuminate\\Foundation\\Bootstrap\\HandleExceptions",
            "type": "->"
        },
        {
            "file": "/.../vendor/tucker-eric/laravel-xml-middleware/src/XmlRequestServiceProvider.php",
            "line": 27,
            "function": "simplexml_load_string"
        },
        {
            "function": "XmlMiddleware\\{closure}",
            "class": "Illuminate\\Http\\Request",
            "type": "->"
        },
        ...
}

Tucker-Eric commented 6 years ago

Good point. We'll add some error handling. I'd be happy to merge a PR for this.

judgej commented 6 years ago

Okay, I'm just putting some project stuff together at the moment. If/when I make the necessary changes, I'll make sure it's a PR.
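
One way to add the error handling discussed in this thread, shown as an added example that is not the project's code or a merged fix. The helper name `parseUntrustedXml` and the sample inputs are assumptions; a middleware would map the thrown exception to an HTTP 400 response.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not part of laravel-xml-middleware).
 * Parses an untrusted XML request body into an array, or throws
 * InvalidArgumentException carrying the parser's messages.
 */
function parseUntrustedXml(string $body): array
{
    if (trim($body) === '') {
        throw new InvalidArgumentException('Empty XML body');
    }

    // Collect libxml errors internally instead of emitting PHP warnings,
    // which Laravel's HandleExceptions converts into ErrorException.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();

    try {
        // LIBXML_NONET: no network access while parsing. LIBXML_NOENT is
        // deliberately not set, so entities are not substituted.
        $xml = simplexml_load_string($body, SimpleXMLElement::class, LIBXML_NONET);
        $errors = libxml_get_errors();
    } finally {
        // Always restore the caller's libxml state, even on failure.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }

    if ($xml === false) {
        $messages = array_map(
            static fn (LibXMLError $e): string => sprintf('line %d: %s', $e->line, trim($e->message)),
            $errors
        );
        throw new InvalidArgumentException('Invalid XML: ' . implode('; ', $messages));
    }

    // Convert to a plain array via a JSON round trip.
    return json_decode((string) json_encode($xml), true) ?? [];
}

// Constructed sample inputs: one well-formed, one with mismatched tags.
foreach (['<Document><id>1</id></Document>', '<Document></xDocument>'] as $sample) {
    try {
        var_dump(parseUntrustedXml($sample));
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL; // caller decides how to reject the request
    }
}
```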