dodgepudding / wechat-php-sdk

WeChat Official Account Platform PHP development kit, weixin developer SDK.
4.44k stars 2.33k forks

XXE external entity injection vulnerability #269

Closed ghost closed 8 years ago

ghost commented 8 years ago

When the file https://github.com/dodgepudding/wechat-php-sdk/blob/master/wechat.class.php uses simplexml_load_string(): (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA); you can use libxml_disable_entity_loader(true).
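
As an added illustration (not part of the original comment and not the SDK's own code), here is the suggestion above applied to the quoted call. `parseWechatXml` is a hypothetical helper name and both sample messages are constructed.

```php
<?php
// Added example, not SDK code. parseWechatXml() is a hypothetical helper name.
function parseWechatXml(string $postStr): array
{
    // Push messages of the kind handled here carry no DTD, so a DOCTYPE is refused.
    // Defence in depth only: a byte-level check can miss other encodings
    // (e.g. UTF-16), so the parser settings below remain the primary control.
    if (stripos($postStr, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }

    // The fix suggested in the issue. The function is deprecated since PHP 8.0,
    // which requires libxml >= 2.9.0, where entity substitution is off by default.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }

    $useErrors = libxml_use_internal_errors(true);
    try {
        // Same call as quoted in the issue, plus LIBXML_NONET (no network access).
        // LIBXML_NOENT and LIBXML_DTDLOAD must never be added to these flags.
        $xml = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
        if ($xml === false) {
            throw new InvalidArgumentException('Malformed XML');
        }
        return (array) $xml;
    } finally {
        // Restore process-wide libxml state so other code is unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample inputs: a plain message and one that declares a DTD.
$benign  = '<xml><MsgType><![CDATA[text]]></MsgType><Content><![CDATA[hello]]></Content></xml>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE xml [<!ENTITY e "x">]><xml><Content>&e;</Content></xml>';

var_dump(parseWechatXml($benign)['Content']);
try {
    parseWechatXml($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```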