From ab3737e56929f90f7a444e076b6a2cbfcfb13ae4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 29 Dec 2023 17:55:09 +0100
Subject: [PATCH] Fix libxml_disable_entity_loader(true) must be called only if LIBXML is lower than 20900 (disabled by default for libxml 2.9.0)
---
htdocs/admin/system/dolibarr.php | 6 ++++++
htdocs/admin/system/filecheck.php | 6 ++++++
htdocs/admin/tools/update.php | 6 ++++++
htdocs/api/class/api_setup.class.php | 6 ++++++
htdocs/core/class/rssparser.class.php | 8 ++++++--
htdocs/core/lib/functions.lib.php | 6 +++++-
htdocs/core/tpl/login.tpl.php | 6 ++++++
7 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index cc7fc970529..c7f07ad0040 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -52,6 +52,12 @@ if ($action == 'getlastversion') {
 $result = getURLContent('https://sourceforge.net/projects/dolibarr/rss');
 //var_dump($result['content']);
 if (function_exists('simplexml_load_string')) {
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
+
 $sfurl = simplexml_load_string($result['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
 } else {
 setEventMessages($langs->trans("ErrorPHPDoesNotSupport", "xml"), null, 'errors');
diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php
index b0abc81cf7a..a1e04d8db07 100644
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
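Review bot: The comment inside the new `if (LIBXML_VERSION < 20900)` block restates what the call does but not why it is now conditional, which is the whole point of this commit and the first thing the next reader will ask. I would replace the two comment lines with `// libxml >= 2.9.0 refuses to load external entities by default and PHP 8 deprecates libxml_disable_entity_loader(), so only call it on older libxml, where it is the only XXE protection for the SourceForge feed parsed below.` It is also worth saying that the parse below relies on LIBXML_NONET as a second layer, so a reader does not assume the guard is the only defence. The `getlastversion` block continues outside the hunk.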
@@ -176,6 +176,12 @@ if (GETPOST('target') == 'remote') {
 if (!$xmlarray['curl_error_no'] && $xmlarray['http_code'] != '400' && $xmlarray['http_code'] != '404') {
 $xmlfile = $xmlarray['content'];
 //print "xmlfilestart".$xmlfile."xmlfileend";
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
+
 $xml = simplexml_load_string($xmlfile, 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
 } else {
 $errormsg = $langs->trans('XmlNotFound').': '.$xmlremote.' - '.$xmlarray['http_code'].(($xmlarray['http_code'] == 400 && $xmlarray['content']) ? ' '.$xmlarray['content'] : '').' '.$xmlarray['curl_error_no'].' '.$xmlarray['curl_error_msg'];
diff --git a/htdocs/admin/tools/update.php b/htdocs/admin/tools/update.php
index 2bed274fd72..d2b5ed921a8 100644
--- a/htdocs/admin/tools/update.php
+++ b/htdocs/admin/tools/update.php
@@ -63,6 +63,12 @@ if ($action == 'getlastversion') {
 $result = getURLContent('https://sourceforge.net/projects/dolibarr/rss');
 //var_dump($result['content']);
 if (function_exists('simplexml_load_string')) {
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
+
 $sfurl = simplexml_load_string($result['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
 } else {
 $sfurl = 'xml_not_available';
diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index 09837376096..5ec9c9a34aa 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
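Review bot: Nothing in the hunk checks the result of `simplexml_load_string` on the remote manifest: with a malformed or empty `$xmlfile` it returns `false`, and any `$xml->...` access after the hunk would then emit warnings and skip the integrity comparison silently instead of reporting it. Unless that is handled right after the hunk, I would follow the parse with `if ($xml === false) { $errormsg = $langs->trans('XmlNotFound').': '.$xmlremote; }` so a bad manifest surfaces the same way as the HTTP error branch does. The version guard itself is fine here because the call also passes LIBXML_NONET. The enclosing `if (GETPOST('target') == 'remote')` block starts and ends outside the hunk.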
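Review bot: This `getlastversion` block is now a line-for-line copy of the one in htdocs/admin/system/dolibarr.php earlier in this patch, including the pasted five-line libxml guard, and the same guard is pasted into five more files; a version test that lives in seven places is the kind of thing that drifts on the next change. I would move the guard into one small helper in functions.lib.php, say `dol_libxml_disable_entity_loader()`, with a one-line docblock giving the libxml < 2.9.0 / PHP 8 deprecation rationale, and call it from each site so the explanation has a single home. This is a style point; the guard as written is correct. The block continues outside the hunk.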
@@ -2052,6 +2052,12 @@ class Setup extends DolibarrApi
 throw new RestException(500, $langs->trans("ErrorURLMustEndWith", $xmlremote, '.xml'));
 }
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
+
 if ($target == 'local') {
 if (dol_is_file($xmlfile)) {
 $xml = simplexml_load_file($xmlfile);
diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php
index 69ee72acb2c..1a85d324b90 100644
--- a/htdocs/core/class/rssparser.class.php
+++ b/htdocs/core/class/rssparser.class.php
@@ -260,9 +260,13 @@ class RssParser
 if (getDolGlobalString('EXTERNALRSS_USE_SIMPLEXML')) {
 //print 'xx'.LIBXML_NOCDATA;
 libxml_use_internal_errors(false);
- libxml_disable_entity_loader(true); // Avoid load of external entities (security problem). Required only if LIBXML_VERSION < 20900
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
 
- $rss = simplexml_load_string($str, "SimpleXMLElement", LIBXML_NOCDATA|LIBXML_NOENT);
+ $rss = simplexml_load_string($str, "SimpleXMLElement", LIBXML_NOCDATA);
 } else {
 if (!function_exists('xml_parser_create')) {
 $this->error = 'Function xml_parser_create are not supported by your PHP';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index b0386e12ceb..b706c895368 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
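Review bot: The `local` branch calls `simplexml_load_file($xmlfile)` with no options, whereas every other parse site in this patch passes `LIBXML_NONET`; now that the guard is skipped on libxml >= 2.9.0, this call depends entirely on libxml's compiled-in default, so the intent should be explicit: `$xml = simplexml_load_file($xmlfile, 'SimpleXMLElement', LIBXML_NONET);` (add LIBXML_NOCDATA too only if the consumer wants CDATA folded into text like the other sites). The `remote` branch and the rest of this method are outside the hunk; if it parses with defaults as well it deserves the same flag.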
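Review bot: The substantive security change in this hunk is the removal of `LIBXML_NOENT` from the `simplexml_load_string` call, not the version guard: despite its name, LIBXML_NOENT switches entity substitution on, and with it an external feed can still pull in external entities on libxml >= 2.9.0, exactly where the guard no longer calls libxml_disable_entity_loader(). That deserves a sentence in the commit message and a comment on the new line, e.g. `// Never pass LIBXML_NOENT here: it enables entity substitution (XXE) for untrusted feed content.` The call also still lacks `LIBXML_NONET`, which every other parse site in this patch passes; `$rss = simplexml_load_string($str, "SimpleXMLElement", LIBXML_NOCDATA|LIBXML_NONET);` would bring it in line. The method continues outside the hunk.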
@@ -7613,7 +7613,11 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML') && $check != 'restricthtmlallowunvalid') {
 try {
 libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
- libxml_disable_entity_loader(true); // Avoid load of external entities (security problem). Required only if LIBXML_VERSION < 20900
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
 $dom = new DOMDocument();
 // Add a trick to solve pb with text without parent tag
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 9e247fc1947..05496f0cd57 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -422,6 +422,12 @@ if (getDolGlobalString('MAIN_EASTER_EGG_COMMITSTRIP')) {
 $resgetcommitstrip = getURLContent("https://www.commitstrip.com/en/feed/");
 }
 if ($resgetcommitstrip && $resgetcommitstrip['http_code'] == '200') {
+ if (LIBXML_VERSION < 20900) {
+ // Avoid load of external entities (security problem).
+ // Required only if LIBXML_VERSION < 20900
+ libxml_disable_entity_loader(true);
+ }
+
 $xml = simplexml_load_string($resgetcommitstrip['content'], 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
 $little = $xml->channel->item[0]->children('content', true);
 print preg_replace('/width="650" height="658"/', '', $little->encoded);
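Review bot: The guarded call changes libxml state that outlives this function: `libxml_disable_entity_loader()` is global, nothing in the `try` block shown restores it, and the comment does not say whether that is deliberate. Leaving the loader disabled is the safe direction, so I would keep the behaviour and state it: `// Global libxml state, deliberately not restored: a disabled loader is the safe default for any later parse in this request.` If the opposite is ever intended, the call returns the previous value, which should then be captured and restored after the DOM work rather than left to chance. dol_htmlwithnojs starts before the hunk and continues past it.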
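Review bot: The new guard does not cover the failure path two lines below it: when the CommitStrip response is not well-formed XML, `simplexml_load_string` returns `false`, and `$xml->channel->item[0]` then raises a PHP notice or warning (depending on version) on the login page. Guard it with `if ($xml !== false && isset($xml->channel->item[0]))` before reading `$little`. Separately, `$little->encoded` is third-party HTML printed into the login page unescaped; this is behind MAIN_EASTER_EGG_COMMITSTRIP, but it means the login page is only as trustworthy as that feed and its transport, which at minimum deserves a comment next to the `print`. The enclosing easter-egg block begins before the hunk.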