wubinworks / module-xml-security
A replacement of `\Magento\Framework\Xml\Security` for Magento 2 with enhanced security.
Type: magento2-module
Requires
- php: >=7.1
- laminas/laminas-xml: ^1.2
- magento/magento2-base: ~2.3.0 || ~2.4.0
This package is not auto-updated.
Last update: 2025-01-29 03:49:35 UTC
README
A replacement of `\Magento\Framework\Xml\Security` for Magento 2 with enhanced security.
Background
When the SAPI is `php-fpm`, `\Magento\Framework\Xml\Security` cannot detect entities if the XML string is not encoded in `UTF-8`.
This is a potential security issue and many developers forget to detect the XML encoding before using this class.
Note: the above class works correctly in CLI.
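The gap described above, as an added example that is not this module's or Magento's code: a byte-level search for `<!ENTITY`, assumed here as a stand-in for a heuristic scanner, misses an entity declaration in a UTF-16 document, while normalizing to UTF-8 first finds it. The names `naiveHasEntity`, `xmlToUtf8` and `hasEntity` are hypothetical, and the mbstring extension is assumed to be available.

```php
<?php
// Byte-level check, a stand-in for a heuristic scanner (assumption, not Magento code).
function naiveHasEntity(string $xml): bool
{
    return stripos($xml, '<!ENTITY') !== false;
}

// Hypothetical helper: the document as UTF-8, or null if that cannot be done.
function xmlToUtf8(string $xml): ?string
{
    $conv = static function (string $s, string $enc): ?string {
        $out = mb_convert_encoding($s, 'UTF-8', $enc);
        return is_string($out) ? $out : null;
    };
    // BOMs first, then a BOM-less "<" padded with NULs. UTF-32 precedes UTF-16
    // because FF FE 00 00 also begins with the UTF-16LE BOM.
    $signatures = [
        "\x00\x00\xFE\xFF" => ['UTF-32BE', 4], "\xFF\xFE\x00\x00" => ['UTF-32LE', 4],
        "\xFE\xFF" => ['UTF-16BE', 2], "\xFF\xFE" => ['UTF-16LE', 2],
        "\xEF\xBB\xBF" => ['UTF-8', 3],
        "\x00\x00\x00\x3C" => ['UTF-32BE', 0], "\x3C\x00\x00\x00" => ['UTF-32LE', 0],
        "\x00\x3C" => ['UTF-16BE', 0], "\x3C\x00" => ['UTF-16LE', 0],
    ];
    foreach ($signatures as $sig => [$enc, $skip]) {
        if (strncmp($xml, $sig, strlen($sig)) === 0) {
            return $conv(substr($xml, $skip), $enc);
        }
    }
    // ASCII-compatible start: honour the encoding named in the XML declaration.
    if (preg_match('/^<\?xml[^>]*\bencoding\s*=\s*["\']([\w.-]+)["\']/i', $xml, $m)) {
        $known = array_map('strtoupper', mb_list_encodings());
        // Names mbstring does not list are rejected (fail closed).
        return in_array(strtoupper($m[1]), $known, true) ? $conv($xml, $m[1]) : null;
    }
    return $xml; // no BOM and no declaration: XML defaults to UTF-8
}

// True when an entity declaration is found or the encoding cannot be resolved.
function hasEntity(string $xml): bool
{
    $utf8 = xmlToUtf8($xml);
    return $utf8 === null || naiveHasEntity($xml) || naiveHasEntity($utf8);
}

// Constructed sample: a harmless internal entity, stored as UTF-16LE with a BOM.
$doc = '<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>';
$utf16 = "\xFF\xFE" . mb_convert_encoding($doc, 'UTF-16LE', 'UTF-8');
var_dump(naiveHasEntity($utf16), hasEntity($utf16));
```

The raw bytes are checked as well as the normalized text, so a document whose declared encoding disagrees with its actual bytes is still caught.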
A note about CVE-2024-2961
An XML string with `encoding="ISO-2022-CN-EXT"` won't cause the buffer overflow, so we don't forbid this encoding.
Features
After installing this extension, `\Magento\Framework\Xml\Security` is `preference`d, and you don't need to worry about the XML encoding anymore.
```php
/** @var \Magento\Framework\Xml\Security $xmlSecurity */
$xmlSecurity->scan($xmlString);
```
That's it.
Requirements
Magento 2.3
Magento 2.4
Installation
```
composer require wubinworks/module-xml-security
```
This extension requires dependencies that are not included in the default Magento installation, so you need to use `composer`.
♥
If you like this extension or this extension helped you, please ★star☆ this repository.
You may also like:
Magento 2 patch for CVE-2024-34102 (aka Cosmic Sting)