Merge commit from fork

Author: Progi1984

docs/changes/0.3.1.md

@@ -0,0 +1,17 @@
+# 0.3.1
+
+## Enhancements
+
+- N/A
+
+## Bug fixes
+
+- N/A
+
+## Miscellaneous
+
+- N/A
+
+## Security fixes
+
+- Fixed XXE when processing an XML file in the MathML format by [@012git012](https://github/012git012) & [@Progi1984](https://github/Progi1984) in [GHSA-42hm-pq2f-3r7m](https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m)

src/Math/Exception/SecurityException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace PhpOffice\Math\Exception;
+
+class SecurityException extends MathException
+{
+}

src/Math/Reader/MathML.php

@@ -10,6 +10,7 @@
 use PhpOffice\Math\Exception\InvalidInputException;
 use PhpOffice\Math\Exception\NotImplementedException;
 use PhpOffice\Math\Math;
+use PhpOffice\Math\Reader\Security\XmlScanner;
 
 class MathML implements ReaderInterface
 {
@@ -22,8 +23,17 @@ class MathML implements ReaderInterface
     /** @var DOMXPath */
     private $xpath;
 
+    /** @var XmlScanner */
+    private $xmlScanner;
+
+    public function __construct()
+    {
+        $this->xmlScanner = XmlScanner::getInstance();
+    }
+
     public function read(string $content): ?Math
     {
+        $content = $this->xmlScanner->scan($content);
         $content = str_replace(
             [
                 '⁢',
@@ -35,7 +45,7 @@ public function read(string $content): ?Math
         );
 
         $this->dom = new DOMDocument();
-        $this->dom->loadXML($content, LIBXML_DTDLOAD);
+        $this->dom->loadXML($content);
 
         $this->math = new Math();
         $this->parseNode(null, $this->math);

src/Math/Reader/Security/XmlScanner.php

@@ -0,0 +1,77 @@
+<?php
+
+namespace PhpOffice\Math\Reader\Security;
+
+use PhpOffice\Math\Exception\SecurityException;
+
+class XmlScanner
+{
+    public static function getInstance(): self
+    {
+        return new self();
+    }
+
+    /**
+     * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
+     */
+    public function scan(string $xml): string
+    {
+        // Don't rely purely on libxml_disable_entity_loader()
+        $searchDoctype = static::mb_str_split('<!DOCTYPE', 1, 'UTF-8');
+        $patternDoctype = '/\0*' . implode('\0*', is_array($searchDoctype) ? $searchDoctype : []) . '\0*/';
+        $searchDoctypeMath = static::mb_str_split('<!DOCTYPE math', 1, 'UTF-8');
+        $patternDoctypeMath = '/\0*' . implode('\0*', is_array($searchDoctypeMath) ? $searchDoctypeMath : []) . '\0*/';
+
+        if (preg_match($patternDoctype, $xml) && !preg_match($patternDoctypeMath, $xml)) {
+            throw new SecurityException('Detected use of ENTITY in XML, loading aborted to prevent XXE/XEE attacks');
+        }
+
+        return $xml;
+    }
+
+    /**
+     * @param string $string
+     * @param int<1, max> $split_length
+     * @param string|null $encoding
+     *
+     * @return array<string>|bool|null
+     */
+    public static function mb_str_split(string $string, int $split_length = 1, ?string $encoding = null)
+    {
+        if (extension_loaded('mbstring')) {
+            if (function_exists('mb_str_split')) {
+                return mb_str_split($string, $split_length, $encoding);
+            }
+        }
+        // @phpstan-ignore-next-line
+        if (null !== $string && !\is_scalar($string) && !(\is_object($string) && method_exists($string, '__toString'))) {
+            trigger_error('mb_str_split() expects parameter 1 to be string, ' . \gettype($string) . ' given', \E_USER_WARNING);
+
+            return null;
+        }
+
+        // @phpstan-ignore-next-line
+        if (1 > $split_length = (int) $split_length) {
+            trigger_error('The length of each segment must be greater than zero', \E_USER_WARNING);
+
+            return false;
+        }
+
+        if (null === $encoding) {
+            $encoding = mb_internal_encoding();
+        }
+
+        if ('UTF-8' === $encoding || \in_array(strtoupper($encoding), ['UTF-8', 'UTF8'], true)) {
+            return preg_split("/(.{{$split_length}})/u", $string, -1, \PREG_SPLIT_DELIM_CAPTURE | \PREG_SPLIT_NO_EMPTY);
+        }
+
+        $result = [];
+        $length = mb_strlen($string, $encoding);
+
+        for ($i = 0; $i < $length; $i += $split_length) {
+            $result[] = mb_substr($string, $i, $split_length, $encoding);
+        }
+
+        return $result;
+    }
+}

tests/Math/Reader/MathMLTest.php

@@ -7,6 +7,7 @@
 use PhpOffice\Math\Element;
 use PhpOffice\Math\Exception\InvalidInputException;
 use PhpOffice\Math\Exception\NotImplementedException;
+use PhpOffice\Math\Exception\SecurityException;
 use PhpOffice\Math\Math;
 use PhpOffice\Math\Reader\MathML;
 use PHPUnit\Framework\TestCase;
@@ -294,4 +295,15 @@ public function testReadNotImplemented(): void
         $reader = new MathML();
         $math = $reader->read($content);
     }
+
+    public function testReadSecurity(): void
+    {
+        $this->expectException(SecurityException::class);
+        $this->expectExceptionMessage('Detected use of ENTITY in XML, loading aborted to prevent XXE/XEE attacks');
+
+        $content = '<?xml version="1.0" encoding="UTF-8"?>     <!DOCTYPE x SYSTEM "php://filter/convert.base64-decode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUnBFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7TAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5gDT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkhy1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAYud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2bNvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7RgQdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijowqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcUXv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSnyrHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=" []><foo></foo>M';
+
+        $reader = new MathML();
+        $math = $reader->read($content);
+    }
 }