Enhanced XML Security for Magento 2
wubinworks/module-xml-security
Replaces Magento's Xml\Security class with a hardened version that correctly detects XML entities even when the input is not UTF-8 encoded under php-fpm, closing a potential XXE gap.
Tested on Magento 2.4.9
Recent Test History
Each release is tested against the latest Magento version at that time.
README
Enhanced XML Security for Magento 2
A replacement of \Magento\Framework\Xml\Security for Magento 2 with enhanced security.
Background
When the SAPI is php-fpm, \Magento\Framework\Xml\Security cannot detect entity declarations if the XML string is not encoded in UTF-8.
This is a potential security issue, and many developers forget to check the XML encoding before using this class.
Note: the above class works correctly under the CLI SAPI.
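To show the gap concretely, here is an added example (not the module's code): a byte-level search for the entity keyword, like the php-fpm heuristic, beside a hypothetical encoding-aware check that normalises the input to UTF-8 first. The helper names and the sample document are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. naiveHasEntity() mirrors the
// byte-level heuristic that misses non-UTF-8 input under php-fpm;
// hasEntityDeclaration() is a hypothetical encoding-aware replacement.

/** Byte-level check: only matches the ASCII/UTF-8 spelling of the keyword. */
function naiveHasEntity(string $xml): bool
{
    return strpos($xml, '<!ENTITY') !== false;
}

/** Detect the encoding from a BOM, a BOM-less UTF-16 prefix, or the XML declaration. */
function detectXmlEncoding(string $xml): string
{
    $prefixes = [
        "\xEF\xBB\xBF"     => 'UTF-8',
        "\xFF\xFE\x00\x00" => 'UTF-32LE', // must precede the UTF-16LE BOM
        "\x00\x00\xFE\xFF" => 'UTF-32BE',
        "\xFF\xFE"         => 'UTF-16LE',
        "\xFE\xFF"         => 'UTF-16BE',
        "<\x00"            => 'UTF-16LE', // BOM-less UTF-16 starting with '<'
        "\x00<"            => 'UTF-16BE',
    ];
    foreach ($prefixes as $prefix => $enc) {
        if (strncmp($xml, $prefix, strlen($prefix)) === 0) {
            return $enc;
        }
    }
    // Single-byte input: honour encoding="..." in the declaration, default UTF-8.
    if (preg_match('/^<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']/', $xml, $m)) {
        return strtoupper($m[1]);
    }
    return 'UTF-8';
}

/** Normalise to UTF-8, then search; fail closed on encodings mbstring cannot decode. */
function hasEntityDeclaration(string $xml): bool
{
    $enc = detectXmlEncoding($xml);
    if ($enc !== 'UTF-8') {
        $known = array_map('strtolower', mb_list_encodings());
        if (!in_array(strtolower($enc), $known, true)) {
            return true; // unknown encoding: treat as unsafe
        }
        $xml = mb_convert_encoding($xml, 'UTF-8', $enc);
        if (!is_string($xml)) {
            return true; // conversion failed: treat as unsafe
        }
    }
    return strpos($xml, '<!ENTITY') !== false;
}

// Constructed sample: a harmless internal entity declaration, re-encoded as UTF-16LE.
$sample = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x "v">]><r>&x;</r>';
$utf16  = mb_convert_encoding($sample, 'UTF-16LE', 'UTF-8');
printf("naive check:          %s\n", var_export(naiveHasEntity($utf16), true));
printf("encoding-aware check: %s\n", var_export(hasEntityDeclaration($utf16), true));
```

The first check reports no entity for the UTF-16 input because the keyword's bytes are interleaved with NULs, while the second finds it after normalisation.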
A note about CVE-2024-2961
An XML string with encoding="ISO-2022-CN-EXT" won't trigger the buffer overflow, so we don't forbid this encoding.
Features
After installing this extension, \Magento\Framework\Xml\Security is overridden by a DI preference, and you no longer need to worry about the XML encoding.
/** @var \Magento\Framework\Xml\Security $xmlSecurity */
$isSafe = $xmlSecurity->scan($xmlString); // false when an entity declaration is found, regardless of encoding
That's it.
Requirements
Magento 2.3
Magento 2.4
Installation
composer require wubinworks/module-xml-security
This extension requires dependencies that are not included in a default Magento installation, so install it with Composer.
♥
If you like this extension or this extension helped you, please ★star☆ this repository.
You may also like:
Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)