Headline
CVE-2023-45152: Schedule import: Show error message on schedule parsing errors · engelsystem/engelsystem@ee7d30b
Engelsystem is a shift planning system for chaos events. A Blind SSRF in the “Import schedule” functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Search code, repositories, users, issues, pull requests…
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Notifications
Fork 227
Code
Issues 169
Pull requests 14
Actions
Projects 3
Security
Insights
Commit
Permalink
Browse files
Browse the repository at this point in the history
Schedule import: Show error message on schedule parsing errors
- Loading branch information
Showing 3 changed files with 14 additions and 4 deletions.
- XmlParser.php
- schedule-invalid.html
- XmlParserTest.php
3 changes: 1 addition & 2 deletions src/Helpers/Schedule/XmlParser.php
Expand Up
@@ -15,8 +15,7 @@ class XmlParser
public function load(string $xml): bool
{
$scheduleXML = simplexml_load_string($xml);
$scheduleXML = simplexml_load_string($xml, 'SimpleXMLElement’, LIBXML_NOWARNING | LIBXML_NOERROR);
if (!$scheduleXML) {
return false;
}
Expand Down
10 changes: 10 additions & 0 deletions tests/Unit/Helpers/Schedule/Assets/schedule-invalid.html
@@ -0,0 +1,10 @@
<!DOCTYPE html>
<html lang="">
<head>
<title>I’m HTML!</title>
</head>
<body>
This is not a schedule<br>
and thus must be ignored.
</body>
</html>
5 changes: 3 additions & 2 deletions tests/Unit/Helpers/Schedule/XmlParserTest.php
Expand Up
@@ -23,12 +23,13 @@ class XmlParserTest extends TestCase
*/
public function testLoad(): void
{
libxml_use_internal_errors(true);
$parser = new XmlParser();
// Invalid XML
$this->assertFalse($parser->load(‘foo’));
// Invalid schedule
$this->assertFalse($parser->load(file_get_contents(__DIR__ . ‘/Assets/schedule-invalid.html’)));
// Minimal import
$this->assertTrue($parser->load(file_get_contents(__DIR__ . ‘/Assets/schedule-minimal.xml’)));
// Basic import
Expand Down
0 comments on commit ee7d30b
Please sign in to comment.