CSteipp has submitted this change and it was merged.
Change subject: Prevent xxe when loading feed XML
......................................................................
Prevent xxe when loading feed XML
Turn off external entity loading while parsing feed xml.
bug: 46932
Change-Id: I41006fc10f2da1357d57c1566518c86351f522f1
---
M RSSParser.php
1 file changed, 3 insertions(+), 0 deletions(-)
Approvals:
CSteipp: Verified; Looks good to me, approved
jenkins-bot: Verified
diff --git a/RSSParser.php b/RSSParser.php
index 4144eae..edbfe1a 100644
--- a/RSSParser.php
+++ b/RSSParser.php
@@ -508,7 +508,10 @@
}
wfSuppressWarnings();
+ // Prevent loading external entities when parsing the
XML (bug 46932)
+ $oldDisable = libxml_disable_entity_loader( true );
$this->xml->loadXML( $raw_xml );
+ libxml_disable_entity_loader( $oldDisable );
wfRestoreWarnings();
$this->rss = new RSSData( $this->xml );
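Review bot: The result of `$this->xml->loadXML( $raw_xml )` is still discarded while warnings are suppressed, so a feed that libxml now refuses because it references an external entity may reach `new RSSData( $this->xml )` as a failed or partial document with nothing logged. Checking the return value would make that case explicit, e.g. `$loaded = $this->xml->loadXML( $raw_xml );` followed by an early failure path when `$loaded` is false; the enclosing method starts and ends outside the hunk, so the right failure path is not visible here. The added comment could also record why the old value is restored: `// libxml_disable_entity_loader() is not scoped to this DOMDocument; restore the previous value for other XML consumers`. Note that this function is deprecated as of PHP 8.0, where libxml 2.9+ no longer loads external entities by default, so the call will need a version guard on newer runtimes.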
--
To view, visit https://gerrit.wikimedia.org/r/59192
Gerrit-MessageType: merged
Gerrit-Change-Id: I41006fc10f2da1357d57c1566518c86351f522f1
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/RSS
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: jenkins-bot