jenkins-bot has submitted this change and it was merged.

Change subject: Disable external entities in Import
......................................................................


Disable external entities in Import

Temporarily disable loading entities in XMLReader when calling read()
during import.

(cherry picked from commit 77a8d576918b6a47b80a67a3653662a2d705d6c3)

Conflicts:
        includes/Import.php

bug: 47251
Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
---
M includes/Import.php
1 file changed, 7 insertions(+), 0 deletions(-)

Approvals:
  MarkAHershberger: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Import.php b/includes/Import.php
index fee636f..bb5d634 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -441,9 +441,15 @@
         * @return bool
         */
        public function doImport() {
+
+               // Calls to reader->read need to be wrapped in calls to
+               // libxml_disable_entity_loader() to avoid local file
+               // inclusion attacks (bug 46932).
+               $oldDisable = libxml_disable_entity_loader( true );
                $this->reader->read();
 
                if ( $this->reader->name != 'mediawiki' ) {
+                       libxml_disable_entity_loader( $oldDisable );
                        throw new MWException( "Expected <mediawiki> tag, got ".
                                $this->reader->name );
                }
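Review bot: The restore at `libxml_disable_entity_loader( $oldDisable );` only covers the one `throw` shown here; if `$this->reader->read()` itself throws (malformed input, reader not initialised) or anything between this point and the final restore in the second hunk raises, the loader stays disabled for the rest of the request, since `libxml_disable_entity_loader()` is process-global state rather than per-reader. Since this is REL1_21 (PHP 5.3, no `finally`), wrap the body in `try { ... } catch ( Exception $e ) { libxml_disable_entity_loader( $oldDisable ); throw $e; }` and do the single restore there instead of at each exit. Two smaller points: the comment cites bug 46932 while the change is filed against bug 47251, so one of the two references should be corrected, and the blank line added directly after the `doImport() {` brace is against the file's existing style.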
@@ -482,6 +488,7 @@
                        }
                }
 
+               libxml_disable_entity_loader( $oldDisable );
                return true;
        }
 
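Review bot: This restore only runs on the `return true` path; the region elided between the two hunks (lines 448 to 487 of the file) is not visible here, so any `return` or exception inside the import loop would skip it and leave entity loading disabled for subsequent requests on the same worker. Rather than adding a restore before every exit, move the single `libxml_disable_entity_loader( $oldDisable );` into a catch-and-rethrow around the whole body (PHP 5.3 has no `finally`) so the cleanup is tied to leaving the function, not to which branch left it. It would also help to note in the `doImport()` docblock that the method temporarily changes global libxml state, since callers that themselves depend on entity loading could otherwise be surprised.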

-- 
To view, visit https://gerrit.wikimedia.org/r/59377
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_21
Gerrit-Owner: PleaseStand <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: MarkAHershberger <[email protected]>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
