From: csteipp
Date: Mon, 15 Apr 2013 20:47:10 +0000 (-0700)
Subject: Disable external entities in Import
X-Git-Tag: 1.31.0-rc.0~19995^2
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%20%22id_auteur=%24id%22%29%20.%20%22?a=commitdiff_plain;h=77a8d576918b6a47b80a67a3653662a2d705d6c3;p=lhc%2Fweb%2Fwiklou.git
Disable external entities in Import
Temporarily disable loading entities in XMLReader when calling read() during import.
bug: 47251
Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
---
diff --git a/includes/Import.php b/includes/Import.php
index 03a1cfe184..0e12e6d1b2 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -441,9 +441,15 @@ class WikiImporter {
 * @return bool
 */
 public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->read();
 if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
 throw new MWException( "Expected tag, got " . $this->reader->name );
 }
@@ -482,6 +488,7 @@ class WikiImporter {
 }
 }
+ libxml_disable_entity_loader( $oldDisable );
 return true;
 }
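Review bot: The restore of the entity-loader setting in doImport() is not exception-safe: `libxml_disable_entity_loader( $oldDisable )` is reached only on the explicit `throw new MWException` path in the first hunk and just before `return true` in the second. The body between the two hunks is not visible here, but if anything in it throws, the setting stays at `true` after doImport() exits; that keeps external entities off, yet it may break unrelated XML loading later in the same request. Wrapping the body in a try/catch that restores and rethrows covers every exit, and the restore added before the MWException throw can then be dropped. The new comment cites bug 46932 while the commit message cites bug 47251, so presumably one of the two references should be corrected.

```php
$oldDisable = libxml_disable_entity_loader( true );
try {
	// … unchanged: first read(), root-tag check (without its own restore) and the element loop …
} catch ( Exception $ex ) {
	// Put the previous setting back on any failure, then let the caller see the error.
	libxml_disable_entity_loader( $oldDisable );
	throw $ex;
}
// … unchanged: final restore and return true …
```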