Merge "SECURITY: Don't allow directly calling Xml::isWellFormed"
authorjenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Wed, 1 Apr 2015 17:40:13 +0000 (17:40 +0000)
committerGerrit Code Review <gerrit@wikimedia.org>
Wed, 1 Apr 2015 17:40:13 +0000 (17:40 +0000)
includes/Xml.php

index 78b8715..f0bd70b 100644 (file)
@@ -703,13 +703,15 @@ class Xml {
        /**
         * Check if a string is well-formed XML.
         * Must include the surrounding tag.
+        * This function is a DoS vector if an attacker can define
+        * entities in $text.
         *
         * @param string $text String to test.
         * @return bool
         *
         * @todo Error position reporting return
         */
-       public static function isWellFormed( $text ) {
+       private static function isWellFormed( $text ) {
                $parser = xml_parser_create( "UTF-8" );
 
                # case folding violates XML standard, turn it off
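Review bot: Making isWellFormed private only narrows who can reach the DoS vector the new docblock at lines 13-14 describes; the body that begins at line 23 still parses `$text` with entity handling unchanged, so any in-class caller that forwards user-controlled markup is as exposed as before. The docblock should state a contract rather than an observation, e.g. `* Callers MUST NOT pass untrusted input: entity declarations in $text (<!DOCTYPE ... <!ENTITY ...>) are expanded by the parser and can exhaust CPU and memory.` If no remaining private caller legitimately passes a DOCTYPE, a cheap pre-check such as `if ( preg_match( '/<!(?:DOCTYPE|ENTITY)/i', $text ) ) { return false; }` before xml_parser_create() would make the vector unreachable regardless of caller, but whether such callers exist is not visible in this hunk. isWellFormed's body continues past the end of the hunk.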