From: csteipp Date: Fri, 13 Mar 2015 23:52:18 +0000 (-0700) Subject: SECURITY: Don't allow directly calling Xml::isWellFormed X-Git-Tag: 1.31.0-rc.0~11896^2 X-Git-Url: http://git.cyclocoop.org//%22%22._DIR_PLUGIN_FULLCALENDAR.%22prive/themes/spip/images/event_edit.png/%22?a=commitdiff_plain;h=00bd303b6048213bb75ee0d0307256a678a91cc9;p=lhc%2Fweb%2Fwiklou.git SECURITY: Don't allow directly calling Xml::isWellFormed Changing Xml::isWellFormed to private. In WMF hosted repos, there are no callers to isWellFormed directly. Bug: T85848 Change-Id: I104427989b89c386de571b8e60642095331a1132 --- diff --git a/includes/Xml.php b/includes/Xml.php index 78b8715921..f0bd70b23b 100644 --- a/includes/Xml.php +++ b/includes/Xml.php @@ -703,13 +703,15 @@ class Xml { /** * Check if a string is well-formed XML. * Must include the surrounding tag. + * This function is a DoS vector if an attacker can define + * entities in $text. * * @param string $text String to test. * @return bool * * @todo Error position reporting return */ - public static function isWellFormed( $text ) { + private static function isWellFormed( $text ) { $parser = xml_parser_create( "UTF-8" ); # case folding violates XML standard, turn it off
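Review bot: On the signature line, changing `public static function isWellFormed( $text )` to `private` removes a public static method with no deprecation path, and the commit message only confirms that there are no direct callers in WMF hosted repos. Code outside those repos that calls Xml::isWellFormed will hit a fatal error after this change, so the release notes should list it as a breaking change and say what callers should use instead. The added docblock sentence ("This function is a DoS vector if an attacker can define entities in $text.") names the risk but not the precondition that any remaining callers inside the class must meet. Consider wording it as a requirement on $text, for example that it must not carry attacker-controlled entity definitions, because the visibility change alone does not alter how the parser created by `xml_parser_create( "UTF-8" )` handles entities.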