Temporarily disable loading entities in XMLReader when calling read()
during import.
bug: 47251
Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
* @return bool
*/
public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
$this->reader->read();
if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
throw new MWException( "Expected <mediawiki> tag, got " .
$this->reader->name );
}
}
}
+ libxml_disable_entity_loader( $oldDisable );
return true;
}
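Review bot: The saved `$oldDisable` value is restored only on the explicit `<mediawiki>` tag failure and on the normal return, so any other exception raised between `libxml_disable_entity_loader( true )` and the final restore leaves the process-wide libxml setting changed for the rest of the request. That leftover state is the safe one for external-entity handling, but it is global, and later code that loads XML by path or URI could start failing in a way that is hard to trace back to this method. Wrapping the body as `try { … } finally { libxml_disable_entity_loader( $oldDisable ); }` (or catch-and-rethrow where `finally` is not available) gives a single restore point and makes the duplicate call before the `throw` unnecessary. The loop between the tag check and the final restore is not visible in this view, so whether it can throw is inferred rather than confirmed.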