From 77a8d576918b6a47b80a67a3653662a2d705d6c3 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Mon, 15 Apr 2013 13:47:10 -0700
Subject: [PATCH] Disable external entities in Import
Temporarily disable loading entities in XMLReader when calling read() during import.
bug: 47251
Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
---
 includes/Import.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/includes/Import.php b/includes/Import.php
index 03a1cfe184..0e12e6d1b2 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -441,9 +441,15 @@ class WikiImporter {
 * @return bool
 */
 public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->read();
 if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
 throw new MWException( "Expected tag, got " . $this->reader->name );
 }
@@ -482,6 +488,7 @@ class WikiImporter {
 }
 }
+ libxml_disable_entity_loader( $oldDisable );
 return true;
 }
-- 
2.20.1
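Review bot: The restore of the entity-loader flag is not exception-safe: `$oldDisable` is put back only before the visible `throw` in the first hunk and before `return true` in the second, so any other exception raised in the part of `doImport()` between the two hunks (not visible here) would leave `libxml_disable_entity_loader( true )` in force for the rest of the request. That leftover state still blocks external-entity loading, but the flag is process-wide and may break later file-based XML loads in the same request. I would wrap the body as `try { … } finally { libxml_disable_entity_loader( $oldDisable ); }`, or use catch-and-rethrow if the supported PHP version has no `finally`. Separately, the inline comment cites bug 46932 while the commit message says bug 47251; the comment should name whichever is correct, or explain both.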