SECURITY: Don't allow directly calling Xml::isWellFormed
author    csteipp <csteipp@wikimedia.org>
          Fri, 13 Mar 2015 23:52:18 +0000 (16:52 -0700)
committer csteipp <csteipp@wikimedia.org>
          Wed, 1 Apr 2015 16:56:29 +0000 (09:56 -0700)
Changing Xml::isWellFormed to private. In WMF hosted repos, there are
no callers to isWellFormed directly.

Bug: T85848
Change-Id: I104427989b89c386de571b8e60642095331a1132

includes/Xml.php

index 78b8715..f0bd70b 100644
@@ -703,13 +703,15 @@ class Xml {
        /**
         * Check if a string is well-formed XML.
         * Must include the surrounding tag.
+        * This function is a DoS vector if an attacker can define
+        * entities in $text.
         *
         * @param string $text String to test.
         * @return bool
         *
         * @todo Error position reporting return
         */
-       public static function isWellFormed( $text ) {
+       private static function isWellFormed( $text ) {
                $parser = xml_parser_create( "UTF-8" );
 
                # case folding violates XML standard, turn it off
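Review bot: The added docblock lines warn that isWellFormed is a DoS vector when an attacker can define entities in $text, but the only code change in this hunk is `public static` becoming `private static`; nothing visible here rejects DOCTYPE or entity declarations, so the protection now rests entirely on the remaining internal callers of this method and on the parser options set further down. The docblock should state that precondition explicitly (that callers must pass input which cannot carry entity declarations, or that the parser below is configured not to expand them), so a future maintainer who adds a caller inside the class knows what guarantee they have to preserve. Minor style point: the new sentence sits between "Must include the surrounding tag." and the blank `*` line, so it reads as part of the usage description rather than as a warning; a leading "@warning" tag or a separate paragraph would make it stand out.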