Disable external entities in Import
authorcsteipp <csteipp@wikimedia.org>
Mon, 15 Apr 2013 20:47:10 +0000 (13:47 -0700)
committercsteipp <csteipp@wikimedia.org>
Mon, 15 Apr 2013 20:52:49 +0000 (13:52 -0700)
Temporarily disable loading entities in XMLReader when calling read()
during import.

bug: 47251

Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964

includes/Import.php

index 03a1cfe..0e12e6d 100644 (file)
@@ -441,9 +441,15 @@ class WikiImporter {
         * @return bool
         */
        public function doImport() {
+
+               // Calls to reader->read need to be wrapped in calls to
+               // libxml_disable_entity_loader() to avoid local file
+               // inclusion attacks (bug 46932).
+               $oldDisable = libxml_disable_entity_loader( true );
                $this->reader->read();
 
                if ( $this->reader->name != 'mediawiki' ) {
+                       libxml_disable_entity_loader( $oldDisable );
                        throw new MWException( "Expected <mediawiki> tag, got " .
                                $this->reader->name );
                }
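Review bot: The restore of the entity-loader setting is not exception-safe: only the `<mediawiki>` tag check in this hunk and the final `return true` in the second hunk (`@@ -482,6 +488,7 @@`) call `libxml_disable_entity_loader( $oldDisable )`. If anything in the part of doImport() between the two hunks (not visible here) throws, the loader would stay disabled for the rest of the request. That fails closed for external-entity loading, but the setting is global to the process, so later code that loads XML from files may fail in ways that are hard to trace back to the import. Wrapping the body in try/catch and restoring before the rethrow, as sketched below, covers every exit path; `finally` is shorter where the supported PHP version allows it. Separately, the new comment cites bug 46932 while the commit message says bug 47251, so one of the two references probably needs correcting.

```php
$oldDisable = libxml_disable_entity_loader( true );
try {
	// … unchanged: first read(), <mediawiki> tag check (its own restore call is no longer needed), main read loop …
} catch ( Exception $e ) {
	// Put the caller's setting back on every failure path before propagating.
	libxml_disable_entity_loader( $oldDisable );
	throw $e;
}
libxml_disable_entity_loader( $oldDisable );
return true;
```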
@@ -482,6 +488,7 @@ class WikiImporter {
                        }
                }
 
+               libxml_disable_entity_loader( $oldDisable );
                return true;
        }