diff options
| author | Pierre Schmitz <pierre@archlinux.de> | 2013-04-16 05:29:15 +0200 |
|---|---|---|
| committer | Pierre Schmitz <pierre@archlinux.de> | 2013-04-16 05:29:15 +0200 |
| commit | d43bf442ab472de9ad9db6b62e9f7b02e580f466 (patch) | |
| tree | ff4eeb631d4b5cce4789df92c905cc42b106a63d /includes/Import.php | |
| parent | 0edd6983ba69e8195fa7cade96eca27df9ebf237 (diff) | |
Update to MediaWiki 1.20.4
Diffstat (limited to 'includes/Import.php')
| -rw-r--r-- | includes/Import.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/includes/Import.php b/includes/Import.php index 11f37952..c32c6793 100644 --- a/includes/Import.php +++ b/includes/Import.php @@ -432,9 +432,15 @@ class WikiImporter { * @return bool */ public function doImport() { + + // Calls to reader->read need to be wrapped in calls to + // libxml_disable_entity_loader() to avoid local file + // inclusion attacks (bug 46932). + $oldDisable = libxml_disable_entity_loader( true ); $this->reader->read(); if ( $this->reader->name != 'mediawiki' ) { + libxml_disable_entity_loader( $oldDisable ); throw new MWException( "Expected <mediawiki> tag, got ". $this->reader->name ); } @@ -473,6 +479,7 @@ class WikiImporter { } } + libxml_disable_entity_loader( $oldDisable ); return true; } |