Diffstat (limited to 'includes')
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/Import.php | 7 | ||||
-rw-r--r-- | includes/media/SVGMetadataExtractor.php | 11 | ||||
-rw-r--r-- | includes/parser/Parser.php | 5 |
4 files changed, 22 insertions, 3 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 426c11ad..ed566b3b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -59,7 +59,7 @@ if( !defined( 'MEDIAWIKI' ) ) {
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.20.3';
+$wgVersion = '1.20.4';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/Import.php b/includes/Import.php
index 11f37952..c32c6793 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -432,9 +432,15 @@ class WikiImporter {
 * @return bool
 */
 public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->read();
 if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
 throw new MWException( "Expected <mediawiki> tag, got ".
 $this->reader->name );
 }
@@ -473,6 +479,7 @@ class WikiImporter {
 }
 }
+ libxml_disable_entity_loader( $oldDisable );
 return true;
 }
diff --git a/includes/media/SVGMetadataExtractor.php b/includes/media/SVGMetadataExtractor.php
index 851fe428..e0740385 100644
--- a/includes/media/SVGMetadataExtractor.php
+++ b/includes/media/SVGMetadataExtractor.php
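Review bot: The entity-loader state captured at the top of doImport() is restored only on the `<mediawiki>` check's throw path and at the normal `return true` in the second hunk; any exception raised by `$this->reader->read()` or by the import loop that runs between the two hunks (outside this view) leaves `libxml_disable_entity_loader( true )` in effect for the rest of the process. That is fail-closed, so it is not a security regression, but it silently changes behaviour for later XML parsing in the same request and is inconsistent with the explicit restore placed before the MWException. If the code base can rely on `finally` (PHP 5.5+), try/finally is the simplest fix; otherwise the catch-restore-rethrow below keeps the restore on every exit and makes the restore before the MWException redundant. The docblock could also state that external entity loading is disabled for the whole import, including any handlers the loop invokes.
```php
	public function doImport() {
		// External entity loading is disabled for the whole import (bug 46932);
		// the previous setting is restored on every exit path.
		$oldDisable = libxml_disable_entity_loader( true );
		try {
			$this->reader->read();
			// … unchanged: <mediawiki> tag check (throws MWException) and import loop …
		} catch ( Exception $e ) {
			libxml_disable_entity_loader( $oldDisable );
			throw $e;
		}
		libxml_disable_entity_loader( $oldDisable );
		return true;
	}
```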
@@ -77,7 +77,12 @@ class SVGReader {
 // Expand entities, since Adobe Illustrator uses them for xmlns
 // attributes (bug 31719). Note that libxml2 has some protection
 // against large recursive entity expansions so this is not as
- // insecure as it might appear to be.
+ // insecure as it might appear to be. However, it is still extremely
+ // insecure. It's necessary to wrap any read() calls with
+ // libxml_disable_entity_loader() to avoid arbitrary local file
+ // inclusion, or even arbitrary code execution if the expect
+ // extension is installed (bug 46859).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );
 $this->metadata['width'] = self::DEFAULT_WIDTH;
@@ -99,9 +104,11 @@ class SVGReader {
 // Note, if this happens, the width/height will be taken to be 0x0.
 // Should we consider it the default 512x512 instead?
 wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
 throw $e;
 }
 wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
 }
 /**
@@ -115,7 +122,7 @@ class SVGReader {
 * Read the SVG
 * @return bool
 */
- public function read() {
+ protected function read() {
 $keepReading = $this->reader->read();
 /* Skip until first element */
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 2a24bee7..10765de2 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -490,6 +490,11 @@ class Parser {
 "Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n".
 $PFreport;
 wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+ // Sanitize for comment. Note '‐' in the replacement is U+2010,
+ // which looks much like the problematic '-'.
+ $limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport );
+
 $text .= "\n<!-- \n$limitReport-->\n";
 }
 $this->mOutput->setText( $text );
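Review bot: Making read() protected in the third hunk enforces that it is reached only through the enclosing method's `libxml_disable_entity_loader( true )` wrapper (the constructor, judging by the metadata defaults set in the first hunk), but a subclass can still call it directly and nothing in read()'s docblock says why that is unsafe; add `@note Only call while libxml_disable_entity_loader( true ) is in effect: the reader substitutes entities (SUBST_ENTITIES), so external entities would otherwise be fetched.` under `Read the SVG`. The visibility change is also a compatibility break for any caller that invoked read() on an SVGReader directly, which the comment in the first hunk could state explicitly rather than leaving readers to infer it from "wrap any read() calls". Both read() and the wrapping method continue outside the hunks.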
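Review bot: The second element of the replacement array in `str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport )` reads as replacing `'&'` with `'&'`, a no-op; presumably the committed source has `'&amp;'` and the page rendering decoded the entity, but it is worth confirming against the file, since the two mappings protect against different things. The comment should also say what '-' is problematic for: `// '-->' inside $limitReport would end the HTML comment early, and ParserLimitReport hooks can rewrite the text, so map '-' to the look-alike U+2010.` The enclosing function continues outside the hunk.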