diff options
Diffstat (limited to 'includes/Import.php')
| -rw-r--r-- | includes/Import.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/includes/Import.php b/includes/Import.php index 11f37952..c32c6793 100644 --- a/includes/Import.php +++ b/includes/Import.php @@ -432,9 +432,15 @@ class WikiImporter { * @return bool */ public function doImport() { + + // Calls to reader->read need to be wrapped in calls to + // libxml_disable_entity_loader() to avoid local file + // inclusion attacks (bug 46932). + $oldDisable = libxml_disable_entity_loader( true ); $this->reader->read(); if ( $this->reader->name != 'mediawiki' ) { + libxml_disable_entity_loader( $oldDisable ); throw new MWException( "Expected <mediawiki> tag, got ". $this->reader->name ); } @@ -473,6 +479,7 @@ class WikiImporter { } } + libxml_disable_entity_loader( $oldDisable ); return true; } |