From d43bf442ab472de9ad9db6b62e9f7b02e580f466 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Tue, 16 Apr 2013 05:29:15 +0200
Subject: Update to MediaWiki 1.20.4
---
 includes/Import.php | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'includes/Import.php')
diff --git a/includes/Import.php b/includes/Import.php
index 11f37952..c32c6793 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -432,9 +432,15 @@ class WikiImporter {
 * @return bool
 */
 public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->read();
 if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
 throw new MWException( "Expected tag, got ". $this->reader->name );
 }
@@ -473,6 +479,7 @@ class WikiImporter {
 }
 }
+ libxml_disable_entity_loader( $oldDisable );
 return true;
 }
--
cgit v1.2.2
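Review bot: The restore of the previous entity-loader setting is not exception-safe: `libxml_disable_entity_loader( $oldDisable )` runs only before the explicit `throw` in the first hunk and before `return true` in the second hunk, so an exception raised anywhere else in doImport() leaves the loader disabled for the rest of the request. That fails closed for the local file inclusion issue the comment cites (bug 46932), but the flag is process-wide, so later libxml calls in the same request that legitimately read local files could break in ways that are hard to trace back to this function. The part of doImport() between the two hunks is not shown, so whether its handlers can throw is inferred rather than confirmed. A catch-and-rethrow around the parse gives a single restore path (`finally` would need PHP 5.5 or later), and the extra restore inside the `if` then becomes unnecessary.

```php
$oldDisable = libxml_disable_entity_loader( true );
try {
	$this->reader->read();
	// … unchanged: root-tag check (without its own restore call) and element loop …
} catch ( Exception $e ) {
	// Put the process-wide libxml setting back on every failure path, then rethrow.
	libxml_disable_entity_loader( $oldDisable );
	throw $e;
}
libxml_disable_entity_loader( $oldDisable );
return true;
```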