The file includes/PF_AutoeditAPI.php calls DOMDocument::loadHTML() in a possibly-unsafe way. That call should be modified using these guidelines:
https://www.mediawiki.org/wiki/XML_External_Entity_Processing
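As an added illustration (not the PageForms patch itself), the following PHP helper shows how a DOMDocument::loadHTML() call can be wrapped to follow that guidance: refuse input carrying entity declarations, disable the external entity loader for the duration of the parse on PHP versions where it is on by default, and forbid network access. The helper name loadHtmlSafely and the sample inputs are constructed for this example.

```php
<?php
// Added example: load an HTML string into a DOMDocument without letting
// libxml resolve external entities. Helper name is hypothetical.
function loadHtmlSafely( string $html ): ?DOMDocument {
    // Refuse input that declares entities at all; a page-edit payload has
    // no legitimate need for a DOCTYPE with an internal subset.
    if ( preg_match( '/<!DOCTYPE[^>]*\[|<!ENTITY/i', $html ) ) {
        return null;
    }

    // On PHP < 8.0 the external entity loader is enabled by default: turn
    // it off for the parse and restore the previous setting afterwards.
    // PHP 8.0+ disables it by default and deprecates the call, so guard it.
    $oldLoader = null;
    if ( PHP_VERSION_ID < 80000 && function_exists( 'libxml_disable_entity_loader' ) ) {
        $oldLoader = libxml_disable_entity_loader( true );
    }
    // Collect parser warnings instead of emitting them.
    $oldErrors = libxml_use_internal_errors( true );

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately not passed, since it would substitute entity references.
    $ok = $doc->loadHTML( $html, LIBXML_NONET );

    libxml_clear_errors();
    libxml_use_internal_errors( $oldErrors );
    if ( $oldLoader !== null ) {
        libxml_disable_entity_loader( $oldLoader );
    }
    return $ok ? $doc : null;
}

// Constructed sample inputs: a plain form, and one that declares an
// external entity, which the helper rejects before parsing.
$benign = '<html><body><form><input name="title" value="Page"></form></body></html>';
$hostile = '<!DOCTYPE html [<!ENTITY ext SYSTEM "http://example.invalid/e.dtd">]>'
    . '<html><body>&ext;</body></html>';

var_dump( loadHtmlSafely( $benign ) instanceof DOMDocument );
var_dump( loadHtmlSafely( $hostile ) );
```

Running the script against the two constructed inputs is also a quick functional check that the hardened call still parses ordinary form HTML, which is the concern raised later in this task.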
Subject | Repo | Branch | Lines +/-
---|---|---|---
Secure call to DOMDocument::loadHTML() | mediawiki/extensions/PageForms | master | +3 -1
Change 342439 had a related patch set uploaded (by Harjotsingh):
[mediawiki/extensions/PageForms] Secure call to DOMDocument::loadHTML()
@Yaron_Koren no, I didn't test for XXE vulnerability. I just followed the prevention pattern specified at https://www.mediawiki.org/wiki/XML_External_Entity_Processing.
Is there a way I could test for the vulnerability?
I don't know how to test for the vulnerability either - though that would be ideal. But the most important thing is just to make sure that the code still works now.
I only tested autoedit for modifying pages automatically as specified here: https://www.mediawiki.org/wiki/Extension:Page_Forms/Linking_to_forms
Change 342439 merged by jenkins-bot:
[mediawiki/extensions/PageForms] Secure call to DOMDocument::loadHTML()