Prevent XML parser from loading external entities

author: Mae <Mae@is.badat.dev> 2023-08-04 22:24:17 +0100
committer: Mark Felder <feld@feld.me> 2023-08-04 22:35:13 -0400
commit: ca0859b90f0f3cb9bb369d38d29868de59796c2c (patch)
tree: 161244d7c605a73627a3cf1ec0b0890616d8811b
parent: 1062185ba03ffa03f0dfcfc11f948285b2ffd610 (diff)
download: pleroma-ca0859b90f0f3cb9bb369d38d29868de59796c2c.tar.gz
pleroma-ca0859b90f0f3cb9bb369d38d29868de59796c2c.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
index b699446b0..380a80ab8 100644
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
       {doc, _rest} =
         text
         |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
+          quiet: true,
+          fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+        )
 
       {:ok, doc}
     rescue
author	Mae <Mae@is.badat.dev>	2023-08-04 22:24:17 +0100
committer	Mark Felder <feld@feld.me>	2023-08-04 22:35:13 -0400
commit	ca0859b90f0f3cb9bb369d38d29868de59796c2c (patch)
tree	161244d7c605a73627a3cf1ec0b0890616d8811b
parent	1062185ba03ffa03f0dfcfc11f948285b2ffd610 (diff)
download	pleroma-ca0859b90f0f3cb9bb369d38d29868de59796c2c.tar.gz pleroma-ca0859b90f0f3cb9bb369d38d29868de59796c2c.zip