Prevent XML parser from loading external entities

author: Mae <Mae@is.badat.dev> 2023-08-04 22:24:17 +0100
committer: Haelwenn (lanodan) Monnier <contact@hacktivis.me> 2023-08-05 08:23:04 +0200
commit: fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f (patch)
tree: c382c0f4171d3bdfcbc5abf56cd81bbb1a713aed
parent: ff2f3862abd4a9eabc0440999337a2d44c8b797e (diff)
download: pleroma-fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f.tar.gz
pleroma-fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
index b699446b0..380a80ab8 100644
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
       {doc, _rest} =
         text
         |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
+          quiet: true,
+          fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+        )
 
       {:ok, doc}
     rescue
author	Mae <Mae@is.badat.dev>	2023-08-04 22:24:17 +0100
committer	Haelwenn (lanodan) Monnier <contact@hacktivis.me>	2023-08-05 08:23:04 +0200
commit	fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f (patch)
tree	c382c0f4171d3bdfcbc5abf56cd81bbb1a713aed
parent	ff2f3862abd4a9eabc0440999337a2d44c8b797e (diff)
download	pleroma-fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f.tar.gz pleroma-fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f.zip