Prevent XML parser from loading external entities

2024-11-20 05:49:54 +01:00 · 2023-08-05 12:18:29 +00:00 · 2023-08-05 12:18:29 +00:00 · f56267280e
commit f56267280e
parent d6ac4aff42
1 changed files with 4 additions and 1 deletions
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
      {doc, _rest} =
        text
        |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
+          quiet: true,
+          fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+        )

      {:ok, doc}
    rescue