commit: fc10e07ffbc9d81c7a2ac38a3f9175f2edf2bd1f
parent ff2f3862abd4a9eabc0440999337a2d44c8b797e
Author: Mae <Mae@is.badat.dev>
Date: Fri, 4 Aug 2023 22:24:17 +0100
Prevent XML parser from loading external entities
Diffstat:
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
@@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
{doc, _rest} =
text
|> :binary.bin_to_list()
- |> :xmerl_scan.string(quiet: true)
+ |> :xmerl_scan.string(
+ quiet: true,
+ fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+ )
{:ok, doc}
rescue
