Last modified: 2013-04-16 06:09:13 UTC
Similar to the issue in bug 46859, both the article import feature, and the RSS Extension parse user-supplied XML, without disabling external entities. During import, the external entity is expanded (can trigger an http get, or could execute an expect:// handler), but the output is not shown (the parsing encounters and unexpected "mediawiki" element, and fails), so confidentiality of local files is not compromised. While displaying an RSS feed with the RSS Extension, entities are expanded, and can be displayed to the user. A malicious RSS could compromise the confidentiality of local files, in addition to triggering http gets or executing expect:// handlers.
Related URL: https://gerrit.wikimedia.org/r/59202 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Related URL: https://gerrit.wikimedia.org/r/59342 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Related URL: https://gerrit.wikimedia.org/r/59349 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Related URL: https://gerrit.wikimedia.org/r/59357 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Related URL: https://gerrit.wikimedia.org/r/59377 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)