Dan helpfully posted a bunch of links in the bug description showing how other products have addressed this problem. I find the Mediawiki one to be the most concise and explanatory: http://www.mediawiki.org/wiki/XML_External_Entity_Processing
Based on that, we need this plan of action:
1. Remove the part from init.php where we do libxml_disable_entity_loader(true);
2. Provide wrapper functions for DOMDocument -> loadXML() and simplexml_load_string(), which will run libxml_disable_entity_loader() before the vulnerable code, and then set it back to the old value immediately after.
3. Replace all existing calls to DOMDocument -> loadXML() and simplexml_load_string() with calls to our wrapper functions.
XMLReader->XML() is also vulnerable, but we don't use that in the Mahara codebase anywhere.
We'll need to test this to make sure that it no longer crashes Moodle, *and* that it doesn't leave us vulnerable to the initial security issue we were trying to fix.
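A sketch of the wrapper approach from steps 2 and 3, added here as an example and not taken from the Mahara codebase. The function names are hypothetical, the flag stripping goes beyond the plan in the comment, and the canary check at the end uses a constructed document and assumes a POSIX file path.

```php
<?php
// Added example. All function names are hypothetical, not Mahara's own.

// Run $parse with the external entity loader off, then restore the old value.
function with_entity_loader_disabled(callable $parse) {
    // PHP 8.0 deprecates libxml_disable_entity_loader(); libxml2 >= 2.9.0
    // does not load external entities unless LIBXML_NOENT is passed.
    $toggle = PHP_VERSION_ID < 80000;
    $previous = $toggle ? libxml_disable_entity_loader(true) : null;
    try {
        return $parse();
    } finally {
        // Restore even if the parser throws, so other code in the same
        // process (for example file-based XML loading) keeps working.
        if ($toggle) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Extra hardening beyond the plan: drop flags that ask for entity
// substitution or DTD loading.
function strip_entity_flags(int $options): int {
    return $options & ~(LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_DTDATTR);
}

function safe_dom_load_xml(DOMDocument $doc, string $xml, int $options = 0): bool {
    $options = strip_entity_flags($options);
    return with_entity_loader_disabled(function () use ($doc, $xml, $options) {
        return $doc->loadXML($xml, $options);
    });
}

function safe_simplexml_load_string(string $xml, string $class = 'SimpleXMLElement', int $options = 0) {
    $options = strip_entity_flags($options);
    return with_entity_loader_disabled(function () use ($xml, $class, $options) {
        return simplexml_load_string($xml, $class, $options);
    });
}

// Regression check: a constructed document refers to a local canary file.
$canary = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($canary, 'CANARY-VALUE');
$xml = '<!DOCTYPE r [<!ENTITY e SYSTEM "file://' . $canary . '">]><r>&e;</r>';
$doc = new DOMDocument();
safe_dom_load_xml($doc, $xml);
echo strpos($doc->saveXML(), 'CANARY-VALUE') === false ? "not expanded\n" : "EXPANDED\n";
unlink($canary);
```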