Completely disable xml entity resolution (!3932) · Merge requests · Pleroma / pleroma

Mae BadAtNames requested to merge MaeIsBad/pleroma:disable-xml-entities-completely into develop Aug 05, 2023

I misunderstood how the fetch_fun option on xmerl_scan.string worked. While the previous patch was sufficient to prevent reading local files it still could be DOSed with a billion laughs attack.

Checklist

[ x ] Adding a changelog: In the changelog.d directory, create a file named <code>.<type>.

Edited Aug 05, 2023 by Mae BadAtNames

Completely disable xml entity resolution

Checklist

Merge request reports