[SECURITY] Disallow XXE in RSS dashboard widget
Processing XML external entities is explicitly disallowed when retrieving
RSS/XML data from a remote service. Code-wise it is handled as a security
issue - however it was not possible to actually exploit the code with
current system distributions. Default processing of external entities
has been disabled in libxml2 since version 2.9 - thus, most systems are
not affected by this issue.

Resolves: #92329
Releases: master, 10.4
Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2
Security-Bulletin: TYPO3-CORE-SA-2020-012
Security-References: CVE-2020-26229
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66661
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
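The commit message describes the hardening in one sentence: the RSS/XML document fetched from a remote service is parsed with external entity loading switched off. The following is an added example written for this page, not TYPO3 code, showing what such a parse looks like when written defensively from the start: it refuses any document that declares a DTD (an RSS feed never needs one), forbids network access during parsing, keeps entity substitution off, and turns parser failures into an exception instead of a `false` return. The function name, the sample feed and the error codes are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: parse RSS fetched from a remote service
// without ever resolving external entities. Names and sample data below are
// constructed for this illustration.

function parseRssWithoutExternalEntities(string $rssContent): \SimpleXMLElement
{
    // Defence in depth: a feed never legitimately carries a DTD, so reject
    // any document declaring one before libxml sees it at all.
    if (preg_match('/<!DOCTYPE/i', $rssContent) === 1) {
        throw new \RuntimeException('RSS content must not declare a DOCTYPE', 1);
    }

    // Collect parser errors instead of emitting PHP warnings.
    $previousErrorMode = libxml_use_internal_errors(true);

    // libxml2 >= 2.9 does not load external entities unless asked to. On
    // PHP < 8.0 (possibly paired with an older libxml2) the global toggle
    // libxml_disable_entity_loader() closes that gap; it is deprecated as of
    // PHP 8.0, hence the version guard.
    $previousLoaderState = null;
    if (\PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }

    // LIBXML_NONET forbids any network access while parsing. LIBXML_NOENT is
    // deliberately absent: setting it would substitute entity references.
    $feed = simplexml_load_string($rssContent, \SimpleXMLElement::class, LIBXML_NONET);

    if ($previousLoaderState !== null) {
        libxml_disable_entity_loader($previousLoaderState);
    }
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if ($feed === false) {
        $first = isset($errors[0]) ? trim($errors[0]->message) : 'unknown parser error';
        throw new \RuntimeException('RSS content could not be parsed: ' . $first, 2);
    }
    return $feed;
}

// Constructed sample feed (not a real service).
$sampleFeed = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item><title>First</title><link>https://example.invalid/1</link></item>
<item><title>Second</title><link>https://example.invalid/2</link></item>
</channel></rss>
XML;

$items = [];
foreach (parseRssWithoutExternalEntities($sampleFeed)->channel->item as $item) {
    $items[] = ['title' => (string)$item->title, 'link' => (string)$item->link];
}
print_r($items);
```

The DOCTYPE rejection is the part that does not depend on the libxml2 version or on a deprecated PHP toggle; the remaining flags and the entity-loader guard only back it up on older stacks.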
ohader committed Nov 17, 2020
1 parent 0b96d4b commit 73a7a90
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions typo3/sysext/dashboard/Classes/Widgets/RssWidget.php
Expand Up @@ -105,7 +105,9 @@ protected function getRssItems(): array
if ($rssContent === false) {
throw new \RuntimeException('RSS URL could not be fetched', 1573385431);
}
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$rssFeed = simplexml_load_string($rssContent);
libxml_disable_entity_loader($previousValueOfEntityLoader);
$items = [];
foreach ($rssFeed->channel->item as $item) {
$items[] = [
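Review bot: libxml_disable_entity_loader() is deprecated as of PHP 8.0 (external entity loading is off by default since libxml2 2.9, as the commit message itself notes), so the two added lines will emit a deprecation notice on every widget render once this branch runs on PHP 8; guarding the call with a PHP_VERSION_ID check, or passing LIBXML_NONET as the options argument of simplexml_load_string() so network fetches are refused during parsing without a global toggle, would avoid that. Separately, simplexml_load_string() returns false on malformed input and the following `foreach ($rssFeed->channel->item as $item)` then operates on a non-object; a `$rssFeed === false` check mirroring the `$rssContent === false` guard above would make that failure explicit instead of surfacing as a property access on false.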
