Commit c577de8b authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader
Browse files

[SECURITY] Disallow XXE in RSS dashboard widget

Processing XML external entities is explicitly disallowed when retrieving
RSS/XML data from a remote service. Code-wise it is handled as security
issue - however it was not possible to actually exploit the code with
current system distributions. Default processing of external entities
has been disabled in libxml2 since verion 2.9 - thus, most systems are
not affected by this issue.

Resolves: #92329
Releases: master, 10.4
Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2
Security-Bulletin: TYPO3-CORE-SA-2020-012
Security-References: CVE-2020-26229

Tested-by: Oliver Hader's avatarOliver Hader <>
Reviewed-by: Oliver Hader's avatarOliver Hader <>
parent 13964141
......@@ -105,7 +105,9 @@ class RssWidget implements WidgetInterface
if ($rssContent === false) {
throw new \RuntimeException('RSS URL could not be fetched', 1573385431);
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$rssFeed = simplexml_load_string($rssContent);
$items = [];
foreach ($rssFeed->channel->item as $item) {
$items[] = [
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment