Address vulnerabilities (#440)

* Update no-response.yml * Address XML vulnerability in DocumentToText.php disable entity loading. * Update DocumentToText.php
opencats · Jul 1, 2019 · 920a575 · 920a575
1 parent 96e1db3
commit 920a575
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/.github/no-response.yml b/.github/no-response.yml
@@ -1,7 +1,7 @@
 # Configuration for probot-no-response - https://github.com/probot/no-response
 
 # Number of days of inactivity before an Issue is closed for lack of response
-daysUntilClose: 14
+daysUntilClose: 16
 # Label requiring a response
 responseRequiredLabel: more-information-required
 # Comment to post when closing an Issue for lack of response. Set to `false` to disable

diff --git a/lib/DocumentToText.php b/lib/DocumentToText.php
@@ -412,6 +412,7 @@ private function readZippedXML($archiveFile, $dataFile)
                 $zip->close();
                 // Load XML from a string
                 // Skip errors and warnings
+                libxml_disable_entity_loader(true);
                 $xml = new DOMDocument();
                 $xml->loadXML($data, LIBXML_NOENT | LIBXML_XINCLUDE | LIBXML_NOERROR | LIBXML_NOWARNING);
                 $raw_text = $xml->saveXML();