From aa176fa2fc43647a6c183d88ffbffbe2898fd880 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 13 Mar 2015 16:52:18 -0700
Subject: [PATCH] SECURITY: Don't allow directly calling Xml::isWellFormed

Changing Xml::isWellFormed to private. In WMF hosted repos, there are
no callers to isWellFormed directly.

Bug: T85848
Change-Id: I104427989b89c386de571b8e60642095331a1132
---
 includes/Xml.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/Xml.php b/includes/Xml.php
index 78b8715..f0bd70b 100644
--- a/includes/Xml.php
+++ b/includes/Xml.php
@@ -703,13 +703,15 @@ class Xml {
 	/**
 	 * Check if a string is well-formed XML.
 	 * Must include the surrounding tag.
+	 * This function is a DoS vector if an attacker can define
+	 * entities in $text.
 	 *
 	 * @param string $text String to test.
 	 * @return bool
 	 *
 	 * @todo Error position reporting return
 	 */
-	public static function isWellFormed( $text ) {
+	private static function isWellFormed( $text ) {
 		$parser = xml_parser_create( "UTF-8" );
 
 		# case folding violates XML standard, turn it off
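Review bot: Making `isWellFormed` `private` only removes outside callers; the parser created at `xml_parser_create( "UTF-8" )` still processes whatever entity declarations `$text` carries, so any public method of `Xml` that forwards caller-supplied text to it would remain exposed to the DoS the new docblock lines describe. The docblock should state the precondition rather than only the hazard, e.g. `Callers inside this class must ensure $text cannot contain a DOCTYPE or entity declarations.`, and the in-class callers (not visible in this hunk) should be checked against it. The commit message only vouches for WMF-hosted repos, so third-party extensions that call this method would presumably now hit a fatal error; that deserves a release-notes entry. The function body continues past the end of the hunk, so whether the parser is guarded further down cannot be confirmed from here.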
-- 
1.8.4.5

