Fix XXE DDOs attack when uploading a malicious SVG (ref #152

Changelog.md

@@ -6,8 +6,12 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 ### Added
  - Added an input box with auto-generated short markdown embed code with copy button to file pages
 
+### Changed
+ - Added 1920 as a preset image size on file pages
+
 ### Fixed
  - Fix saving edits to pages with an ampersand in their name (#99)
+ - [Security] Fixed an authenticated denial-of-service attack when uploading a malicious SVG (ref XXE billion laughs attack, #152)
 
 ## v0.15
 _(No changes since v0.15-beta2)_

build/index.php

@@ -5466,6 +5466,7 @@ function upload_check_svg($temp_filename)
  */
 function getsvgsize($svgFilename)
 {
+	libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
 	$svg = simplexml_load_file($svgFilename); // Load it as XML
 	if($svg === false)
 	{

module_index.json

@@ -122,7 +122,7 @@
         "author": "Starbeamrainbowlabs",
         "description": "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File\/' prefix.",
         "id": "feature-upload",
-        "lastupdate": 1513158485,
+        "lastupdate": 1513195855,
         "optional": false
     },
     {

modules/feature-upload.php

@@ -476,7 +476,7 @@ register_module([
 						if($mime_type == "application/pdf")
 							$fileTypeDisplay = "file";
 						
-						$preview_sizes = [ 256, 512, 768, 1024, 1440 ];
+						$preview_sizes = [ 256, 512, 768, 1024, 1440, 1920 ];
 						$preview_html .= "\t\t\t<figure class='preview'>
 				<img src='$previewUrl' />
 				<nav class='image-controls'>
@@ -622,6 +622,7 @@ function upload_check_svg($temp_filename)
  */
 function getsvgsize($svgFilename)
 {
+	libxml_disable_entity_loader(true); // Ref: XXE Billion Laughs Attack, issue #152
 	$svg = simplexml_load_file($svgFilename); // Load it as XML
 	if($svg === false)
 	{