13 changed files with 4 additions and 71 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,11 +18,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
 ## 2.5.4
 ## Security
 - Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
 ## 2.5.3
 ### Security
--- a/2
+++ b/2
@ -49,7 +49,7 @@ USER pleroma
 COPY --from=build --chown=pleroma:0 /release ${HOME}
-COPY --chown=pleroma --chmod=640 ./config/docker.exs /etc/pleroma/config.exs
+COPY ./config/docker.exs /etc/pleroma/config.exs
 COPY ./docker-entrypoint.sh ${HOME}
 EXPOSE 4000
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -1 +0,0 @@
 Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/changelog.d/disable-xml-entity-resolution.security
+++ b/changelog.d/disable-xml-entity-resolution.security
@ -1 +0,0 @@
 Disable XML entity resolution completely to fix a dos vulnerability
--- a/changelog.d/dockerfile-config-perms.fix
+++ b/changelog.d/dockerfile-config-perms.fix
@ -1 +0,0 @@
 - Fix config ownership in dockerfile to pass restriction test
--- a/changelog.d/gentoo_otp_intro.skip
+++ b/changelog.d/gentoo_otp_intro.skip
--- a/docs/installation/gentoo_otp_en.md
+++ b/docs/installation/gentoo_otp_en.md
@ -2,7 +2,7 @@
 {! backend/installation/otp_vs_from_source.include !}
-This guide covers installation via Gentoo provided packaging. A [manual installation guide for gentoo](./gentoo_en.md) is also available.
+A [manual installation guide for gentoo](./gentoo_en.md) is also available.
 ## Installation
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@ -29,10 +29,7 @@ def parse_document(text) do
      {doc, _rest} =
        text
        |> :binary.bin_to_list()
-        |> :xmerl_scan.string(
+        |> :xmerl_scan.string(quiet: true)
          quiet: true,
          allow_entities: false
        )
      {:ok, doc}
    rescue
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.5.54"),
+      version: version("2.5.53"),
      elixir: "~> 1.11",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix] ++ Mix.compilers(),
--- a/test/fixtures/xml_billion_laughs.xml
+++ b/test/fixtures/xml_billion_laughs.xml
@ -1,15 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
 ]>
 <lolz>&lol9;</lolz>
--- a/test/fixtures/xml_external_entities.xml
+++ b/test/fixtures/xml_external_entities.xml
@ -1,3 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
 <stockCheck><productId>&xxe;</productId></stockCheck>
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@ -180,28 +180,5 @@ test "respects xml content-type" do
      {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
    end
    test "refuses to process XML remote entities" do
      Tesla.Mock.mock(fn
        %{
          url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
        } ->
          {:ok,
           %Tesla.Env{
             status: 200,
             body: File.read!("test/fixtures/xml_external_entities.xml"),
             headers: [{"content-type", "application/xrd+xml"}]
           }}
        %{url: "https://pawoo.net/.well-known/host-meta"} ->
          {:ok,
           %Tesla.Env{
             status: 200,
             body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
           }}
      end)
      assert :error = WebFinger.finger("pekorino@pawoo.net")
    end
  end
 end
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@ -1,15 +0,0 @@
 defmodule Pleroma.Web.XMLTest do
  use Pleroma.DataCase, async: true
  alias Pleroma.Web.XML
  test "refuses to parse any entities from XML" do
    data = File.read!("test/fixtures/xml_billion_laughs.xml")
    assert(:error == XML.parse_document(data))
  end
  test "refuses to load external entities from XML" do
    data = File.read!("test/fixtures/xml_external_entities.xml")
    assert(:error == XML.parse_document(data))
  end
 end
		`@ -1 +0,0 @@`
			`Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem`
		`@ -1 +0,0 @@`
			`Disable XML entity resolution completely to fix a dos vulnerability`
		`@ -1 +0,0 @@`
			`- Fix config ownership in dockerfile to pass restriction test`