Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58348
Return-Path: <glopes@nebm.ist.utl.pt>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83702 invoked from network); 29 Feb 2012 20:52:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 Feb 2012 20:52:37 -0000
Authentication-Results: pb1.pair.com smtp.mail=glopes@nebm.ist.utl.pt; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=glopes@nebm.ist.utl.pt; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nebm.ist.utl.pt from 193.136.128.21 cause and error)
X-PHP-List-Original-Sender: glopes@nebm.ist.utl.pt
X-Host-Fingerprint: 193.136.128.21 smtp1.ist.utl.pt Linux 2.6
Received: from [193.136.128.21] ([193.136.128.21:46557] helo=smtp1.ist.utl.pt)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 22/D7-46815-2109E4F4 for <internals@lists.php.net>; Wed, 29 Feb 2012 15:52:36 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id 0255E70003E6;
	Wed, 29 Feb 2012 20:52:32 +0000 (WET)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at ist.utl.pt
Received: from smtp1.ist.utl.pt ([127.0.0.1])
	by localhost (smtp1.ist.utl.pt [127.0.0.1]) (amavisd-new, port 10025)
	with LMTP id WlkM2leMXArR; Wed, 29 Feb 2012 20:52:31 +0000 (WET)
Received: from mail2.ist.utl.pt (mail.ist.utl.pt [IPv6:2001:690:2100:1::8])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id 8956B70003DD;
	Wed, 29 Feb 2012 20:52:31 +0000 (WET)
Received: from damnation.mshome.net (5ED2BD93.cm-7-3c.dynamic.ziggo.nl [94.210.189.147])
	(Authenticated sender: ist155741)
	by mail2.ist.utl.pt (Postfix) with ESMTPSA id 2BE062005280;
	Wed, 29 Feb 2012 20:52:31 +0000 (WET)
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: "PHP Internals List" <internals@lists.php.net>, "Simon Schick"
 <simonsimcity@googlemail.com>
References: <CAJWj5+F5Dxi4yQrTuqyM7AVUkA2fbzEtx5JDzENV+i2XyT9NRg@mail.gmail.com>
Date: Wed, 29 Feb 2012 21:52:07 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: =?utf-8?Q?N=C3=BAcleo_de_Eng=2E_Biom=C3=A9di?=
 =?utf-8?Q?ca_do_I=2ES=2ET=2E?=
Message-ID: <op.wagj85rfidpuyk@damnation.mshome.net>
In-Reply-To: <CAJWj5+F5Dxi4yQrTuqyM7AVUkA2fbzEtx5JDzENV+i2XyT9NRg@mail.gmail.com>
User-Agent: Opera Mail/11.61 (Win32)
Subject: Re: [PHP-DEV] Vulnerability by loading doctype-declaration of xml
From: glopes@nebm.ist.utl.pt ("Gustavo Lopes")

On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick  
<simonsimcity@googlemail.com> wrote:

> I just read this post about a vulnerability by loading  
> doctype-declaration
> of an xml-string given in a request:
> http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
>
> Would it be a good point to restrict which urls can be loaded in the
> doctype, or is the following line the only possibility to prevent it in a
> good way?
> libxml_disable_entity_loader(true);
>

In PHP 5.4, you can use libxml_set_external_entity_loader() and define  
your own logic. I'm afraid it's not documented yet, but it receives a  
callback that takes two strings, a public id and system id and a context  
(an array with four keys). The callback should return a resource, a string  
 from which a resource can be opened, or NULL.

-- 
Gustavo Lopes