Newsgroups: php.internals
Date: Thu, 1 Mar 2012 11:03:03 +0100
From: jpauli@php.net (jpauli)
To: Gustavo Lopes
Cc: PHP Internals List, Simon Schick
Subject: Re: [PHP-DEV] Vulnerability by loading doctype-declaration of xml

Using DOM, this can be achieved with $domDocument->resolveExternals = false;
before loading a document.

Julien.P

On Wed, Feb 29, 2012 at 9:52 PM, Gustavo Lopes wrote:

> On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick <simonsimcity@googlemail.com> wrote:
>
>> I just read this post about a vulnerability by loading doctype-declaration
>> of an xml-string given in a request:
>> http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
>>
>> Would it be a good point to restrict which urls can be loaded in the
>> doctype, or is the following line the only possibility to prevent it in a
>> good way?
>> libxml_disable_entity_loader(true);
>
> In PHP 5.4, you can use libxml_set_external_entity_loader() and define
> your own logic. I'm afraid it's not documented yet, but it receives a
> callback that takes two strings, a public id and system id and a context
> (an array with four keys). The callback should return a resource, a string
> from which a resource can be opened, or NULL.
>
> --
> Gustavo Lopes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
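
The callback approach described in the quoted reply, written out as an added example (not code from the thread or from the PHP project): an allowlist loader that serves a known DTD from memory and returns NULL for every other system ID. The catalog entry, the URLs and both sample documents are constructed for illustration.

```php
<?php
// Constructed allowlist: system IDs we agree to resolve, mapped to local DTD text.
$catalog = [
    'http://example.com/dtd/note.dtd' => '<!ELEMENT note (#PCDATA)>',
];
$denied = []; // system IDs the loader refused, kept for logging or alerting

libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use ($catalog, &$denied) {
        $key = (string) $systemId;
        if (!isset($catalog[$key])) {
            // Not on the allowlist: record it and hand libxml no input for this ID.
            $denied[] = $key;
            return null;
        }
        // Serve the DTD from memory instead of dereferencing the URL.
        $stream = fopen('php://temp', 'r+');
        fwrite($stream, $catalog[$key]);
        rewind($stream);
        return $stream;
    }
);

// Constructed inputs: one DOCTYPE on the allowlist, one pointing elsewhere.
$documents = [
    'allowed' => '<!DOCTYPE note SYSTEM "http://example.com/dtd/note.dtd"><note>hi</note>',
    'refused' => '<!DOCTYPE note SYSTEM "http://internal.example/x.dtd"><note>hi</note>',
];

libxml_use_internal_errors(true); // collect libxml messages instead of emitting them
foreach ($documents as $label => $xml) {
    $doc = new DOMDocument();
    // LIBXML_DTDLOAD asks libxml to load the external subset named in the DOCTYPE,
    // which routes the request through the loader registered above.
    $loaded = $doc->loadXML($xml, LIBXML_DTDLOAD);
    printf("%s: loadXML=%s, libxml messages=%d\n",
        $label, var_export($loaded, true), count(libxml_get_errors()));
    libxml_clear_errors();
}
printf("refused system IDs: %s\n", implode(', ', $denied));
```

The $denied list is the useful detection signal here: a refused system ID in untrusted input is worth logging with the request that carried it.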