Newsgroups: php.internals
Subject: libxml2, the fix for CVE-2014-0191 breaks some tests
From: php@beccati.com (Matteo Beccati)
To: internals@lists.php.net
Date: Wed, 04 Jun 2014 14:00:00 +0200
Message-ID: <538F0A40.7080309@beccati.com>

Hi everyone,

since the latest upgrade to libxml2 on my Ubuntu CI box, 2-3 DOM tests started to fail when trying to parse external entities. The fix is trivial and I'm ready to push it to PHP-5.4+, but before doing so I wanted to give a heads-up to everyone involved.

The fix is basically about adding:

    $domDocument->substituteEntities = true;

to the failing tests.

As far as I understand, the default "false" (equivalent to XML_PARSE_NOENT) was ignored by previous libxml2 versions, leading to the vulnerability. Maybe this is worth mentioning in the docs too?

For reference:
http://www.ubuntu.com/usn/usn-2214-1/
https://revive.beccati.com/bamboo/browse/PHP-SRC-10/
http://php.net/manual/en/class.domdocument.php#domdocument.props.substituteentities

Cheers
--
Matteo Beccati
Development & Consulting - http://www.beccati.com/
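The following is an added example, not code from the post above or from php-src, showing what the DOMDocument::$substituteEntities property actually controls when a document declares an external entity. The entity payload is a constructed temp file; the file name and the `parse_with()` helper are assumptions for this illustration. With the property left at its default (false) the reference stays a DOMEntityReference node and libxml2 is not asked to expand it; setting it to true maps to XML_PARSE_NOENT, which makes libxml2 fetch and substitute the external content. The third variant keeps substitution on but installs an entity loader that refuses every fetch, which is the usual hardening when an application needs internal entities expanded but must never reach the filesystem or network.

```php
<?php
// Added example (not from the php.internals post): what
// DOMDocument::$substituteEntities does with an external general entity.
declare(strict_types=1);

// Constructed payload file standing in for /etc/passwd or a remote URL.
$payload = tempnam(sys_get_temp_dir(), 'ent');
file_put_contents($payload, 'SECRET-FROM-EXTERNAL-FILE');

// Document with a DOCTYPE that declares an external entity and references it.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file://{$payload}">
]>
<note>&ext;</note>
XML;

/**
 * Parse $xml with the given substituteEntities setting and optional
 * external entity loader, and describe what ended up in the document.
 * (Hypothetical helper for this example.)
 */
function parse_with(string $xml, bool $substitute, ?callable $loader = null): string
{
    libxml_use_internal_errors(true);
    libxml_clear_errors();
    // null restores libxml's default loader.
    libxml_set_external_entity_loader($loader);

    $dom = new DOMDocument();
    // Must be set before load: true adds XML_PARSE_NOENT to the parse options.
    $dom->substituteEntities = $substitute;

    if (!$dom->loadXML($xml)) {
        $msgs = array_map(fn($e) => trim($e->message), libxml_get_errors());
        libxml_clear_errors();
        return 'parse error: ' . implode('; ', $msgs);
    }

    $note  = $dom->documentElement;
    $first = $note->firstChild;
    $kind  = $first === null ? 'no child node' : get_class($first);
    $warn  = libxml_get_errors() ? ' (with libxml warnings)' : '';
    libxml_clear_errors();

    return sprintf('%s, textContent=%s%s', $kind, var_export($note->textContent, true), $warn);
}

// 1. Default: entity reference kept as a node, no substitution requested.
echo "substituteEntities=false: ", parse_with($xml, false), "\n";

// 2. What the failing tests needed: NOENT set, external content fetched.
echo "substituteEntities=true:  ", parse_with($xml, true), "\n";

// 3. Hardened: substitution on, but every external fetch is refused.
$deny = function (?string $public, ?string $system, array $context) {
    // Returning null makes libxml2 fail the load instead of reading $system.
    return null;
};
echo "true + denying loader:    ", parse_with($xml, true, $deny), "\n";

libxml_set_external_entity_loader(null);
unlink($payload);
```

Run it against two libxml2 builds to see the difference the post is about: the output of the first line is where old and fixed libraries diverge, while the second line fetches the file on both. If your application only ever needs internal entities, the safest combination is the default false plus a denying loader, so that neither parameter nor general external entities can be resolved regardless of the libxml2 version underneath.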