Newsgroups: php.internals
Date: Thu, 30 Jul 2015 04:00:43 +0700
From: Pierre Joye <pierre.php@gmail.com>
To: Anthony Ferrara
Cc: PHP internals <internals@lists.php.net>
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default

On Jul 29, 2015 11:38 PM, "Anthony Ferrara" wrote:
>
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?

I am for it, for 7.0 or 8.0. We discussed it during the last related flaw and decided not to do it for BC reasons (whatever it means in this case). This problem went off our radar, so yes, we should do it in 7.0. Changing defaults in minor versions always creates more trouble.

Cheers,
Pierre
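The opt-in switch the thread discusses, `libxml_disable_entity_loader(true)`, is process-wide and easy to forget at a single call site. The following is an added example, not code from the thread or from PHP's own source: a hypothetical `parse_xml_safely()` helper that applies that switch on PHP versions where external entity loading is still on by default, parses with network access disabled and entity substitution off, and rejects any document that carries a DOCTYPE at all (a DOCTYPE is the only place an external entity can be declared, so refusing it removes the XXE surface regardless of the per-process setting). The two XML samples are constructed for the demo; the `file:///placeholder/not-read` URI is a placeholder that is never fetched. It assumes PHP 7.4 or later with the dom extension.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): parse untrusted XML with external
 * entity loading disabled and reject any document that declares a DOCTYPE.
 *
 * @throws InvalidArgumentException on parse failure or when a DOCTYPE is present
 */
function parse_xml_safely(string $xml): DOMDocument
{
    // PHP < 8.0: the per-process switch the thread talks about. From 8.0 the
    // loader is already disabled by default and this function is deprecated.
    if (\PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect libxml errors instead of emitting warnings; restore afterwards.
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        $dom->substituteEntities = false; // never expand entity references
        $dom->resolveExternals   = false; // never fetch an external DTD subset

        // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately NOT passed: both would re-enable the
        // very behaviour this helper exists to prevent.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
        if ($ok === false) {
            $messages = [];
            foreach (libxml_get_errors() as $error) {
                $messages[] = trim($error->message);
            }
            throw new InvalidArgumentException('XML parse error: ' . implode('; ', $messages));
        }

        // Defence in depth: a DOCTYPE is where external (and recursive
        // internal) entities are declared. Untrusted input has no need for one.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }

        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed samples for the demo (not taken from the thread).
$benign = '<?xml version="1.0"?><order><id>42</id></order>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
    . '<order><id>&ext;</id></order>';

$dom = parse_xml_safely($benign);
echo $dom->getElementsByTagName('id')->item(0)->textContent, PHP_EOL; // 42

try {
    parse_xml_safely($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the document with the DOCTYPE is rejected after parsing rather than by a string match on the raw input, the check is not fooled by encoding tricks or whitespace, and because expansion is never enabled, nothing is read from the placeholder URI even before the DOCTYPE check runs. The `finally` block matters in long-running workers (php-fpm, CLI daemons): `libxml_use_internal_errors()` is also process-wide state, so leaving it set would silently swallow libxml errors for every later request.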