Newsgroups: php.internals
Date: Wed, 29 Jul 2015 23:18:36 +0200
To: "Pierre Joye", "Anthony Ferrara"
Cc: "PHP internals"
Message-ID: <017601d0ca44$2436c360$6ca44a20$@belski.net>
Subject: RE: [PHP-DEV] Disabling External Entities in libxml By Default
From: anatol.php@belski.net ("Anatol Belski")

Hi,

> -----Original Message-----
> From: Pierre Joye [mailto:pierre.php@gmail.com]
> Sent: Wednesday, July 29, 2015 11:01 PM
> To: Anthony Ferrara
> Cc: PHP internals
> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>
> On Jul 29, 2015 11:38 PM, "Anthony Ferrara" wrote:
> >
> > All,
> >
> > I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> > RM's feedback).
> >
> > Currently, PHP by default is vulnerable to XXE attacks:
> > https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> >
> > To bypass this, you need to turn off external entity loading:
> >
> > libxml_disable_entity_loader(true);
> >
> > What I'm proposing is to disable entity loading by default. That way
> > it requires developers to opt-in to actually load external entities.
> >
> > Thoughts?
>
> I am for it, for 7.0 or 8.0.
>
> We discussed it during the last related flaw and decided not to do it for BC
> reasons (whatever it means in this case).
>
> This problem went off our radar, so yes, we should do it in 7.0. Changing
> defaults in minor versions always creates more trouble.
>

To note is that the libxml-2.9.2 in Windows builds already contains the patches mentioned in https://www.debian.org/security/2013/dsa-2652 , see https://github.com/winlibs/libxml2/commit/727e357fb21b95d5c315518bdac99a70a6d15ff8 ... Most of the distributions should already have these patches. Probably we should check whether disabling it in PHP is unnecessary, but if it's not - ofc 7.0 should be the target at least.

Regards

Anatol
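The mitigation Anthony refers to, `libxml_disable_entity_loader(true)`, is only one layer; the example below is an added illustration written for this page, not code from the thread or from the PHP project. It wraps untrusted XML parsing so that the entity loader is switched off only for the duration of the parse (and restored afterwards), omits `LIBXML_NOENT`/`LIBXML_DTDLOAD`, adds `LIBXML_NONET`, and rejects any document carrying a DOCTYPE, since untrusted input has no legitimate need for one. It also includes a self-check that a deployment can run to confirm the entity loader is actually blocked on a given build, which matters given Anatol's point that behaviour differs between libxml versions. Function names are my own; the code assumes PHP 7 or later with the DOM extension and a writable temporary directory.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML defensively. Returns null instead of throwing when the
 * document is malformed or declares a DOCTYPE.
 */
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    // Disable external entity loading for this parse only and remember the
    // previous setting so the caller's configuration is restored. (Deprecated
    // since PHP 8.0 because libxml >= 2.9 defaults to off; still harmless.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT (entity substitution) and no LIBXML_DTDLOAD;
        // LIBXML_NONET additionally forbids network access while parsing.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            return null;
        }
        // A DOCTYPE in untrusted input is the carrier for entity declarations,
        // so reject the whole document rather than trying to sanitise it.
        if ($dom->doctype !== null) {
            return null;
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

/**
 * Self-check for a deployment: write a random canary to a temp file, reference
 * it from an external entity in a constructed document, parse with the loader
 * disabled (DOCTYPE check deliberately skipped so the entity is reachable), and
 * report true only if the canary did NOT end up in the parsed content.
 */
function external_entity_loading_is_blocked(): bool
{
    $canary = 'XXE-CANARY-' . bin2hex(random_bytes(8));   // constructed marker
    $path = tempnam(sys_get_temp_dir(), 'xxe');
    file_put_contents($path, $canary);
    // Build a file:// URI that is valid on both POSIX and Windows paths.
    $uri = 'file://' . (DIRECTORY_SEPARATOR === '\\'
        ? '/' . str_replace('\\', '/', $path)
        : $path);
    $xml = '<?xml version="1.0"?>'
         . '<!DOCTYPE data [<!ENTITY ext SYSTEM "' . $uri . '">]>'
         . '<data>&ext;</data>';

    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        $dom->loadXML($xml, LIBXML_NONET);
        $content = $dom->documentElement !== null
            ? $dom->documentElement->textContent
            : '';
        return strpos($content, $canary) === false;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
        @unlink($path);
    }
}

// Usage: constructed inputs, one clean and one carrying a DOCTYPE.
$clean  = '<?xml version="1.0"?><order><id>42</id></order>';
$tagged = '<?xml version="1.0"?><!DOCTYPE order><order><id>42</id></order>';

var_dump(parse_untrusted_xml($clean) !== null);    // accepted
var_dump(parse_untrusted_xml($tagged) !== null);   // rejected because of the DOCTYPE
var_dump(external_entity_loading_is_blocked());   // should be true on a safe build
```

The self-check is worth running once per build rather than per request: it tells you whether the combination of PHP and the bundled or system libxml you actually ship resolves external entities when the loader is disabled, which is exactly the question Anatol raises about the patched libxml-2.9.2 in the Windows builds. For production parsing, `parse_untrusted_xml()` alone is the path to use; a rejected DOCTYPE should be logged as a suspicious input, not silently dropped.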