Newsgroups: php.internals
Xref: news.php.net php.internals:87376
Message-ID: <55B94D0B.40908@gmx.de>
Date: Thu, 30 Jul 2015 00:00:43 +0200
From: Christoph Becker <cmbecker69@gmx.de>
To: Anthony Ferrara, internals@lists.php.net
Subject: Re: Disabling External Entities in libxml By Default

Anthony Ferrara wrote:

> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?

A problem is reported as bug #62577. As it is now, when
libxml_disable_entity_loader(true) has been called, no XML file can be
loaded, i.e. simplexml_load_file(), DOMDocument::load() etc. always
fail, even if the XML doesn't contain any entities at all.

--
Christoph M. Becker
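The following is an added, self-contained PHP example written for this page; it is not code from the thread above or from the PHP project. It shows the three behaviours the thread discusses: the default XXE exposure when a parser is asked to substitute entities (LIBXML_NOENT), the effect of libxml_disable_entity_loader(true), and the side effect reported as bug #62577, where *_load_file() calls fail once the loader is disabled even for an entity-free document, together with the usual workaround of reading the file yourself and parsing the string. The "secret" file, the XML payload and the config file are all constructed by the script in a temp directory; it assumes PHP 5.x or 7.x with ext/libxml, SimpleXML and DOM (in PHP 8.0 the function is deprecated and the external loader is off by default for libxml 2.9+).

```php
<?php
// Added example for the thread on disabling external entities by default.
// Not part of the original post. Assumes PHP 5.x/7.x with libxml, DOM and
// SimpleXML; all input files below are constructed by this script.

// Collect libxml warnings instead of printing them, so the demo is quiet.
libxml_use_internal_errors(true);

// Constructed stand-in for a sensitive file such as /etc/passwd or a
// configuration file that an XXE payload would try to read.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "db_password=hunter2\n");

// Constructed attacker-controlled document: the DTD declares an external
// entity pointing at the local file and references it in element content.
$xxe = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<data>&xxe;</data>
XML;

/**
 * Parse untrusted XML with DOM, asking libxml to substitute entities
 * (LIBXML_NOENT), which is what makes the external entity get resolved.
 * Returns the text content of the root element, or null if the document
 * could not be parsed at all.
 */
function parseUntrusted(string $xml): ?string
{
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NOENT);
    libxml_clear_errors();
    if (!$ok || $dom->documentElement === null) {
        return null;
    }
    return $dom->documentElement->textContent;
}

// 1. Default PHP behaviour (before 8.0): the external entity loader is on,
//    so libxml opens the file and its contents end up in <data>.
$leaked = parseUntrusted($xxe);
echo "loader enabled : ", var_export($leaked, true), "\n";

// 2. Hardened: disable the external entity loader before parsing. libxml
//    then refuses to fetch the SYSTEM entity; depending on the libxml
//    version the entity expands to nothing or the parse fails, but in no
//    case does the file content come back.
$previous = libxml_disable_entity_loader(true);
$blocked = parseUntrusted($xxe);
echo "loader disabled: ", var_export($blocked, true), "\n";

// 3. Side effect (bug #62577): with the loader disabled, the *_load_file()
//    family also fails, because the document itself is fetched through the
//    same entity loader, even when the file declares no entities at all.
$cleanPath = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($cleanPath, "<config><timeout>30</timeout></config>\n");

$viaFile = simplexml_load_file($cleanPath);
libxml_clear_errors();
echo "simplexml_load_file   ok: ", var_export($viaFile !== false, true), "\n";

// Workaround: read the file with ordinary PHP I/O and parse the string.
// simplexml_load_string() never goes through the entity loader for the
// document itself, so it works with the loader disabled.
$viaString = simplexml_load_string(file_get_contents($cleanPath));
echo "simplexml_load_string ok: ", var_export($viaString !== false, true), "\n";
if ($viaString !== false) {
    echo "timeout = ", (string) $viaString->timeout, "\n";
}

// libxml_disable_entity_loader() is process-wide state shared by every
// library in the request, so restore what was there before.
libxml_disable_entity_loader($previous);
unlink($secretPath);
unlink($cleanPath);
```

Two practical notes follow from the script. First, the setting is global to the process, so a library that flips it off for its own parsing changes the behaviour of every other XML consumer in the same request; wrapping the call with the previous value, as above, limits that blast radius. Second, the workaround of file_get_contents() plus a *_load_string() or loadXML() call is the pattern people fall back on because of the bug the reply mentions; it keeps external entities blocked while still allowing local files to be parsed.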