Newsgroups: php.internals
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Anthony Ferrara, internals@lists.php.net
Date: Wed, 29 Jul 2015 15:01:59 -0700
Message-ID: <55B94D57.4070509@gmail.com>

Hi!

> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);

AFAIR right now, due to how it is implemented, this blocks loading XML content from files with something like XMLReader::open() - due to the use of the same code path by both. It may have changed since the last time I looked, but it definitely was a major reason why the default stayed that way. What people did is something like this:

libxml_disable_entity_loader( false );
$reader->open( $filename );
libxml_disable_entity_loader( true );

I imagine we could do better. But we need to be careful - if we just set it as disabled, we could break a lot of unsuspecting apps that do nothing more than reading XML files.

--
Stas Malyshev
smalyshev@gmail.com
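Added example, not part of Stas's message or of PHP's own code: a wrapper that scopes the open/toggle pattern above so the entity loader is re-enabled only for the duration of XMLReader::open() and the previous state is restored even if open() fails, with entity substitution and DTD loading switched off for the reads that follow. It assumes PHP 7.x, where libxml_disable_entity_loader() still has effect (PHP 8.0 deprecates it because libxml 2.9+ no longer loads external entities by default).

```php
<?php
// Open an XML file while the global entity loader is disabled, re-enabling it
// only for open() itself. Returns the previous loader state via try/finally so a
// failed open() cannot leave the loader permanently enabled for the request.
function openXmlFileSafely(string $filename): XMLReader
{
    $reader = new XMLReader();
    // libxml_disable_entity_loader() returns the previous setting.
    $previous = libxml_disable_entity_loader(false);
    try {
        // LIBXML_NONET refuses network fetches; LIBXML_NOENT is deliberately not set,
        // so entity references are not substituted during parsing.
        if (!$reader->open($filename, null, LIBXML_NONET)) {
            throw new RuntimeException("cannot open XML file: $filename");
        }
    } finally {
        // Back to the prior (normally disabled) state before any read() happens;
        // external entity resolution is attempted during read(), not open().
        libxml_disable_entity_loader($previous);
    }
    // Parser properties must be set before the first read().
    $reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);
    $reader->setParserProperty(XMLReader::LOADDTD, false);
    return $reader;
}

// Count element nodes in a file using the wrapper above.
function countElements(string $filename): int
{
    $reader = openXmlFileSafely($filename);
    $count = 0;
    while ($reader->read()) {
        if ($reader->nodeType === XMLReader::ELEMENT) {
            $count++;
        }
    }
    $reader->close();
    return $count;
}

// Constructed sample input: a plain document with no DOCTYPE, written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, "<?xml version=\"1.0\"?>\n<root><a/><b><c/></b></root>\n");
libxml_disable_entity_loader(true);          // the global default this thread discusses
var_dump(countElements($tmp));               // int(4)
var_dump(libxml_disable_entity_loader(true)); // bool(true): loader is still disabled afterwards
unlink($tmp);
```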