Newsgroups: php.internals
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: ivan.enderlin@hoa-project.net (Ivan Enderlin)
To: internals@lists.php.net
Date: Thu, 30 Jul 2015 07:59:56 +0200
Message-ID: <55B9BD5C.8060805@hoa-project.net>

Hello :-),

Huge +1 from the [Hoa] community. We have already disabled it by default for a long time. However, could it introduce potential regressions (BC breaks)? I guess yes. So I would go for PHP7.0 instead of PHP7.1.

Cheers!

[Hoa]: http://hoa-project.net/

On 29/07/15 22:37, Anthony Ferrara wrote:
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
>
> Anthony
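The opt-in model discussed in this thread, shown as an added example that is not code from the thread, from Hoa, or from PHP itself: a parsing helper that turns off external entity loading for the duration of a parse (the libxml_disable_entity_loader(true) call Anthony quotes), forbids network access with LIBXML_NONET, and additionally refuses any document carrying a DOCTYPE, since an internal DTD subset can declare entities without ever touching the loader. The function name parseXmlSafely, the version-gated handling (the loader call is unnecessary and deprecated from PHP 8.0, where the default became what this thread proposes) and the two sample documents are my own constructions.

```php
<?php
// Added example, not from the mailing-list thread: parse untrusted XML with
// external entity loading disabled and DTDs rejected outright.

function parseXmlSafely(string $xml): DOMDocument
{
    // Refuse DTDs up front: an internal subset can declare entities
    // (including SYSTEM ones) even when the external loader is off.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    // Before PHP 8.0 the loader is on by default; switch it off for this
    // parse and restore the previous state afterwards. On PHP >= 8.0 the
    // default is already off and the call is deprecated, so skip it.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches during parsing.
        // LIBXML_NOENT is deliberately NOT passed: it would substitute entities.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        if ($ok === false) {
            $messages = array_map(
                function ($error) { return trim($error->message); },
                libxml_get_errors()
            );
            libxml_clear_errors();
            throw new RuntimeException('XML parse failed: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample inputs (not real data).
$benign  = '<?xml version="1.0"?><order><item sku="A-1">2</item></order>';
$withDtd = '<?xml version="1.0"?>'
         . '<!DOCTYPE order [<!ENTITY greeting "hi">]>'
         . '<order>&greeting;</order>';

$doc = parseXmlSafely($benign);
echo $doc->getElementsByTagName('item')->item(0)->getAttribute('sku'), "\n";

try {
    parseXmlSafely($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first document parses and yields the sku attribute; the second is rejected before libxml sees it. Code that genuinely needs external entities would do the opposite of this helper (enable the loader explicitly, for one parse, and restore it), which is exactly the opt-in the proposal asks for.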