Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87402 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 19051 invoked from network); 30 Jul 2015 14:30:47 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 30 Jul 2015 14:30:47 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.212.170 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 209.85.212.170 mail-wi0-f170.google.com Received: from [209.85.212.170] ([209.85.212.170:35978] helo=mail-wi0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D3/24-31830-5153AB55 for ; Thu, 30 Jul 2015 10:30:46 -0400 Received: by wicgb10 with SMTP id gb10so246718739wic.1 for ; Thu, 30 Jul 2015 07:30:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=d6ZBD9Csjcw3bQLcmBWViBdsaSd9dHmDxhJQB+XWego=; b=qxMsPdJ5AWf25EqkhwyROlJ2uJop336gxDSdu2t886jfbTMF7ppYKOaevthyCzt/iq MDGRQrI9EJCuj+CcJ6+NMBTVVJfqhC8p6MoPMVXo1BSyLxro351KHcCajJitxRSYh0vW mphyCYaQ6yeHCecCsIQkxhKOz4uN2JH4bTmUcKdyqDkezSS+1QD2fu6XfCzBh+zdMQ7S ml22zO3UyTSrk4KeQ7bWlQbL7JTD227zQ7J8gyOjMFlNYdUQx/2wkifzKDaQvzpQIbaP 92aAwvASlZS0SRRaC1Cn2DachylaJk8z/4AxbKgDUC3m3NtOsr7IOfOR4XGE+cZJYUuR iEdg== X-Received: by 10.194.236.161 with SMTP id uv1mr94254148wjc.158.1438266643139; Thu, 30 Jul 2015 07:30:43 -0700 (PDT) Received: from [192.168.0.136] ([62.189.198.114]) by smtp.googlemail.com with ESMTPSA id 4sm2128147wjt.46.2015.07.30.07.30.41 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Jul 2015 07:30:42 -0700 (PDT) To: internals@lists.php.net References: <55B94D57.4070509@gmail.com> <55BA22C5.2020104@cdatazone.org> Message-ID: <55BA34EF.6030209@gmail.com> Date: Thu, 30 Jul 2015 15:30:07 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: <55BA22C5.2020104@cdatazone.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default From: rowan.collins@gmail.com (Rowan Collins) Rob Richards wrote on 30/07/2015 14:12: > If you are already working with a trusted document then you should > safely be able to disable the entity loader. If you aren't then > wouldn't you want to do some sort of checking (especially if you dont > have an XML gateway fronting the system) for other malicious things > before even opening the document regardless if it has external > entities or not. Can you give any pointers to what kind of checking this would be, and how it would be carried out without parsing the XML document in the first place? According to the bug report, one of the affected uses is the SoapClient, which by definition is dealing with remote data. I can see how that could be considered "untrusted", but I can't think of any particular action that would make it more trusted (quite apart from the lack of an obvious point to intercept the data before it is parsed). Would it not make more sense for the parser to operate in an "untrusted" mode - disabling external entities, maybe different limits on stack depth, etc? Regards, -- Rowan Collins [IMSoP]