Newsgroups: php.internals
Date: Thu, 30 Jul 2015 18:52:23 +0200
To: Anatol Belski, 'Pierre Joye', 'Anthony Ferrara'
CC: 'PHP internals'
Message-ID: <55BA5647.5080304@gmx.de>
In-Reply-To: <017601d0ca44$2436c360$6ca44a20$@belski.net>
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: cmbecker69@gmx.de (Christoph Becker)

Anatol Belski wrote:
>> -----Original Message-----
>> From: Pierre Joye [mailto:pierre.php@gmail.com]
>> Sent: Wednesday, July 29, 2015 11:01 PM
>> To: Anthony Ferrara
>> Cc: PHP internals
>> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>>
>> On Jul 29, 2015 11:38 PM, "Anthony Ferrara" wrote:
>>>
>>> All,
>>>
>>> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
>>> RM's feedback).
>>>
>>> Currently, PHP by default is vulnerable to XXE attacks:
>>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>>
>>> To bypass this, you need to turn off external entity loading:
>>>
>>> libxml_disable_entity_loader(true);
>>>
>>> What I'm proposing is to disable entity loading by default. That way
>>> it requires developers to opt-in to actually load external entities.
>>>
>>> Thoughts?
>>
>> I am for it, for 7.0 or 8.0.
>>
>> We discussed it during the last related flaw and decided not to do it for BC
>> reasons (whatever it means in this case).
>>
>> This problem went off our radar, so yes, we should do it in 7.0. Changing default
>> in minor versions always creates more troubles.
>>
> To note is that the libxml-2.9.2 in Windows builds already contains patches
> mentioned in https://www.debian.org/security/2013/dsa-2652 , see
> https://github.com/winlibs/libxml2/commit/727e357fb21b95d5c315518bdac99a70a6d15ff8 ...
> Most of the distributions should already have these patches. Probably we should
> check whether disabling it in PHP were unnecessary, but if it's not - ofc 7.0
> should be the target at least.

It seems to me that this patch addresses only part of the XXE problem. However,
according to OWASP it would be sufficient to protect against XXE by not setting
XML_PARSE_NOENT and XML_PARSE_DTDLOAD (checked as of libxml 2.9). AFAIK PHP does
not set these options unless requested by the user, whereas XML_PARSE_NOENT can
also be set via DOMDocument::substituteEntities. Some note about the potential
danger of these options/properties might be appropriate in the manual.

-- 
Christoph M. Becker
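Added example (not part of this thread and not PHP's own code): a parsing routine that applies the settings the thread discusses: it never passes LIBXML_NOENT or LIBXML_DTDLOAD, keeps DOMDocument::substituteEntities off, and on PHP releases before 8.0 (where the function is not yet deprecated) switches off the external entity loader as Anthony proposed. The sample document is constructed; its SYSTEM identifier points at a non-existent placeholder path. The helper names `parse_untrusted_xml` and `body_contains_unexpanded_entity` are assumptions of this example.

```php
<?php
// Added example: hardened parsing of untrusted XML with ext/dom (libxml).
// Constructed sample: an internal DTD declares an external (SYSTEM) entity and
// element content references it. The target path is a placeholder that does
// not exist; with the settings below it is never fetched.
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///placeholder/does-not-exist">
]>
<note><body>&ext;</body></note>
XML;

function parse_untrusted_xml(string $xml): DOMDocument
{
    // Before PHP 8.0 this global switch is the protection Anthony mentions.
    // PHP 8.0 requires libxml >= 2.9.0, where external entities are only
    // loaded when LIBXML_NOENT / LIBXML_DTDLOAD are requested, and deprecates
    // the function, so it is only called on older releases here.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // This property maps to XML_PARSE_NOENT, as Christoph notes; keep it off.
    $doc->substituteEntities = false;
    // Pass only LIBXML_NONET (forbid network fetches); deliberately no
    // LIBXML_NOENT and no LIBXML_DTDLOAD, per the OWASP guidance cited.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    if ($previous !== null) {
        libxml_disable_entity_loader($previous);
    }
    if (!$ok) {
        $msgs = array_map(fn($e) => trim($e->message), libxml_get_errors());
        libxml_clear_errors();
        throw new RuntimeException('XML rejected: ' . implode('; ', $msgs));
    }
    libxml_clear_errors();
    return $doc;
}

// True when <body> still holds the raw entity reference node, i.e. the
// parser kept "&ext;" as a DOMEntityReference instead of expanding it.
function body_contains_unexpanded_entity(DOMDocument $doc): bool
{
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return false;
    }
    foreach ($body->childNodes as $child) {
        if ($child instanceof DOMEntityReference) {
            return true;
        }
    }
    return false;
}

$doc = parse_untrusted_xml(UNTRUSTED_XML);
printf("body text: '%s'\n",
       $doc->getElementsByTagName('body')->item(0)->textContent);
printf("entity reference left unexpanded: %s\n",
       body_contains_unexpanded_entity($doc) ? 'yes' : 'no');
```

Run it with `php example.php`; the body text stays empty and the reference is reported as unexpanded. Flipping `substituteEntities` to true or adding `LIBXML_NOENT` to the `loadXML()` flags is exactly the opt-in the thread wants developers to have to make explicitly, which is why a manual note on those two switches, as Christoph suggests, is the useful place to document the risk.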