Newsgroups: php.internals
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: php@freepanel.net (Jake)
To: Anthony Ferrara, internals@lists.php.net
Date: Thu, 30 Jul 2015 19:06:41 +0200
Message-ID: <55BA59A1.9020503@freepanel.net>

Hello

Disabling this will (at least for me) cause SOAP related stuff to stop working as it was expected to work before! ...
It fails with error to read external entity, failed while parsing /external entity /'http://www.some.tld/muppet.php?wsdl' ..

I don't know if I get this error correct but to me it looks like PHP on "www frontend" refuses to read WSDL/SOAP/XML from "www backend" because of this...

Pretty much of the SOAP idea is gone then..?

/ Jake

On 2015-07-29 22:37, Anthony Ferrara wrote:
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
>
> Anthony
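The two sides of this exchange in one script, as an added example that is not part of the thread or of PHP's own code: the effect of `libxml_disable_entity_loader()` on a document that references an external entity, and the scoped opt-in that a consumer of a remote WSDL would need if the proposed default were adopted. It assumes the PHP 5.5+/7 behaviour of that function as discussed in the thread (it is deprecated from PHP 8.0) and uses a constructed temp file and a placeholder WSDL URL.

```php
<?php
// Constructed input: an external entity that points at a local temp file,
// the shape of document the OWASP link in the thread is about.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'contents-of-local-file');
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE r [<!ENTITY ext SYSTEM "file://' . $secret . '">]>'
     . '<r>&ext;</r>';

// Parse with entity substitution and return the text the entity expanded to.
function parse_with_entities(string $xml): string
{
    libxml_use_internal_errors(true);        // collect libxml warnings instead of emitting them
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NOENT); // LIBXML_NOENT: substitute entities
    $text = ($ok && $dom->documentElement) ? $dom->documentElement->textContent : '';
    libxml_clear_errors();
    return $text;
}

// Current default (loader enabled): the entity is fetched, so the file
// contents end up inside the parsed document.
echo "loader enabled:  '" . parse_with_entities($xml) . "'\n";

// Proposed default (loader disabled): the entity cannot be fetched and
// libxml records a "failed to load external entity" error instead.
$previous = libxml_disable_entity_loader(true);
echo "loader disabled: '" . parse_with_entities($xml) . "'\n";

// Opt-in pattern for code that legitimately needs remote loading, e.g. a
// SoapClient reading its WSDL: re-enable the loader only around the call
// and restore the previous setting afterwards. $wsdlUrl is a placeholder;
// this function is defined but not called here, since it needs a network.
function soap_client_with_wsdl(string $wsdlUrl): SoapClient
{
    $prev = libxml_disable_entity_loader(false);
    try {
        return new SoapClient($wsdlUrl);
    } finally {
        libxml_disable_entity_loader($prev);
    }
}

libxml_disable_entity_loader($previous);
unlink($secret);
```

Application code that parses untrusted XML should also avoid passing LIBXML_NOENT at all; disabling the loader is the global backstop the thread proposes, not a substitute for that.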