Newsgroups: php.internals
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Anthony Ferrara, Jake
Cc: internals@lists.php.net
Date: Thu, 30 Jul 2015 11:57:25 -0700
Message-ID: <55BA7395.2090202@gmail.com>
References: <55BA59A1.9020503@freepanel.net>

Hi!

> The problem here is that imagine the following:

I think if we separate loading the initial file (i.e., the starting point
of the XML parser) from loading the entities from that file (which is not
happening right now) we'd solve many BC problems. Not sure about SOAP, but
many others for sure.

> I know that you want it to work, but this is actually a great place to
> fail, because you're loading a trusted resource over HTTP. Meaning
> that an attacker could MITM and inject malicious XML into the response,
> and own your server without even needing to own the endpoint.

I feel like the XML parser is the wrong place to solve this problem;
transport security can be done with HTTPS, signatures, etc. Otherwise many
protocols that rely on XML, such as SAML, which is quite widely used, would
be completely useless.

--
Stas Malyshev
smalyshev@gmail.com
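The distinction Stas draws above, between loading the initial document and resolving the external entities that document declares, can be shown with PHP's own libxml bindings. The following is an added example written for this page; it is not code from the thread, from any participant, or from PHP itself. The secret file, the temp path and the sample XML are constructed for the demo, and the callback installed with libxml_set_external_entity_loader() is one way to refuse external resources while the initial document still parses normally.

```php
<?php
// Added example (not from the php.internals thread or from PHP's source).
// Shows an XXE read with the default entity loader, then the same parse with
// an entity loader that refuses every external resource the document names.
// The secret file and sample XML below are constructed for this demo.

declare(strict_types=1);

libxml_use_internal_errors(true);

// Stand-in for a file an attacker wants exfiltrated (constructed).
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "db_password=hunter2\n");

// The initial document. It declares an external entity pointing at that file.
// In the thread's scenario this document would have arrived over plain HTTP.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY leak SYSTEM "file://{$secretPath}">
]>
<doc><value>&leak;</value></doc>
XML;

// Parse the document and return the text of <value>.
function parseAndExtract(string $xml, int $options): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, $options);
    $node = $dom->getElementsByTagName('value')->item(0);
    return $node ? $node->textContent : '';
}

// 1. Vulnerable: LIBXML_NOENT asks libxml to substitute entities, and the
//    default entity loader reads the SYSTEM URL without complaint.
$leaked = parseAndExtract($xml, LIBXML_NOENT);
echo "default loader:   " . json_encode($leaked) . "\n";

// 2. Hardened: the initial document (already in memory) still parses, but a
//    custom loader refuses every external entity it declares. Returning null
//    tells libxml the entity could not be loaded; the parse continues with
//    the entity empty and an error is recorded for libxml_get_errors().
$refused = [];
libxml_set_external_entity_loader(
    static function ($publicId, $systemId, array $context) use (&$refused) {
        $refused[] = $systemId ?? $publicId ?? '(unknown)';
        return null;
    }
);

$safe = parseAndExtract($xml, LIBXML_NOENT);
echo "refusing loader:  " . json_encode($safe) . "\n";
echo "refused URIs:     " . implode(', ', $refused) . "\n";
foreach (libxml_get_errors() as $err) {
    echo "libxml error:     " . trim($err->message) . "\n";
}
libxml_clear_errors();

// 3. When no DTD processing is needed at all: do not pass LIBXML_NOENT, and
//    add LIBXML_NONET so the parser cannot fetch anything over the network.
libxml_set_external_entity_loader(null); // restore the default loader
$plain = parseAndExtract($xml, LIBXML_NONET);
echo "no NOENT + NONET: " . json_encode($plain) . "\n";

unlink($secretPath);
```

Run with `php xxe_demo.php`. Case 1 prints the secret, cases 2 and 3 print an empty string, and case 2 also lists the refused `file://` URI and the libxml error, which is the check to look for in logs when tightening an existing code path. The all-or-nothing switch available when the thread was written, `libxml_disable_entity_loader(true)`, is documented to also block loading the initial document from a path or URL (for example via `DOMDocument::load()` or `simplexml_load_file()`), which is the BC problem the message points at; a per-entity loader keeps those two cases apart.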