Newsgroups: php.internals
From: rowan.collins@gmail.com (Rowan Collins)
Date: Thu, 30 Jul 2015 22:46:59 +0100
CC: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default

On 30 July 2015 19:25:47 BST, Anthony Ferrara wrote:
> I thought SOAP was dead already.

Tell that to the "Enterprises" who drag and drop in Visual Studio to create useless wrappers around hand-written XML because that's their definition of "web service". :P

I don't fully understand where this vulnerability kicks in (other than which I don't think I've ever needed to consume) but any change in default behaviour needs to account for real-life usage, or it will simply become standard practice to switch it back to "insecure" mode.

Regards,
--
Rowan Collins
[IMSoP]