On Wed, Jul 29, 2015 at 4:37 PM, Anthony Ferrara <ircmax...@gmail.com> wrote:
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
>
> Anthony
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
Enormous +1 to this from me. This should definitely be off by default.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
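For readers who want to apply the mitigation Anthony quotes today rather than wait for a default change, here is an added example (not code from either poster or from php-src) of a parse helper that disables the external entity loader around the parse and additionally rejects any document that carries a DOCTYPE; the function name and the two sample documents are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML with external entity loading disabled.
 * Added example: helper name and inputs are constructed, not from the thread.
 *
 * @throws InvalidArgumentException on malformed XML or on any DOCTYPE.
 */
function parse_untrusted_xml(string $xml): DOMDocument
{
    // libxml_disable_entity_loader() is process-global and returns the previous
    // setting, so save it and restore it afterwards. It is deprecated from PHP 8.0,
    // where libxml >= 2.9 already leaves the loader disabled by default.
    $previous  = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $useErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing. Never pass
        // LIBXML_NOENT or LIBXML_DTDLOAD here: those are what expand entities.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? trim($err->message) : 'unknown error';
            throw new InvalidArgumentException('Malformed XML: ' . $msg);
        }
        // XXE payloads need a DTD to declare their entities; data from clients
        // has no legitimate reason to carry one, so reject it outright.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE not allowed in untrusted XML');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed inputs: one plain document, one with an external entity declaration.
$benign = '<?xml version="1.0"?><order><id>42</id></order>';
$hostile = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM '
         . '"file:///placeholder/constructed.txt">]><order>&ext;</order>';

echo parse_untrusted_xml($benign)->getElementsByTagName('id')->item(0)->textContent, "\n";
try {
    parse_untrusted_xml($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Whether libxml fails the parse when it cannot load the entity or parses the document with the reference left unexpanded, the DOCTYPE check rejects the second input either way.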