Hi,

> -----Original Message-----
> From: Pierre Joye [mailto:pierre....@gmail.com]
> Sent: Wednesday, July 29, 2015 11:01 PM
> To: Anthony Ferrara <ircmax...@gmail.com>
> Cc: PHP internals <internals@lists.php.net>
> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>
> On Jul 29, 2015 11:38 PM, "Anthony Ferrara" <ircmax...@gmail.com> wrote:
> >
> > All,
> >
> > I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> > RM's feedback).
> >
> > Currently, PHP by default is vulnerable to XXE attacks:
> > https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> >
> > To bypass this, you need to turn off external entity loading:
> >
> > libxml_disable_entity_loader(true);
> >
> > What I'm proposing is to disable entity loading by default. That way
> > it requires developers to opt-in to actually load external entities.
> >
> > Thoughts?
>
> I am for it, for 7.0 or 8.0.
>
> We discussed it during the last related flaw and decided not to do it for BC
> reasons (whatever it means in this case).
>
> This problem went off our radar, so yes, we should do it in 7.0. Changing
> defaults in minor versions always creates more trouble.

To note is that libxml 2.9.2 in the Windows builds already contains the patches mentioned in https://www.debian.org/security/2013/dsa-2652, see https://github.com/winlibs/libxml2/commit/727e357fb21b95d5c315518bdac99a70a6d15ff8 ... Most of the distributions should already have these patches. Probably we should check whether disabling it in PHP is unnecessary, but if it's not, of course 7.0 should be the target at least.
Regards

Anatol

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
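The thread's advice is a single call, `libxml_disable_entity_loader(true)`, but an application also has to keep that setting in force around the parse, avoid `LIBXML_NOENT`, and decide what to do with a document that carries a DOCTYPE at all. The helper below is an added example, not code from this thread or from PHP itself; `loadXmlSafely` and the two sample documents are constructed for illustration, and the `file:///placeholder/...` reference is a placeholder. It targets the PHP 7 line discussed here; on PHP 8 the `libxml_disable_entity_loader()` call is deprecated because libxml 2.9 and later already default to not loading external entities, so the example skips it there.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML with external entity loading turned off.
 *
 * Hypothetical helper (not part of PHP or of this thread). Returns the
 * parsed DOMDocument, or throws RuntimeException when the document fails
 * to parse or carries a DOCTYPE, which untrusted input has no reason to have.
 */
function loadXmlSafely(string $xml): DOMDocument
{
    // Stop libxml from fetching external entities (files, URLs) while parsing.
    // PHP 8 deprecates this call because libxml >= 2.9 already defaults to
    // not loading them, so only call it on the PHP 7 line the thread targets.
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    // Collect parse errors instead of emitting warnings.
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
        // deliberately NOT passed: it would substitute entity references.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? trim($err->message) : 'unknown error';
            throw new RuntimeException('XML parse error: ' . $msg);
        }
        // Reject any DTD outright: entity declarations only ever arrive via a DOCTYPE.
        if ($doc->doctype !== null) {
            throw new RuntimeException('DOCTYPE declarations are not accepted in untrusted XML');
        }
        return $doc;
    } finally {
        // Restore the caller's libxml settings whether or not parsing succeeded.
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs for demonstration.
$benign = '<?xml version="1.0"?><order><item sku="A-1" qty="2"/></order>';
$withDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-loaded.txt">]>'
    . '<order><note>&ext;</note></order>';

foreach (['benign' => $benign, 'with DTD' => $withDtd] as $label => $input) {
    try {
        $doc = loadXmlSafely($input);
        printf("%-8s accepted, root element <%s>\n", $label, $doc->documentElement->nodeName);
    } catch (RuntimeException $e) {
        printf("%-8s rejected: %s\n", $label, $e->getMessage());
    }
}
```

Restoring the previous loader and error-handling state in `finally` matters because `libxml_disable_entity_loader()` is process-global: leaving it flipped on or off changes the behaviour of every other XML parse in the same request, which is exactly the kind of silent default change the thread is weighing.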