Hello :-),

Huge +1 from the [Hoa] community. We have already disabled it by default for a long time. However, could it introduce potential regressions (BC breaks)? I guess yes. So I would go for PHP7.0 instead of PHP7.1.

Cheers!


[Hoa]: http://hoa-project.net/

On 29/07/15 22:37, Anthony Ferrara wrote:
All,

I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
RM's feedback).

Currently, PHP by default is vulnerable to XXE attacks:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

To bypass this, you need to turn off external entity loading:

libxml_disable_entity_loader(true);

What I'm proposing is to disable entity loading by default. That way
it requires developers to opt-in to actually load external entities.

Thoughts?

Anthony
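
The opt-in Anthony describes, written out as an added example that is not code from the thread: a small `SafeXml` helper (a hypothetical name) that parses untrusted XML with the entity loader disabled, refuses DOCTYPE declarations and network access, and restores the previous loader state afterwards; the two sample documents are constructed, and it assumes PHP 7 or later with the DOM extension.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original thread.
final class SafeXml
{
    /**
     * Parse untrusted XML without resolving external entities.
     * Throws on a DOCTYPE (the only place entities can be declared) and on parse errors.
     */
    public static function parse(string $xml): DOMDocument
    {
        // Untrusted documents never need a DTD, so reject it outright.
        if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
            throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
        }

        // Before PHP 8.0 the loader is on unless the application turns it off;
        // PHP 8.0 disables it by default and deprecates the function, so guard the call.
        $previousLoader = null;
        if (PHP_VERSION_ID < 80000) {
            $previousLoader = libxml_disable_entity_loader(true);
        }
        $previousErrors = libxml_use_internal_errors(true);

        try {
            $doc = new DOMDocument();
            // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately NOT
            // passed, so entity references are never substituted into the document.
            if ($doc->loadXML($xml, LIBXML_NONET) === false) {
                $err = libxml_get_last_error();
                throw new RuntimeException('XML parse error: ' . ($err ? trim($err->message) : 'unknown'));
            }
            return $doc;
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previousErrors);
            if ($previousLoader !== null) {
                libxml_disable_entity_loader($previousLoader);
            }
        }
    }
}

// Constructed inputs (not from the thread).
$benign  = '<config><host>db.internal</host></config>';
$hostile = '<!DOCTYPE d [<!ENTITY x SYSTEM "file:///example/placeholder.txt">]><d>&x;</d>';

echo SafeXml::parse($benign)->getElementsByTagName('host')->item(0)->textContent, "\n";

try {
    SafeXml::parse($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```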



--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
