Anatol Belski wrote: >> -----Original Message----- >> From: Pierre Joye [mailto:pierre....@gmail.com] >> Sent: Wednesday, July 29, 2015 11:01 PM >> To: Anthony Ferrara <ircmax...@gmail.com> >> Cc: PHP internals <internals@lists.php.net> >> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default >> >> On Jul 29, 2015 11:38 PM, "Anthony Ferrara" <ircmax...@gmail.com> wrote: >>> >>> All, >>> >>> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the >>> RM's feedback). >>> >>> Currently, PHP by default is vulnerable to XXE attacks: >>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing >>> >>> To bypass this, you need to turn off external entity loading: >>> >>> libxml_disable_entity_loader(true); >>> >>> What I'm proposing is to disable entity loading by default. That way >>> it requires developers to opt-in to actually load external entities. >>> >>> Thoughts? >> >> I am for it, for 7.0 or 8.0. >> >> We discussed it during the last related flaw and decided not to do it for BC >> reasons (whatever it means in this case). >> >> This problem went off our radar, so yes, we should do it in 7.0. Changing >> default >> in minor versions always create more troubles. >> > To note were that the libxml-2.9.2 in Windows builds already contains patches > mentioned in https://www.debian.org/security/2013/dsa-2652 , see > https://github.com/winlibs/libxml2/commit/727e357fb21b95d5c315518bdac99a70a6d15ff8 > ... Most of the distributions should already have these patches. Probably we > should check whether disabling it in PHP were unnecessary, but if it's not - > ofc 7.0 should be the target at least.
It seems to me that this patch addresses only part of the XXE problem. However, according to OWASP it would be sufficient to protect against XXE by not setting XML_PARSE_NOENT and XML_PARSE_DTDLOAD (checked as of libxml 2.9). AFAIK PHP does not set these options, unless requested by the user), whereas XML_PARSE_NOENT can also be set via DOMDocument::substituteEntities. Some note about the potential danger of these options/properties might be appropriate in the manual. -- Christoph M. Becker -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
