Hello

Disabling this will (at least for me) cause SOAP related stuff to stop working as it was expected to work before!

<?php
$wsdl = "https://www.some.tld/soap.php?wsdl";

// SoapServer is a class, so it must be instantiated with "new"
$soap = new SoapServer($wsdl, array(/* ... */));

wsdl:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:s="http://www.w3.org/2001/XMLSchema"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
                  xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
                  targetNamespace="http://www.some.tld/soap/muppet/user/1.0/">
    <wsdl:types>

        <s:schema targetNamespace="http://www.some.tld/soap/muppet/user/1.0/"
                  xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
                  elementFormDefault="qualified">

...

It fails with

error to read external entity, failed while parsing /external entity /'http://www.some.tld/muppet.php?wsdl'

..

I don't know if I get this error right, but to me it looks like PHP on the "www frontend" refuses to read WSDL/SOAP/XML from the "www backend" because of this... Pretty much the whole SOAP idea is gone then..?

/ Jake


On 2015-07-29 22:37, Anthony Ferrara wrote:
All,

I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
RM's feedback).

Currently, PHP by default is vulnerable to XXE attacks:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

To bypass this, you need to turn off external entity loading:

libxml_disable_entity_loader(true);

What I'm proposing is to disable entity loading by default. That way
it requires developers to opt-in to actually load external entities.

Thoughts?

Anthony
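The two messages above describe the tension between disabling the libxml entity loader (Anthony's proposal) and the SOAP extension's need to fetch a WSDL over HTTP (Jake's failure). The following is an added example, not code from the thread or from PHP itself, showing one way to have both: untrusted XML is parsed with the loader disabled and without `LIBXML_NOENT`, while WSDL loading goes through a `libxml_set_external_entity_loader()` resolver that only permits an allow-list of origins and refuses everything else (other hosts, `file://`, `php://`). The origin `https://www.some.tld`, the host `untrusted.example`, and the class and function names are assumptions made for illustration; the claim that the SOAP extension's WSDL fetch passes through the same libxml loader is the reason Jake's call fails, and is what lets the resolver cover it.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Hostnames and helper names are assumptions.

/**
 * Callable resolver for libxml_set_external_entity_loader(). Allow-listed https
 * URLs are returned as-is, which tells libxml to open that URI; any other
 * identifier is refused by returning null, which libxml reports as a load failure
 * (visible via libxml_get_errors() when internal errors are enabled).
 */
final class AllowListEntityLoader
{
    /** @var string[] identifiers that were refused, for logging or alerting */
    public array $refused = [];

    /** @param string[] $trustedOrigins e.g. ['https://www.some.tld'] (assumed) */
    public function __construct(private array $trustedOrigins) {}

    public function __invoke(?string $publicId, ?string $systemId, array $context): ?string
    {
        if ($systemId !== null) {
            foreach ($this->trustedOrigins as $origin) {
                if (strncmp($systemId, $origin . '/', strlen($origin) + 1) === 0) {
                    return $systemId;
                }
            }
        }
        $this->refused[] = $systemId ?? $publicId ?? '(none)';
        return null;
    }
}

/** Parse XML from an untrusted source with external entity loading fully off. */
function parseUntrustedXml(string $xml): ?DOMDocument
{
    $previous = libxml_disable_entity_loader(true);   // returns the prior setting
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // Deliberately no LIBXML_NOENT and no LIBXML_DTDLOAD: nothing external is expanded.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_disable_entity_loader($previous);
    return $ok ? $doc : null;
}

/**
 * Build a SoapClient while the allow-list resolver is installed, then restore the
 * default resolver so ordinary XML parsing stays locked down. The WSDL fetch done by
 * the SOAP extension goes through the libxml entity loader, so the resolver applies.
 */
function trustedSoapClient(AllowListEntityLoader $loader, string $wsdl, array $options = []): SoapClient
{
    libxml_set_external_entity_loader($loader);
    try {
        return new SoapClient($wsdl, $options);
    } finally {
        libxml_set_external_entity_loader(null);      // back to libxml's default loader
    }
}

// Demonstration with a constructed document whose external DTD lives on a host
// outside the allow-list. LIBXML_DTDLOAD asks libxml to fetch that DTD, and the
// resolver refuses it; the document itself still parses, the DTD is simply absent.
$loader = new AllowListEntityLoader(['https://www.some.tld']);
$sample = '<?xml version="1.0"?>' . "\n"
        . '<!DOCTYPE user SYSTEM "http://untrusted.example/user.dtd">' . "\n"
        . '<user><name>muppet</name></user>';

libxml_set_external_entity_loader($loader);
libxml_use_internal_errors(true);
$doc = new DOMDocument();
$doc->loadXML($sample, LIBXML_DTDLOAD);
libxml_set_external_entity_loader(null);

printf("refused identifiers: %s\n", implode(', ', $loader->refused));
printf("root element: %s\n", $doc->documentElement ? $doc->documentElement->tagName : '(none)');
foreach (libxml_get_errors() as $err) {
    printf("libxml: %s", $err->message);
}
libxml_clear_errors();

// Real use, assuming the WSDL of the thread is reachable (not executed here):
// $soap = trustedSoapClient($loader, 'https://www.some.tld/soap.php?wsdl');
```

The resolver is installed only for the duration of the SoapClient construction, so a request handler that also parses client-supplied XML through parseUntrustedXml() never has a loader that can reach the network. Note that on PHP 8.0 and later, built against libxml 2.9 or newer, libxml_disable_entity_loader() is deprecated because external entities are already not loaded unless LIBXML_NOENT is passed; the allow-list resolver keeps working unchanged there.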