On 30 July 2015 19:25:47 BST, Anthony Ferrara wrote:
> I thought SOAP was dead already.
Tell that to the "Enterprises" who drag and drop in Visual Studio to create
useless wrappers around hand-written XML because that's their definition of
"web service". :P
I don't fully understand where this
On 30 July 2015 21:35:01 BST, Rob Richards wrote:
>On 7/30/15 10:30 AM, Rowan Collins wrote:
>> Rob Richards wrote on 30/07/2015 14:12:
>>> If you are already working with a trusted document then you should
>>> safely be able to disable the entity loader. If you aren't then
>>> wouldn't you want
On 7/30/15 2:57 PM, Stanislav Malyshev wrote:
Hi!
The problem here is that imagine the following:
I think if we separate the loading the initial file (i.e., starting point
of the XML parser) and the loading the entities from that file (which is
not happening right now) we'd solve many BC proble
On 7/30/15 10:30 AM, Rowan Collins wrote:
Rob Richards wrote on 30/07/2015 14:12:
If you are already working with a trusted document then you should
safely be able to disable the entity loader. If you aren't then
wouldn't you want to do some sort of checking (especially if you don't
have an XML
Stas,
On Thu, Jul 30, 2015 at 2:57 PM, Stanislav Malyshev wrote:
> Hi!
>
>> The problem here is that imagine the following:
>
> I think if we separate the loading the initial file (i.e., starting point
> of the XML parser) and the loading the entities from that file (which is
> not happening right
Hi!
> The problem here is that imagine the following:
I think if we separate the loading the initial file (i.e., starting point
of the XML parser) and the loading the entities from that file (which is
not happening right now) we'd solve many BC problems. Not sure about
SOAP, but many others for su
Jake,
On Thu, Jul 30, 2015 at 1:06 PM, Jake wrote:
> Hello
>
> Disabling this will (at least for me) cause SOAP related stuff to stop
> working as it was expected to work before!
The problem here is that imagine the following:
http://example.com/evil1.dtd";>
and then evil1.dtd:
http://ex
Hello
Disabling this will (at least for me) cause SOAP related stuff to stop
working as it was expected to work before!
https://www.some.tld/soap.php?wsdl";;
$soap = SoapServer($wsdl, array());
wsdl:
http://schemas.xmlsoap.org/wsdl/http/";
xmlns:soap="http://schemas.xmlsoap.org/wsdl/so
Anatol Belski wrote:
>> -Original Message-
>> From: Pierre Joye [mailto:pierre@gmail.com]
>> Sent: Wednesday, July 29, 2015 11:01 PM
>> To: Anthony Ferrara
>> Cc: PHP internals
>> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By De
Rob Richards wrote on 30/07/2015 14:12:
If you are already working with a trusted document then you should
safely be able to disable the entity loader. If you aren't then
wouldn't you want to do some sort of checking (especially if you don't
have an XML gateway fronting the system) for other mal
On 7/29/15 6:01 PM, Stanislav Malyshev wrote:
Hi!
Currently, PHP by default is vulnerable to XXE attacks:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
To bypass this, you need to turn off external entity loading:
libxml_disable_entity_loader(true);
AFAIR right now, du
Hello :-),
Huge +1 from the [Hoa] community. We have already disabled it by default
since a long time. However, could it introduce potential regressions (BC
breaks)? I guess yes. So I would go for PHP7.0 instead of PHP7.1.
Cheers!
[Hoa]: http://hoa-project.net/
On 29/07/15 22:37, Anthony F
Hi!
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
AFAIR right now, due to how it is implemented, this bloc
Hi,
> -Original Message-
> From: Pierre Joye [mailto:pierre@gmail.com]
> Sent: Wednesday, July 29, 2015 11:01 PM
> To: Anthony Ferrara
> Cc: PHP internals
> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>
> On Jul 29, 2015 11
On Jul 29, 2015 11:38 PM, "Anthony Ferrara" wrote:
>
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass thi
On Wed, Jul 29, 2015 at 4:37 PM, Anthony Ferrara wrote:
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass
16 matches