Anthony Ferrara wrote:
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
A problem is reported as bug #62577. As it is now, when
libxml_disable_entity_loader(true) has been called, no XML file can be
loaded, i.e. simplexml_load_file(), DOMDocument::load() etc. always
fail, even if the XML doesn't contain any entities at all.
--
Christoph M. Becker
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
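Added example, not code from either poster: a defensive way to parse untrusted XML in PHP with the entity loader disabled, plus the workaround for the bug #62577 symptom Christoph describes (file-based loaders failing while the loader is off). The sample XML, the function names `parseUntrustedXml`/`parseUntrustedXmlFile` and the assumption that reading the file with `file_get_contents()` and calling `DOMDocument::loadXML()` sidesteps the failure are all mine; only `libxml_disable_entity_loader()` and the bug number come from the thread.

```php
<?php
// Constructed sample (not from the thread): a document that declares an
// external entity pointing at a local file. With the entity loader disabled,
// libxml never opens that file, so the reference stays unresolved.
$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><item>&xxe;</item></data>
XML;

function parseUntrustedXml(string $xml): DOMDocument
{
    // The loader flag is process-global, so save it and restore it afterwards
    // instead of leaving it switched off for unrelated code.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET additionally forbids network fetches during parsing.
        // Deliberately no LIBXML_NOENT: that flag asks libxml to substitute
        // entities, which is the opposite of what we want for untrusted input.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        if (!$ok) {
            $messages = array_map(function ($e) {
                return trim($e->message);
            }, libxml_get_errors());
            libxml_clear_errors();
            throw new RuntimeException('XML parse failed: ' . implode('; ', $messages));
        }
        libxml_clear_errors();
        return $doc;
    } finally {
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

function parseUntrustedXmlFile(string $path): DOMDocument
{
    // Assumption (my workaround for the bug #62577 symptom): while the loader
    // is disabled, DOMDocument::load($path) and simplexml_load_file() fail even
    // for entity-free files, so read the file with PHP's own I/O and hand the
    // string to loadXML() instead.
    $xml = file_get_contents($path);
    if ($xml === false) {
        throw new RuntimeException("cannot read $path");
    }
    return parseUntrustedXml($xml);
}

$doc = parseUntrustedXml($untrusted);
$item = $doc->getElementsByTagName('item')->item(0);
var_dump($item->textContent);
```

With the loader disabled, the `<item>` text content does not contain the bytes of `/etc/hostname`; any "failed to load external entity" diagnostics libxml raises are captured by `libxml_use_internal_errors(true)` rather than printed. Note that from PHP 8.0 onward external entity loading is disabled by default (the change this thread proposes) and `libxml_disable_entity_loader()` is deprecated, so on those versions the explicit call only triggers a deprecation notice.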