Quantcast
Channel: Serverphorums.com
Viewing all articles
Browse latest Browse all 23908

Re: [PHP-DEV] Disabling External Entities in libxml By Default

$
0
0
Hi!

> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);

AFAIR right now, due to how it is implemented, this blocks loading XML
content from files with something like XMLReader::open() - due to the
use of the same code path by both. It may have changes since last time I
looked, but it definitely was a major reason why default stayed that
way. What people did is something like that:

libxml_disable_entity_loader( false );
$reader->open( $filename );
libxml_disable_entity_loader( true );

I imagine we could do better. But we need to be careful - if we just set
it as disabled, we could break a lot of unsuspecting apps that do
nothing more that reading XML files.

--
Stas Malyshev
smalyshev@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Viewing all articles
Browse latest Browse all 23908

Trending Articles