Re: Disabling External Entities in libxml By Default
From: Ivan Enderlin
Date: Thu, 30 Jul 2015 05:59:56 +0000
Subject: Re: Disabling External Entities in libxml By Default
Groups: php.internals
Hello :-),

Huge +1 from the [Hoa] community. We have already disabled it by default for a long time. However, could it introduce potential regressions (BC breaks)? I guess yes. So I would go for PHP7.0 instead of PHP7.1.

Cheers!

[Hoa]: http://hoa-project.net/

On 29/07/15 22:37, Anthony Ferrara wrote:
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way it requires developers to opt-in to actually load external entities.
>
> Thoughts?
>
> Anthony
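The hardening Anthony's message asks every developer to opt into, written out as an added PHP example (not code from this thread or from PHP itself): untrusted XML is parsed with the external entity loader switched off, network access forbidden, and any DOCTYPE refused outright. The function name and the sample documents are constructed for the example; the guard on `PHP_VERSION_ID` reflects that `libxml_disable_entity_loader()` became unnecessary and deprecated in PHP 8.0.

```php
<?php
// Added example, not code from the php.internals thread: parse untrusted XML
// with external entity loading disabled regardless of the interpreter default.
declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // Untrusted input has no business declaring entities, so refuse any
    // DOCTYPE before libxml ever sees it.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed in untrusted XML');
    }

    // On PHP < 8.0 the loader is enabled by default: disable it for the
    // duration of the parse and restore the caller's setting afterwards.
    // On PHP >= 8.0 it is already off and the call is deprecated.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches during parsing; LIBXML_NOENT is
        // deliberately not set, so entity references are never substituted.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new RuntimeException('XML parse error: ' . ($err ? trim($err->message) : 'unknown'));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample input: a plain document parses, one carrying a DOCTYPE is refused.
$plain = '<?xml version="1.0"?><order><id>42</id></order>';
echo parseUntrustedXml($plain)->getElementsByTagName('id')->item(0)->textContent, PHP_EOL;

try {
    parseUntrustedXml('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x "y">]><order>&x;</order>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because `libxml_disable_entity_loader()` is process-global, the restore in `finally` matters: a library that silently turns it off for its own parse would otherwise change the behaviour of every later parser in the request.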