Re: Disabling External Entities in libxml By Default

From:	Christoph Becker	Date:	Thu, 30 Jul 2015 16:52:23 +0000
Subject:	Re: Disabling External Entities in libxml By Default
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Anatol Belski wrote:

>> -----Original Message-----
>> From: Pierre Joye [mailto:[email protected]]
>> Sent: Wednesday, July 29, 2015 11:01 PM
>> To: Anthony Ferrara <[email protected]>
>> Cc: PHP internals <[email protected]>
>> Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
>>
>> On Jul 29, 2015 11:38 PM, "Anthony Ferrara" <[email protected]> wrote:
>>>
>>> All,
>>>
>>> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
>>> RM's feedback).
>>>
>>> Currently, PHP by default is vulnerable to XXE attacks:
>>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>>
>>> To bypass this, you need to turn off external entity loading:
>>>
>>> libxml_disable_entity_loader(true);
>>>
>>> What I'm proposing is to disable entity loading by default. That way
>>> it requires developers to opt-in to actually load external entities.
>>>
>>> Thoughts?
>>
>> I am for it, for 7.0 or 8.0.
>>
>> We discussed it during the last related flaw and decided not to do it for BC
>> reasons (whatever it means in this case).
>>
>> This problem went off our radar, so yes, we should do it in 7.0. Changing default
>> in minor versions always create more troubles.
>>
> To note were that the libxml-2.9.2 in Windows builds already contains patches mentioned in https://www.debian.org/security/2013/dsa-2652
> , see https://github.com/winlibs/libxml2/commit/727e357fb21b95d5c315518bdac99a70a6d15ff8
> ... Most of the distributions should already have these patches. Probably we should check whether
> disabling it in PHP were unnecessary, but if it's not - ofc 7.0 should be the target at least.

It seems to me that this patch addresses only part of the XXE problem.
However, according to OWASP it would be sufficient to protect against
XXE by not setting XML_PARSE_NOENT and XML_PARSE_DTDLOAD (checked as of
libxml 2.9).  AFAIK PHP does not set these options, unless requested by
the user), whereas XML_PARSE_NOENT can also be set via
DOMDocument::substituteEntities.

Some note about the potential danger of these options/properties might
be appropriate in the manual.

-- 
Christoph M. Becker



   

Thread (18 messages)

• Anthony FerraraWed, 29 Jul 2015 20:37:52 +0000
  • Scott ArciszewskiWed, 29 Jul 2015 20:51:23 +0000
  • Pierre JoyeWed, 29 Jul 2015 21:00:43 +0000
    • Anatol BelskiWed, 29 Jul 2015 21:18:36 +0000RE: [PHP-DEV] Disabling External Entities in libxml By Default
      • Christoph BeckerThu, 30 Jul 2015 16:52:23 +0000Re: Disabling External Entities in libxml By Default
  • Christoph BeckerWed, 29 Jul 2015 22:00:43 +0000Re: Disabling External Entities in libxml By Default
  • Stanislav MalyshevWed, 29 Jul 2015 22:01:59 +0000
    • Rob RichardsThu, 30 Jul 2015 13:12:37 +0000
      • Rowan CollinsThu, 30 Jul 2015 14:30:07 +0000
        • Rob RichardsThu, 30 Jul 2015 20:35:01 +0000
          • Rowan CollinsThu, 30 Jul 2015 21:53:02 +0000
  • Ivan EnderlinThu, 30 Jul 2015 05:59:56 +0000
  • JakeThu, 30 Jul 2015 17:06:41 +0000
    • Anthony FerraraThu, 30 Jul 2015 18:25:47 +0000
      • Stanislav MalyshevThu, 30 Jul 2015 18:57:25 +0000
        • Anthony FerraraThu, 30 Jul 2015 19:32:42 +0000
        • Rob RichardsThu, 30 Jul 2015 20:55:06 +0000
      • Rowan CollinsThu, 30 Jul 2015 21:46:59 +0000