Re: Disabling External Entities in libxml By Default

From: Date: Thu, 30 Jul 2015 20:55:06 +0000
Subject: Re: Disabling External Entities in libxml By Default
Groups: php.internals
On 7/30/15 2:57 PM, Stanislav Malyshev wrote:
> Hi!
>
>> The problem here is that imagine the following:
>
> I think if we separate the loading of the initial file (i.e., the starting point of the XML parser) and the loading of the entities from that file (which is not happening right now) we'd solve many BC problems. Not sure about SOAP, but many others for sure.

It will solve many but your guess is as good as mine as to what the split will be. It all comes down to what people are doing with XML. I've had comments from both sides where people hate the way it's currently implemented and have suggested the idea of allowing the initial file, and then from others who like it as is. Regardless though, the current implementation should definitely not be enabled by default, but I could see something laxer like this. I still say it should be a different function and leave the current one as is.

>> I know that you want it to work, but this is actually a great place to fail, because you're loading a trusted resource over HTTP. Meaning that an attacker could MITM and inject malicious XML into the response, and own your server without even needing to own the endpoint.
>
> I feel like the XML parser is the wrong place to solve this problem; transport security can be done in HTTPS, signatures, etc. Otherwise many protocols that rely on XML - such as SAML, which is quite widely used - would be completely useless.

Rob