Conversation

@solracsf (Member) commented Oct 6, 2021

@kesselb (Collaborator) commented Oct 6, 2021

No. But we should also check for the libxml instead of the php version like sabre-io/xml#204.

@solracsf (Member, Author) commented Oct 6, 2021

@LukasReschke I found you've created #26801 some time ago about this too. Any input?

@solracsf solracsf requested a review from LukasReschke October 6, 2021 18:40
@CarlSchwan (Member) commented

> No. But we should also check for the libxml instead of the php version like sabre-io/xml#204.

Btw nextcloud/3rdparty#807 needs a review too :D

@CarlSchwan (Member) commented

> Long answer/description https://blog.sonarsource.com/wordpress-xxe-security-vulnerability

I just read the article, and the vulnerability in WordPress was not because they stopped calling libxml_disable_entity_loader in PHP 8 but because they added the LIBXML_NOENT flag. With LIBXML_NOENT and without libxml_disable_entity_loader, there is indeed an XXE vulnerability.

In Nextcloud's case, we don't use the LIBXML_NOENT flag, so we should be safe. In any case, @LukasReschke should probably confirm this :)
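The two points made in this thread, gating the entity-loader workaround on the libxml version rather than the PHP version, and never passing LIBXML_NOENT when parsing untrusted input, can be combined in one parsing helper. The following is an added example, not Nextcloud's code or anything from the linked PRs; the function name `parseXmlSafely`, the DOCTYPE rejection as an extra hardening step, and the sample document are my own assumptions. The constants and functions it uses (LIBXML_VERSION, LIBXML_NONET, libxml_disable_entity_loader, libxml_use_internal_errors, DOMDocument) are standard PHP.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML without entity substitution.
 * Added example (not Nextcloud code); function name is an assumption.
 */
function parseXmlSafely(string $xml): DOMDocument
{
    // Gate on the libxml version, not PHP_VERSION_ID: libxml < 2.9.0 resolves
    // external entities unless the loader is explicitly disabled. 20900 is
    // libxml 2.9.0 in LIBXML_VERSION's integer encoding. The call is
    // deprecated since PHP 8.0 but is only reached on such old libxml builds.
    if (LIBXML_VERSION < 20900) {
        @libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();

    // LIBXML_NONET forbids network access during parsing.
    // LIBXML_NOENT is deliberately NOT passed: that flag turns on entity
    // substitution, which is the combination the thread identifies as unsafe.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        throw new InvalidArgumentException('Malformed XML');
    }

    // Defence in depth (assumption: the formats this code expects never carry
    // a DTD): reject any document that declares one, and with it any entity.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }

    return $dom;
}

// Constructed sample inputs for illustration.
$plain = '<?xml version="1.0"?><config><name>demo</name></config>';
$withDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE config [<!ENTITY ext SYSTEM "http://example.invalid/placeholder">]>'
    . '<config><name>&ext;</name></config>';

$dom = parseXmlSafely($plain);
echo 'plain document: name=' . $dom->getElementsByTagName('name')->item(0)->textContent . PHP_EOL;

try {
    parseXmlSafely($withDtd);
} catch (InvalidArgumentException $e) {
    // Even before this rejection, the entity was never substituted because
    // LIBXML_NOENT was not set; the DOCTYPE check simply makes the policy explicit.
    echo 'document with DTD rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The second input is rejected outright; had it been accepted, the `&ext;` reference would still have stayed an unexpanded entity reference node rather than the contents of the referenced URI, because substitution is only enabled by LIBXML_NOENT. Checking LIBXML_VERSION rather than PHP_VERSION_ID keeps a PHP 7 install with an old libxml protected and avoids relying on a deprecated call where the library already disables external loading by default.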

@solracsf solracsf closed this Dec 30, 2021
@solracsf solracsf deleted the patch-potential-xxe branch December 30, 2021 21:34