Deprecation of libxml_disable_entity_loader() should warn about constants which will override the new default behaviour #1408
Comments
|
From a quick test, the following constants cause the dtd to be loaded:
I believe (and testing confirms) that the following are safe unless
The following is not safe:
This is further backed up by the libxml2 source at https://gitlab.gnome.org/GNOME/libxml2/-/blob/9edc20c154234ede9cde4002367a7239bde680ce/parser.c#L2768-2772 Testing with the following excerpt demonstrates this: (example exploit courtesy of https://gist.github.com/staaldraad/01415b990939494879b4) With the previous behaviour, simply specifying |
andrewnicols
changed the title
|
It's also worth noting that removing the call to This is because the entity was hosted at http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd which seems to hang on certain user agents (https://www.w3.org/blog/2008/02/w3c_s_excessive_dtd_traffic/ seems relevant). |
This commit adds warning that the `LIBXML_DTD_VALID` constant is also susceptible to XXE exploit, and that the use of `LIBXML_DTDATTR` or `LIBXML_DTDLOAD` constants will cause external entity fetching. Also adds a note to the deprecated libxml_disable_entity_loader function to note that LIBXML_NONET will prevent loading of external entities. Prior to deprecation of the `libxml_disable_entity_loader` function, the use of this function prevented both XXE via DTD parsing, and fetching of external entities as specified by any of the above constants. Fixes phpGH-1408.
…warn about constants which will override the new default behaviour Based on stale PR phpGH-1409. Closes phpGH-1409. Closes phpGH-1408. Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
…warn about constants which will override the new default behaviour Based on stale PR phpGH-1409. Closes phpGH-1409. Closes phpGH-1408. Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
From manual page: https://php.net/function.libxml-disable-entity-loader
libxml_disable_entity_loader() was deprecated in php/php-src@e0fa48f with the note:
The documentation for
libxml_disable_entity_loaderalso notes:However, there is no mention of the many ways it can be enabled, or how to make it safe where it has been enabled.
Previously you could call code such as:
The presence of either the
DTDLOADorDTDATTRconstants would normally cause the entity to be fetched, but the presence oflibxml_disable_entity_loaderoverrdies and prevents this.Now, after removing the deprecated call, the entity is fetched.
Whilst the honus is on the developer to understand the change to libxml, the attack vector of an XXE is not sufficiently clear and could be significantly improved in this documentation. The list of libxml constants does not adequately explain the risk of fetching the DTD, or explain that the behaviour of these flags has changed with the deprecation and removal of
libxml_disable_entity_loader.I would recommend that:
libxml_disable_entity_loaderdocs be updated to note that presence of the relevantLIBXML_flags will override the default behaviour to not load the entity with advice on how to mitigate this; andThe text was updated successfully, but these errors were encountered: