
Commit fa643ce

author
Dik Takken
committed
Bump libxml version requirement 2.7.6 => 2.9.0
Since libxml version 2.9.0 external entity loading is disabled by default. Bumping the version requirement means that XML processing in PHP is no longer vulnerable to XXE processing attacks by default.
1 parent c169819 commit fa643ce


2 files changed

+54
-1
lines changed


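--- a/build/php.m4
+++ b/build/php.m4
@@ -2010,7 +2010,7 @@ dnl
 dnl Common setup macro for libxml.
 dnl
 AC_DEFUN([PHP_SETUP_LIBXML], [
-PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.7.6])
+PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.9.0])
 
 PHP_EVAL_INCLINE($LIBXML_CFLAGS)
 PHP_EVAL_LIBLINE($LIBXML_LIBS, $1)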
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
--TEST--
2+
libxml_disable_entity_loader()
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded('libxml')) die('skip libxml extension not available');
6+
if (!extension_loaded('dom')) die('skip dom extension not available');
7+
--FILE--
8+
<?php
9+
10+
$xml = <<<EOT
11+
<?xml version="1.0" encoding="UTF-8"?>
12+
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
13+
<foo>&xxe;</foo>
14+
EOT;
15+
16+
$dir = str_replace('\\', '/', __DIR__);
17+
$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
18+
19+
function parseXML1($xml) {
20+
$doc = new DOMDocument();
21+
$doc->loadXML($xml, 0);
22+
return $doc->saveXML();
23+
}
24+
25+
function parseXML2($xml) {
26+
return simplexml_load_string($xml);
27+
}
28+
29+
function parseXML3($xml) {
30+
$p = xml_parser_create();
31+
xml_parse_into_struct($p, $xml, $vals, $index);
32+
xml_parser_free($p);
33+
return var_export($vals, true);
34+
}
35+
36+
function parseXML4($xml) {
37+
// This is the only time we enable external entity loading.
38+
return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
39+
}
40+
41+
var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
42+
var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
43+
var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
44+
var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);
45+
46+
echo "Done\n";
47+
?>
48+
--EXPECTF--
49+
bool(true)
50+
bool(true)
51+
bool(true)
52+
bool(false)
53+
Done
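Review bot: The `--TEST--` title names `libxml_disable_entity_loader()`, but nothing in the script calls that function; what the four cases actually pin down is the libxml >= 2.9.0 default of not resolving the external entity unless the caller opts in, with parseXML4 under `LIBXML_NOENT` being the only positive case (as its own comment says). Retitle it to match what is exercised, e.g. `--TEST--` / `External entities are not loaded by default (libxml >= 2.9.0)`, so the name does not suggest the global toggle is under test. The payload file `libxml_disable_entity_loader_payload.txt` referenced on the `str_replace('XXE_URI', ...)` line is not part of this two-file commit, so it presumably already exists beside the test; if it were missing, the first three `bool(true)` checks would pass vacuously, although the `bool(false)` expected from parseXML4 would then fail and expose that. As far as I recall, `LIBXML_DTDLOAD` and `LIBXML_DTDVALID` can also re-enable fetching of external resources on libxml 2.9, so either a fifth case covering one of those or a comment stating that only the NOENT opt-in is covered would make the scope of the guarantee explicit.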
