Sec Bug #80235 libxml_disable_entity_loader deprecated but XSD external references possible
Submitted: 2020-10-14 11:52 UTC Modified: 2020-10-19 06:51 UTC
From: fabian dot badoi at gmail dot com Assigned: beberlei (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.0.0rc1 OS:
Private report: No CVE-ID: None
 [2020-10-14 11:52 UTC] fabian dot badoi at gmail dot com
Description:
------------
This patch deprecated the libxml_disable_entity_loader function: https://github.com/php/php-src/pull/5867. However, XXE attacks are still possible if it is not called.


Running this command will demonstrate the problem:
docker run -ti --rm -v $(pwd):/tmp/test php:8.0-rc-cli-alpine php /tmp/test/test.php

Where test.php is the script provided here.

Test script:
---------------
<?php

// Deliberately left commented out: the report shows the import is fetched without it.
//libxml_disable_entity_loader();
$doc = new DOMDocument();

$doc->schemaValidateSource(<<<XSD
<?xml version="1.0" encoding="utf-8" ?>
<xsd:schema xmlns="http://symfony.com/schema"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://symfony.com/schema"
    elementFormDefault="qualified">

    <xsd:import namespace="http://www.w3.org/XML/1998/namespace"/>
    <xsd:import namespace="http://symfony.com/schema/dic/services" schemaLocation="https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749" />

</xsd:schema>
XSD
);


Expected result:
----------------
You should see this warning:
Warning: DOMDocument::schemaValidateSource(): Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location 'https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749'. Skipping the import. in /tmp/test/test.php on line 7

And PHP should NOT try to load the resource

Actual result:
--------------
You see this warning:
Warning: DOMDocument::schemaValidateSource(): Element '{http://www.w3.org/2001/XMLSchema}import': Failed to parse the XML resource 'https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749'. in /tmp/test/test.php on line 7


And PHP tries to make an HTTP request
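As an added example (not part of the bug report or of PHP's own code), this is how a PHP 8 application can keep schemaValidateSource() from fetching remote imports without the deprecated function: libxml_set_external_entity_loader() installs a callback that only serves schemas from a local allow-listed directory. The directory name, the sample document and the schema with its remote schemaLocation are all constructed for the example; a POSIX file system is assumed.

```php
<?php
// Added example: restrict what libxml may load during XSD validation on PHP >= 8.0.
// Assumption: the only schemas that may be loaded live under $allowedDir (hypothetical).
$allowedDir = realpath(__DIR__) . DIRECTORY_SEPARATOR . 'schemas';

libxml_set_external_entity_loader(
    function (?string $publicId, string $systemId, array $context) use ($allowedDir): ?string {
        // Reject any URL scheme (http://, https://, php://, ...) except file://.
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $systemId) && !str_starts_with($systemId, 'file://')) {
            return null; // null tells libxml the load failed; no request is made
        }
        $path = realpath(preg_replace('#^file://#', '', $systemId));
        // Serve only files that resolve inside the allow-listed directory.
        if ($path === false || !str_starts_with($path, $allowedDir . DIRECTORY_SEPARATOR)) {
            return null;
        }
        return $path;
    }
);

libxml_use_internal_errors(true); // collect libxml warnings instead of printing them

$doc = new DOMDocument();
$doc->loadXML('<root xmlns="http://example.invalid/ns"/>'); // constructed sample document

// Constructed schema whose import points at a remote location; with the loader
// above the import fails locally instead of triggering an HTTP fetch.
$xsd = <<<'XSD'
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            targetNamespace="http://example.invalid/ns"
            elementFormDefault="qualified">
  <xsd:import namespace="http://example.invalid/other"
              schemaLocation="https://example.invalid/remote.xsd"/>
  <xsd:element name="root"/>
</xsd:schema>
XSD;

$valid = $doc->schemaValidateSource($xsd);

foreach (libxml_get_errors() as $error) {
    // The blocked import surfaces here as a libxml warning rather than as network traffic.
    echo trim($error->message), PHP_EOL;
}
libxml_clear_errors();
echo $valid ? "document valid against schema\n" : "document not valid against schema\n";
```

The same loader also governs DTD and external entity loads, so one callback covers both the XXE case and the schema import case the report describes.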

 [2020-10-14 17:21 UTC] stas@php.net
Which libxml version are you using?
 [2020-10-14 17:24 UTC] stas@php.net
-Assigned To: +Assigned To: beberlei
 [2020-10-14 17:45 UTC] fabian dot badoi at gmail dot com
I'm using 2.9.10.

php > var_dump(LIBXML_VERSION);
int(20910)

I guess libxml2 changed the defaults for loading external entities via <!ENTITY declarations, but not schemas.
 [2020-10-14 21:31 UTC] cmb@php.net
I'm not aware that doing XSD validation could pose an attack vector.
 [2020-10-15 06:42 UTC] fabian dot badoi at gmail dot com
You're right, I searched too and can't find anything.

I got overzealous because calling libxml_disable_entity_loader() also disabled XSD imports, this was a change we noticed.

I think it's safe to close this. Sorry for the trouble.
 [2020-10-19 06:51 UTC] fabian dot badoi at gmail dot com
-Status: Assigned +Status: Closed
 [2020-10-19 06:51 UTC] fabian dot badoi at gmail dot com
Closing as it's not an actual problem.
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 15:01:27 2025 UTC