php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #80235 libxml_disable_entity_loader deprecated but XSD external references possilbe
Submitted: 2020-10-14 11:52 UTC Modified: 2020-10-19 06:51 UTC
From: fabian dot badoi at gmail dot com Assigned: beberlei (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.0.0rc1 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fabian dot badoi at gmail dot com
New email:
PHP Version: OS:

 

 [2020-10-14 11:52 UTC] fabian dot badoi at gmail dot com
Description:
------------
This patch deprecated the libxml_disable_entity_loader function: https://github.com/php/php-src/pull/5867. However, XXE attacks are still possible if not calling it.


Running this command will demonstrate the problem:
docker run -ti --rm -v $(pwd):/tmp/test php:8.0-rc-cli-alpine php /tmp/test/test.php

Where test.php is the script provided here.

Test script:
---------------
<?php

//libxml_disable_entity_loader();
$doc = new DOMDocument();

$doc->schemaValidateSource(<<<XSD
<?xml version="1.0" encoding="utf-8" ?>
<xsd:schema xmlns="http://symfony.com/schema"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://symfony.com/schema"
    elementFormDefault="qualified">

    <xsd:import namespace="http://www.w3.org/XML/1998/namespace"/>
  <xsd:import namespace="http://symfony.com/schema/dic/services" schemaLocation="https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749" />

</xsd:schema>
XSD
);


Expected result:
----------------
You should see this warning:
Warning: DOMDocument::schemaValidateSource(): Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location 'https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749'. Skipping the import. in /tmp/test/test.php on line 7

And PHP should NOT try to load the resource

Actual result:
--------------
You see this warning:
Warning: DOMDocument::schemaValidateSource(): Element '{http://www.w3.org/2001/XMLSchema}import': Failed to parse the XML resource 'https://webhook.site/203bf182-524d-4133-ad37-7865ecde5749'. in /tmp/test/test.php on line 7


And PHP tries to make a HTTP request

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-14 17:21 UTC] stas@php.net
Which libxml version are you using?
 [2020-10-14 17:24 UTC] stas@php.net
-Assigned To: +Assigned To: beberlei
 [2020-10-14 17:45 UTC] fabian dot badoi at gmail dot com
I'm using 2.9.10.

php > var_dump(LIBXML_VERSION);
int(20910)

I guess libxml2 changed the defaults for loading external entities via <!ENTITY declarations, but not schemas.
 [2020-10-14 21:31 UTC] cmb@php.net
I'm not aware that doing XSD validation could pose an attack
vector.
 [2020-10-15 06:42 UTC] fabian dot badoi at gmail dot com
You're right, I searched too and can't find anything.

I got overzealous because calling libxml_disable_entity_loader() also disabled XSD imports, this was a change we noticed.

I think it's safe to close this. Sorry for the trouble.
 [2020-10-19 06:51 UTC] fabian dot badoi at gmail dot com
-Status: Assigned +Status: Closed
 [2020-10-19 06:51 UTC] fabian dot badoi at gmail dot com
Closing as it's not an actual problem.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 15:01:29 2024 UTC