
Update libxml2 docs relating to entity validation #1409


Closed

Conversation

andrewnicols
Contributor

This commit adds a warning that the LIBXML_DTD_VALID constant is also
susceptible to XXE exploit, and that the use of the LIBXML_DTDATTR or
LIBXML_DTDLOAD constants will cause external entity fetching.

Also adds a note to the deprecated libxml_disable_entity_loader function
to note that LIBXML_NONET will prevent loading of external entities.

Prior to deprecation of the libxml_disable_entity_loader function, the
use of this function prevented both XXE via DTD parsing, and fetching of
external entities as specified by any of the above constants.

Fixes GH-1408.

This commit adds a warning that the `LIBXML_DTD_VALID` constant is also
susceptible to XXE exploit, and that the use of the `LIBXML_DTDATTR` or
`LIBXML_DTDLOAD` constants will cause external entity fetching.

Also adds a note to the deprecated libxml_disable_entity_loader function
to note that LIBXML_NONET will prevent loading of external entities.

Prior to deprecation of the `libxml_disable_entity_loader` function, the
use of this function prevented both XXE via DTD parsing, and fetching of
external entities as specified by any of the above constants.

Fixes phpGH-1408.
@afilina afilina requested review from Girgias and cmb69 August 2, 2023 17:18
@Girgias Girgias requested review from nielsdos and removed request for cmb69 August 2, 2023 17:40
Member

@nielsdos nielsdos left a comment


This is a nice improvement, thanks.
It is almost right; right now you say in multiple places that LIBXML_NONET prevents external entity loading, but it only prevents external entity loading over the network, so the current wording is a bit misleading.
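The constants discussed in the PR description and the LIBXML_NONET caveat raised in the review above, turned into a defensive loader. This is an added example, not code from this PR or from the php/doc-en project; the helper names `assertSafeLibxmlFlags` and `loadUntrustedXml` and the sample XML are assumptions of the example.

```php
<?php
// Added example (not part of the PR): refuse parser flags that re-enable
// external DTD/entity fetching, and make the entity loader reject every
// external resource. LIBXML_NONET alone only blocks network fetches, so a
// file:// system identifier would still be reachable without the loader.

// Flags that cause libxml to fetch an external DTD or external entities.
const UNSAFE_LIBXML_FLAGS = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_DTD_VALID | LIBXML_NOENT;

function assertSafeLibxmlFlags(int $flags): void
{
    $bad = $flags & UNSAFE_LIBXML_FLAGS;
    if ($bad !== 0) {
        throw new InvalidArgumentException(
            sprintf('libxml flags 0x%x enable external DTD/entity loading', $bad)
        );
    }
}

function loadUntrustedXml(string $xml, int $flags = 0): DOMDocument
{
    assertSafeLibxmlFlags($flags);
    // Refuse every external resource (network and local) for this parse.
    libxml_set_external_entity_loader(static fn ($public, $system, $context) => null);
    libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, $flags | LIBXML_NONET)) {
            $msg = implode('; ', array_map(fn ($e) => trim($e->message), libxml_get_errors()));
            libxml_clear_errors();
            throw new RuntimeException('XML parse failed: ' . $msg);
        }
        return $doc;
    } finally {
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

// Constructed sample: a DOCTYPE declaring an external entity that the
// document body references. Without LIBXML_NOENT the reference is kept as
// an entity-reference node and nothing is fetched.
$sample = '<?xml version="1.0"?>'
    . '<!DOCTYPE r [<!ENTITY ext SYSTEM "http://entity.invalid/placeholder">]>'
    . '<r>&ext;</r>';

$doc = loadUntrustedXml($sample);
$child = $doc->documentElement->firstChild;
echo $child->nodeType === XML_ENTITY_REF_NODE ? "entity left unexpanded\n" : "unexpected\n";

try {
    loadUntrustedXml($sample, LIBXML_DTDLOAD | LIBXML_NOENT);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```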

@Girgias Girgias removed their request for review November 10, 2023 03:39
nielsdos added a commit to nielsdos/doc-en that referenced this pull request Nov 11, 2024
…warn about constants which will override the new default behaviour

Based on stale PR phpGH-1409.
Closes phpGH-1409.
Closes phpGH-1408.

Co-authored-by: Andrew Nicols <[email protected]>
@Girgias Girgias closed this in eae558e Nov 11, 2024
Successfully merging this pull request may close these issues.

Deprecation of libxml_disable_entity_loader() should warn about constants which will override the new default behaviour
4 participants