
Disable XML entity loader by default in libphutil

Authored by epriestley <git@epriestley.com> on Jan 23 2014, 23:00.

Description

Disable XML entity loader by default in libphutil

Summary:
See https://www.facebook.com/BugBounty/posts/778897822124446 and http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan: There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8049
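The hardening this commit describes, written out as an added PHP example that is not libphutil's own code: untrusted XML is parsed with the external entity loader switched off for the duration of the parse, DOCTYPE declarations are rejected up front, and the previous loader state is restored afterwards. The two sample documents and the placeholder file path are constructed for the example.

```php
<?php
// Added example (not libphutil's code): parse untrusted XML with external
// entity loading disabled, which is what this commit makes the default.

function parse_untrusted_xml(string $xml): SimpleXMLElement {
  // Untrusted input has no business declaring entities at all, so refuse
  // any DOCTYPE before libxml ever sees the declaration.
  if (preg_match('/<!DOCTYPE/i', $xml)) {
    throw new InvalidArgumentException(
      'DOCTYPE declarations are not allowed in untrusted XML');
  }

  // Turn the entity loader off for this parse and remember the old state.
  // PHP 8.0 deprecates this call because loading is already off by default.
  $previous = null;
  if (PHP_VERSION_ID < 80000) {
    $previous = libxml_disable_entity_loader(true);
  }
  $use_errors = libxml_use_internal_errors(true);

  try {
    // LIBXML_NONET forbids network access while parsing. Never pass
    // LIBXML_NOENT here: that would re-enable entity substitution.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
      $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
      throw new RuntimeException('Malformed XML: ' . implode('; ', $messages));
    }
    return $doc;
  } finally {
    libxml_clear_errors();
    libxml_use_internal_errors($use_errors);
    if ($previous !== null) {
      libxml_disable_entity_loader($previous);
    }
  }
}

// Constructed sample inputs: a benign document and one carrying an
// external entity that points at a placeholder path.
$benign = '<?xml version="1.0"?><config><name>demo</name></config>';
$doctype = '<?xml version="1.0"?>'
  . '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///tmp/constructed-example.txt">]>'
  . '<x>&e;</x>';

echo (string) parse_untrusted_xml($benign)->name, "\n";
try {
  parse_untrusted_xml($doctype);
} catch (InvalidArgumentException $e) {
  echo 'Rejected: ', $e->getMessage(), "\n";
}
```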

Details

Committed: epriestley <git@epriestley.com>, Jan 23 2014, 23:00
Pushed: aubort, Mar 17 2017, 12:03
Parents: rPHU86d651f9c929: Mostly align parser to PHP 5.5.8
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHU7316de8f8ff7: Disable XML entity loader by default in libphutil (authored by epriestley <git@epriestley.com>). Jan 23 2014, 23:00