-rw-r--r--UPGRADING5
-rw-r--r--build/php.m42
-rw-r--r--ext/libxml/tests/bug54138_1.phpt24
-rw-r--r--ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt53
4 files changed, 59 insertions, 25 deletions
diff --git a/UPGRADING b/UPGRADING
index 36022bbd48..d08dcb5df4 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -984,6 +984,11 @@ PHP 8.0 UPGRADE NOTES
- PDO:
. PDOStatement now implements IteratorAggregate (instead of Traversable).
+- LibXML:
+ . The minimum required libxml version is now 2.9.0. This means that external
+ entity loading is now guaranteed to be disabled by default, and no extra
+ steps need to be taken to protect against XXE attacks.
+
- MySQLi / PDO MySQL:
. When mysqlnd is not used (which is the default and recommended option),
the minimum supported libmysqlclient version is now 5.1.
diff --git a/build/php.m4 b/build/php.m4
index bdc02573ac..1059d7f2f4 100644
--- a/build/php.m4
+++ b/build/php.m4
@@ -2010,7 +2010,7 @@ dnl
dnl Common setup macro for libxml.
dnl
AC_DEFUN([PHP_SETUP_LIBXML], [
- PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.7.6])
+ PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.9.0])
PHP_EVAL_INCLINE($LIBXML_CFLAGS)
PHP_EVAL_LIBLINE($LIBXML_LIBS, $1)
diff --git a/ext/libxml/tests/bug54138_1.phpt b/ext/libxml/tests/bug54138_1.phpt
deleted file mode 100644
index f0a8a04698..0000000000
--- a/ext/libxml/tests/bug54138_1.phpt
+++ /dev/null
@@ -1,24 +0,0 @@
---TEST--
-Bug #54138 - DOMNode::getLineNo() doesn't return line number higher than 65535
---SKIPIF--
-<?php
-if (!extension_loaded('dom')) die('skip dom extension not available');
-if (LIBXML_VERSION >= 20900) die('skip this test is for libxml < 2.9.0 only');
-?>
---FILE--
-<?php
-define('LIBXML_BIGLINES', 1<<22);
-$foos = str_repeat('<foo/>' . PHP_EOL, 65535);
-$xml = <<<XML
-<?xml version="1.0" encoding="UTF-8"?>
-<root>
-$foos
-<bar/>
-</root>
-XML;
-$dom = new DOMDocument();
-$dom->loadXML($xml, LIBXML_BIGLINES);
-var_dump($dom->getElementsByTagName('bar')->item(0)->getLineNo());
-?>
---EXPECT--
-int(65535)
diff --git a/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt b/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt
new file mode 100644
index 0000000000..9540f34969
--- /dev/null
+++ b/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt
@@ -0,0 +1,53 @@
+--TEST--
+libxml_disable_entity_loader()
+--SKIPIF--
+<?php
+if (!extension_loaded('libxml')) die('skip libxml extension not available');
+if (!extension_loaded('dom')) die('skip dom extension not available');
+--FILE--
+<?php
+
+$xml = <<<EOT
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
+<foo>&xxe;</foo>
+EOT;
+
+$dir = str_replace('\\', '/', __DIR__);
+$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
+
+function parseXML1($xml) {
+ $doc = new DOMDocument();
+ $doc->loadXML($xml, 0);
+ return $doc->saveXML();
+}
+
+function parseXML2($xml) {
+ return simplexml_load_string($xml);
+}
+
+function parseXML3($xml) {
+ $p = xml_parser_create();
+ xml_parse_into_struct($p, $xml, $vals, $index);
+ xml_parser_free($p);
+ return var_export($vals, true);
+}
+
+function parseXML4($xml) {
+ // This is the only time we enable external entity loading.
+ return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
+}
+
+var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
+var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
+var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
+var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);
+
+echo "Done\n";
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+bool(true)
+bool(false)
+Done
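Review bot: The three `bool(true)` checks for `parseXML1`–`parseXML3` pass whenever the output lacks `SECRET_DATA`, which includes the case where parsing fails outright and `saveXML()`/`simplexml_load_string()` return `false` (coerced to an empty string by `strpos`), so a regression that merely breaks parsing is indistinguishable from entity loading being disabled. Each positive case should also assert that the document parsed, e.g. `$out = parseXML1($xml); var_dump($out !== false && $out !== '' && strpos($out, 'SECRET_DATA') === false);`, or check that the unresolved reference `&xxe;` survives in the `saveXML()` output. The `--TEST--` title `libxml_disable_entity_loader()` names a function this test never calls; `libxml external entity loading is disabled by default` matches the filename and the UPGRADING note. `--EXPECTF--` carries no format placeholders, so `--EXPECT--` would do. The expected `bool(false)` for `parseXML4` presumably relies on `libxml_disable_entity_loader_payload.txt` already existing beside this test, since the commit does not add it.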