Disable XML entity loader by default in libphutil
ClosedPublic
Actions

Authored by epriestley on Jan 23 2014, 9:32 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Wed, May 28, 7:14 PM

	Unknown Object (File)
	Sun, May 25, 9:32 PM

	Unknown Object (File)
	Sat, May 24, 3:16 PM

	Unknown Object (File)
	Tue, May 20, 4:44 PM

	Unknown Object (File)
	Mon, May 19, 2:11 PM

	Unknown Object (File)
	Apr 26 2025, 9:50 AM

	Unknown Object (File)
	Apr 20 2025, 9:16 AM

	Unknown Object (File)
	Apr 20 2025, 8:01 AM

View All Files

Subscribers

aran

Details

Reviewers

btrahan

Commits

rPHU7316de8f8ff7: Disable XML entity loader by default in libphutil

Summary

See https://www.facebook.com/BugBounty/posts/778897822124446 and http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan

There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

Wow.... That's quite the bug.

Closed by commit rPHU7316de8f8ff7 (authored by @epriestley).

epriestley mentioned this in D21497: Suppress PHP 8 deprecation warning in __arcanist_init_script__.Jan 10 2021, 10:08 PM

Revision Contents
Changeset List

Path

Size

scripts/

__init_script__.php

5 lines

Diff 18207

View Options

scripts/__init_script__.php

Disable XML entity loader by default in libphutilClosedPublicActions