Disable XML entity loader by default in libphutil
ClosedPublic
Actions

Authored by epriestley on Jan 23 2014, 9:32 PM.

Tags

None

Referenced Files

	F19894479: D8049.diff
	Sat, Mar 28, 3:00 PM

	F19887188: D8049.id18207.diff
	Mon, Mar 23, 12:09 AM

	F19886812: D8049.id.diff
	Sun, Mar 22, 8:40 PM

	F19817209: D8049.diff
	Thu, Mar 5, 11:36 AM

	F19805416: D8049.id18207.diff
	Mon, Mar 2, 10:49 PM

	F19804975: D8049.id18207.diff
	Mon, Mar 2, 5:16 PM

	F19779924: D8049.diff
	Feb 23 2026, 6:00 PM

	F19531857: D8049.id18207.diff
	Jan 20 2026, 7:32 AM

View All Files

Subscribers

aran

Details

Reviewers

btrahan

Commits

rPHU7316de8f8ff7: Disable XML entity loader by default in libphutil

Summary

See https://www.facebook.com/BugBounty/posts/778897822124446 and http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan

There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

Wow.... That's quite the bug.

Closed by commit rPHU7316de8f8ff7 (authored by @epriestley).

epriestley mentioned this in D21497: Suppress PHP 8 deprecation warning in __arcanist_init_script__.Jan 10 2021, 10:08 PM

Revision Contents
Changeset List

Path

Size

scripts/

__init_script__.php

5 lines

Diff 18207

View Options

scripts/__init_script__.php

Disable XML entity loader by default in libphutilClosedPublicActions