Disable XML entity loader by default in libphutil

Authored by epriestley on Jan 23 2014, 9:32 PM.

See and

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan

There's an example of a document which does bad things on I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.
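The defensive pattern this revision applies, written out as an added example rather than libphutil's own change: external entity resolution is switched off before parsing, and on top of that any document carrying a DOCTYPE is refused outright, since none of the trusted sources named above (S3, EC2, VCS output, unit-test fixtures) legitimately declare one. The function name `load_xml_safely` and both sample documents are constructed for this example. Note that on PHP 8.0 and later external entity loading is already disabled by default and `libxml_disable_entity_loader()` is deprecated, so the call is guarded by version.

```php
<?php
// Added example, not part of the libphutil revision: parse XML from an
// untrusted string without ever resolving external entities.

/**
 * Parse an XML string defensively. Returns a SimpleXMLElement on success
 * and throws an Exception when the document is rejected or malformed.
 */
function load_xml_safely($xml_string) {
  // Refuse any document that declares a DOCTYPE. Entity declarations,
  // internal or external (SYSTEM/PUBLIC), can only appear inside one, and
  // none of the inputs we expect need them.
  if (preg_match('/<!DOCTYPE/i', $xml_string)) {
    throw new Exception('Refusing to parse XML that declares a DOCTYPE.');
  }

  // The fix the revision makes: stop libxml from fetching external
  // entities and DTDs. Skipped on PHP >= 8.0, where this is already the
  // default and the function is deprecated.
  if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
  }

  // Collect libxml errors instead of emitting PHP warnings.
  $previous = libxml_use_internal_errors(true);

  // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT and
  // LIBXML_DTDLOAD are deliberately NOT passed: they would substitute
  // entities and load the external DTD subset.
  $doc = simplexml_load_string($xml_string, 'SimpleXMLElement', LIBXML_NONET);

  if ($doc === false) {
    $messages = array();
    foreach (libxml_get_errors() as $error) {
      $messages[] = trim($error->message);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    throw new Exception('XML parse failed: '.implode('; ', $messages));
  }

  libxml_use_internal_errors($previous);
  return $doc;
}

// Constructed sample inputs: one declaring a DOCTYPE (rejected before
// libxml ever sees it), one plain document (parsed normally).
$with_doctype = '<?xml version="1.0"?>'.
  '<!DOCTYPE x [ <!ENTITY e "expanded"> ]><x>&e;</x>';
$benign = '<?xml version="1.0"?><x><name>example</name></x>';

try {
  load_xml_safely($with_doctype);
  echo "unexpected: document with DOCTYPE was parsed\n";
} catch (Exception $ex) {
  echo 'rejected: '.$ex->getMessage()."\n";
}

$doc = load_xml_safely($benign);
echo 'parsed: '.$doc->name."\n";
```

The DOCTYPE check is the cheap, version-independent layer; `libxml_disable_entity_loader(true)` is process-wide on older PHP and also covers `DOMDocument` and `XMLReader`, which is why the revision applies it globally rather than per call site.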

Diff Detail

Lint Skipped
Tests Skipped