Disable XML entity loader by default in libphutil
ClosedPublic
Actions

Authored by epriestley on Jan 23 2014, 9:32 PM.

Tags

None

Referenced Files

	F18839326: D8049.id.diff
	Mon, Oct 27, 3:38 PM

	F18835167: D8049.diff
	Sun, Oct 26, 1:57 PM

	F18789172: D8049.id18207.diff
	Wed, Oct 15, 8:23 AM

	F18765628: D8049.diff
	Tue, Oct 7, 12:15 PM

	F18645562: D8049.id18207.diff
	Sep 19 2025, 8:05 AM

	F18640120: D8049.id.diff
	Sep 17 2025, 3:42 PM

	F18631001: D8049.diff
	Sep 16 2025, 1:53 PM

	F18622899: D8049.diff
	Sep 15 2025, 1:27 PM

View All Files

Subscribers

aran

Details

Reviewers

btrahan

Commits

rPHU7316de8f8ff7: Disable XML entity loader by default in libphutil

Summary

See https://www.facebook.com/BugBounty/posts/778897822124446 and http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan

There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

Wow.... That's quite the bug.

Closed by commit rPHU7316de8f8ff7 (authored by @epriestley).

epriestley mentioned this in D21497: Suppress PHP 8 deprecation warning in __arcanist_init_script__.Jan 10 2021, 10:08 PM

Revision Contents
Changeset List

Path

Size

scripts/

__init_script__.php

5 lines

Diff 18207

View Options

scripts/__init_script__.php

Disable XML entity loader by default in libphutilClosedPublicActions