Page MenuHomePhabricator

Disable XML entity loader by default in libphutil
ClosedPublic

Authored by epriestley on Jan 23 2014, 9:32 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 31 2024, 2:51 AM
Unknown Object (File)
Oct 18 2024, 10:23 AM
Unknown Object (File)
Oct 15 2024, 2:57 AM
Unknown Object (File)
Oct 13 2024, 7:06 PM
Unknown Object (File)
Sep 30 2024, 3:48 PM
Unknown Object (File)
Sep 30 2024, 3:45 PM
Unknown Object (File)
Sep 20 2024, 5:40 AM
Unknown Object (File)
Sep 20 2024, 5:40 AM
Subscribers

Details

Summary

See https://www.facebook.com/BugBounty/posts/778897822124446 and http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution.

By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.

Test Plan

There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped