Protect against XXE in php8

PHP8 disables external entities by default, but they can still be
explicitly used (cf. https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/), which is bad™.
The right way to defend against XXE is now to call libxml_set_external_entity_loader with null.

jvoisin

committed 6 hours ago

1 parent a3feae2 commit d9cccbbe417d305bb56911cd07a7feac6b89e9a6
Showing with 9 additions and 7 deletions.

@@ -5,20 +5,22 @@ PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; }

int hook_libxml_disable_entity_loader() {

TSRMLS_FETCH();

// External entities are disabled by default in PHP8+

#if PHP_VERSION_ID < 80000

/* Call the php function here instead of re-implementing it is a bit

* ugly, but we do not want to introduce compile-time dependencies against

* libxml. */

zval func_name;

zval hmac;

zval retval;

zval params[1];

#if PHP_VERSION_ID < 80000

// This function is deprecated in PHP8, but better safe than sorry for php7.

ZVAL_STRING(&func_name, "libxml_disable_entity_loader");

ZVAL_STRING(&params[0], "true");

call_user_function(CG(function_table), NULL, &func_name, &hmac, 1, params);

call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);

#endif

// This is now the recommended way to disable external entities

ZVAL_STRING(&func_name, "libxml_set_external_entity_loader");

ZVAL_NULL(&params[0]);

call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);

HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook,

PHP_FN(sp_libxml_disable_entity_loader));
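Review bot: The zend_strings allocated by `ZVAL_STRING(&func_name, "libxml_disable_entity_loader")` and `ZVAL_STRING(&params[0], "true")` inside the `#if PHP_VERSION_ID < 80000` block are overwritten by the new `ZVAL_STRING(&func_name, "libxml_set_external_entity_loader")` and `ZVAL_NULL(&params[0])` without being released, so on PHP 7 builds both strings leak every time the hook runs; add `zval_ptr_dtor(&func_name); zval_ptr_dtor(&params[0]);` before the `#endif`. The result of neither `call_user_function` is checked, so if the libxml functions are unavailable (extension not loaded or the callable lookup fails) the hook silently reports nothing although the hardening was not applied; the return value of the new call at least should be tested and logged. As a side point, `"true"` is passed as a string rather than a boolean, `ZVAL_TRUE(&params[0]);` would give the callee the typed argument it declares. The closing brace of hook_libxml_disable_entity_loader is outside the hunk, so the final `retval` handling cannot be seen from here.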
