Add some logging for the XXE mitigation

author: jvoisin 2021-04-28 09:34:42 +0200
committer: jvoisin 2021-04-28 10:55:53 +0200
commit: fb3571de3d9dd0df9bfb38579b56dbb9746df551 (patch)
tree: e4ef03c633fc00cc4cbdec93255f0318c220d49d /src
parent: 99cab6d750e2d8e2f6dfc412394ce49ae7534bd6 (diff)
2 files changed, 18 insertions, 3 deletions
diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 3ef1a5d..9dea33c 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -1,6 +1,14 @@
 #include "php_snuffleupagus.h"
-PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; }
+PHP_FUNCTION(sp_libxml_disable_entity_loader) {
+  sp_log_warn( "xxe", "A call to libxml_disable_entity_loader was tried and nopped");
+  RETURN_TRUE;
+}
+PHP_FUNCTION(sp_libxml_set_external_entity_loader) {
+  sp_log_warn("xxe", "A call to libxml_set_external_entity_loader was tried and nopped");
+  RETURN_TRUE;
+}
 int hook_libxml_disable_entity_loader() {
  TSRMLS_FETCH();
@@ -10,19 +18,21 @@ int hook_libxml_disable_entity_loader() {
  zval params[1];
 #if PHP_VERSION_ID < 80000
-        // This function is deprecated in PHP8, but better safe than sorry for php7.
+  // This function is deprecated in PHP8, but better safe than sorry for php7.
  ZVAL_STRING(&func_name, "libxml_disable_entity_loader");
  ZVAL_STRING(&params[0], "true");
  call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
 #endif
-        // This is now the recommended way to disable external entities
+  // This is now the recommended way to disable external entities
  ZVAL_STRING(&func_name, "libxml_set_external_entity_loader");
  ZVAL_NULL(&params[0]);
  call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
  HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook,
                PHP_FN(sp_libxml_disable_entity_loader));
+  HOOK_FUNCTION("libxml_set_external_entity_loader", sp_internal_functions_hook,
+                PHP_FN(sp_libxml_set_external_entity_loader));
  return SUCCESS;
 }
diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt
index 493f5a3..a49e094 100644
--- a/src/tests/xxe/disable_xxe_dom_disabled.phpt
+++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt
@@ -44,8 +44,13 @@ printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeVa
 ?>
 --EXPECTF-- 
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d
 libxml_disable_entity to true: WARNING, external entity loaded!
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d
 libxml_disable_entity to false: WARNING, external entity loaded!
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d
 without xxe: foo
 --CLEAN--
 <?php
author	jvoisin	2021-04-28 09:34:42 +0200
committer	jvoisin	2021-04-28 10:55:53 +0200
commit	fb3571de3d9dd0df9bfb38579b56dbb9746df551 (patch)
tree	e4ef03c633fc00cc4cbdec93255f0318c220d49d /src
parent	99cab6d750e2d8e2f6dfc412394ce49ae7534bd6 (diff)