From d9cccbbe417d305bb56911cd07a7feac6b89e9a6 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 27 Apr 2021 22:22:34 +0200
Subject: Protect against XXE in php8

PHP8 disables external entities by default, but they can still be explicitly used (cf. https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/), which is badâ„¢. The right way to defend against XXE is now to set libxml_set_external_entity_loader to null.
---
 src/sp_disable_xxe.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'src/sp_disable_xxe.c')

diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 113d84b..3ef1a5d 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -5,20 +5,22 @@ PHP_FUNCTION(sp_libxml_disable_entity_loader) {
 RETURN_TRUE;
 }
 int hook_libxml_disable_entity_loader() {
 TSRMLS_FETCH();
-// External entities are disabled by default in PHP8+
-#if PHP_VERSION_ID < 80000
- /* Call the php function here instead of re-implementing it is a bit * ugly, but we do not want to introduce compile-time dependencies against * libxml. */
 zval func_name;
- zval hmac;
+ zval retval;
 zval params[1];
+#if PHP_VERSION_ID < 80000
+ // This function is deprecated in PHP8, but better safe than sorry for php7.
 ZVAL_STRING(&func_name, "libxml_disable_entity_loader");
 ZVAL_STRING(¶ms[0], "true");
- call_user_function(CG(function_table), NULL, &func_name, &hmac, 1, params);
+ call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
 #endif
+ // This is now the recommended way to disable external entities
+ ZVAL_STRING(&func_name, "libxml_set_external_entity_loader");
+ ZVAL_NULL(¶ms[0]);
+ call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
+
 HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook, PHP_FN(sp_libxml_disable_entity_loader));
--
cgit v1.3
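Review bot: The new `libxml_set_external_entity_loader(null)` call installs a null loader, but nothing in this hunk stops application code from calling `libxml_set_external_entity_loader()` again with its own callback and re-enabling external entity loading, so the hardening can be undone from userland; the HOOK_FUNCTION on the last visible line only pins `libxml_disable_entity_loader`. Unless that function is hooked elsewhere in the file (not visible here), the hook block should also cover it, e.g. `HOOK_FUNCTION("libxml_set_external_entity_loader", sp_internal_functions_hook, PHP_FN(sp_libxml_disable_entity_loader));` — the stub's `RETURN_TRUE` matches the builtin's bool return. Separately, on PHP < 8 `func_name` and `params[0]` are assigned with `ZVAL_STRING` and then overwritten by the second `ZVAL_STRING`/`ZVAL_NULL` without a `zval_ptr_dtor`, leaking the first zend_strings, and both `call_user_function` results are ignored, so a missing or not-yet-loaded ext/libxml would fail silently; a `!= SUCCESS` check with a `php_error_docref` warning would make that visible. The closing brace of `hook_libxml_disable_entity_loader` is not shown in the hunk, so the function body continues past it.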