From fb3571de3d9dd0df9bfb38579b56dbb9746df551 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 28 Apr 2021 09:34:42 +0200
Subject: Add some logging for the XXE mitigation
---
 src/sp_disable_xxe.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'src/sp_disable_xxe.c')
diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 3ef1a5d..9dea33c 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -1,6 +1,14 @@
 #include "php_snuffleupagus.h"
-PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; }
+PHP_FUNCTION(sp_libxml_disable_entity_loader) {
+ sp_log_warn( "xxe", "A call to libxml_disable_entity_loader was tried and nopped");
+ RETURN_TRUE;
+}
+
+PHP_FUNCTION(sp_libxml_set_external_entity_loader) {
+ sp_log_warn("xxe", "A call to libxml_set_external_entity_loader was tried and nopped");
+ RETURN_TRUE;
+}
 int hook_libxml_disable_entity_loader() {
 TSRMLS_FETCH();
@@ -10,19 +18,21 @@ int hook_libxml_disable_entity_loader() {
 zval params[1];
 #if PHP_VERSION_ID < 80000
- // This function is deprecated in PHP8, but better safe than sorry for php7.
+ // This function is deprecated in PHP8, but better safe than sorry for php7.
 ZVAL_STRING(&func_name, "libxml_disable_entity_loader");
 ZVAL_STRING(¶ms[0], "true");
 call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
 #endif
- // This is now the recommended way to disable external entities
+ // This is now the recommended way to disable external entities
 ZVAL_STRING(&func_name, "libxml_set_external_entity_loader");
 ZVAL_NULL(¶ms[0]);
 call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
 HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook, PHP_FN(sp_libxml_disable_entity_loader));
+ HOOK_FUNCTION("libxml_set_external_entity_loader", sp_internal_functions_hook,
+ PHP_FN(sp_libxml_set_external_entity_loader));
 return SUCCESS;
 }
-- 
cgit v1.3
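Review bot: The warning added to `sp_libxml_disable_entity_loader` in the `@@ -1,6 +1,14 @@` hunk does not record which state the caller asked for, so a library passing `true` as its own XXE hardening produces the same log line as code passing `false` to re-enable entity loading. Reading the optional boolean quietly and putting it in the message would let the `false` case be alerted on separately and keep defensive callers from drowning it out. The sketch keeps the unconditional `RETURN_TRUE` and assumes `sp_log_warn` takes a printf-style format, which this page does not show.

```c
PHP_FUNCTION(sp_libxml_disable_entity_loader) {
  zend_bool disable = 1;  // PHP's default when the argument is omitted

  // Quiet parse: the hook must stay a nop and raise no new errors of its own.
  (void)zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS(),
                                 "|b", &disable);
  sp_log_warn("xxe",
              "A call to libxml_disable_entity_loader(%s) was tried and nopped",
              disable ? "true" : "false");
  RETURN_TRUE;
}
```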
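Review bot: The new `HOOK_FUNCTION("libxml_set_external_entity_loader", ...)` at the end of the `@@ -10,19 +18,21 @@` hunk freezes whatever loader state the preceding `call_user_function` calls left behind, yet their results are discarded, so a failed call leaves the mitigation inactive with nothing logged. Checking the result would make that visible, for example `if (call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params) != SUCCESS) sp_log_warn("xxe", "Unable to reset the external entity loader");`. It is also worth confirming that a NULL resolver blocks external entity loading rather than restoring libxml's default loader, because an application that installs its own restrictive resolver will now get `true` back while the call is ignored. The body of `hook_libxml_disable_entity_loader` starts before this hunk.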