
[DependencyInjection] force enabling the external XML entity loaders #18915

Merged
merged 1 commit into from Jun 13, 2016

@xabbuh
Member

commented May 30, 2016

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18876, #18908
| License       | MIT
| Doc PR        |
@xabbuh

Member Author

commented May 30, 2016

@nicolas-grekas @sstok I don't see the security issue here. The XmlUtils class still disables the entity loaders and switches the setting back to the old value after documents have been processed. The only place where we did not take into account whether the entity loaders are disabled is the validation of DI extension config files (which currently implicitly assumes that loaders are not disabled).

@xabbuh xabbuh force-pushed the xabbuh:issue-18876 branch from 277ad7b to 4b8c20f May 30, 2016

@sstok

Contributor

commented May 30, 2016

What I mean is: will schemaValidateSource() load any external resources of the source, or will it parse the source as-is? And if it will load external resources, are there then any security risks with that (including DoS attacks)?

Edit. OK, that's no problem as the Document is parsed before the validation takes place.
So the parser should warn about that; only when a schema loads external resources can it be a problem, but who is crazy enough to load schemas from an untrusted source 😄

> The only place where we did not take into account whether the entity loaders are disabled are the validation of DI extension config files (which currently implicitly assumes that loaders are not disabled).

I'm confused here: does the problem still exist, or does this pull request solve the issue?

And as @nicolas-grekas pointed out, it also needs to be done for the XliffFileLoader schema validator, as it loads at least one external resource: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Translation/Loader/schema/dic/xliff-core/xliff-core-1.2-strict.xsd#L33 (gets replaced by a local version).

@fabpot

Member

commented Jun 8, 2016

There are other calls to schemaValidateSource in some other components; do we also need to make the same change there?

@xabbuh

Member Author

commented Jun 9, 2016

@fabpot One place is in the XliffFileLoader, which afaik doesn't support importing resources anyway (and thus would not be affected). And forcing the value in the XmlUtils does not sound like a good idea to me, as we do not know how people use that class, and imo they should force the proper value themselves if necessary.

@xabbuh xabbuh force-pushed the xabbuh:issue-18876 branch from 4b8c20f to ce1f329 Jun 9, 2016

@xabbuh

Member Author

commented Jun 9, 2016

Ah no, I was mistaken. The XliffFileLoader needs to be updated as well.

@xabbuh xabbuh force-pushed the xabbuh:issue-18876 branch 2 times, most recently from de5175b to d60d4e0 Jun 9, 2016

```php
if (!@$dom->schemaValidateSource($source)) {
    throw new InvalidResourceException(sprintf('Invalid resource provided: "%s"; Errors: %s', $file, implode("\n", $this->getXmlErrors($internalErrors))));
}
libxml_disable_entity_loader($disableEntities);
```

@nicolas-grekas (Member) commented Jun 10, 2016

We need to restore the original value before throwing, don't we?

@xabbuh (Author, Member) commented Jun 11, 2016

Sure, good catch.

@xabbuh xabbuh force-pushed the xabbuh:issue-18876 branch from d60d4e0 to 12b5509 Jun 11, 2016
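The pattern the review thread settles on (parse the untrusted document with the libxml entity loader disabled, force-enable the loader only around schema validation, and hand the caller's original setting back on every exit path, including the throwing one), as an added example that is not Symfony's code. The function names and the sample schema are constructed; it assumes PHP 7 for scalar type hints and try/finally, whereas the 2.7-era fix restored the value by hand before throwing.

```php
<?php
// Added example, not Symfony's code: parse untrusted XML with the libxml
// entity loader disabled, then validate against a trusted schema with the
// loader force-enabled, restoring the caller's setting on every exit path.
function libxmlErrorsAsString(): string
{
    $messages = [];
    foreach (libxml_get_errors() as $error) {
        $messages[] = sprintf('line %d: %s', $error->line, trim($error->message));
    }
    libxml_clear_errors();
    return implode("\n", $messages);
}

function loadAndValidate(string $xml, string $xsd): \DOMDocument
{
    $internalErrors = libxml_use_internal_errors(true);
    // Untrusted document: external entities and DTDs must not be fetched (XXE).
    $disableEntities = libxml_disable_entity_loader(true);
    $dom = new \DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    // Parsing is done: hand the caller's original setting back immediately.
    libxml_disable_entity_loader($disableEntities);
    if (!$loaded) {
        $errors = libxmlErrorsAsString();
        libxml_use_internal_errors($internalErrors);
        throw new \InvalidArgumentException("Unable to parse XML:\n" . $errors);
    }
    // A trusted schema may xsd:import further files, which needs the loader
    // enabled; finally restores it even when validation throws (the review point).
    $disableEntities = libxml_disable_entity_loader(false);
    try {
        if (!@$dom->schemaValidateSource($xsd)) {
            throw new \InvalidArgumentException("Invalid XML:\n" . libxmlErrorsAsString());
        }
    } finally {
        libxml_disable_entity_loader($disableEntities);
        libxml_use_internal_errors($internalErrors);
    }
    return $dom;
}

// Constructed sample schema and documents for a stand-alone run.
$xsd = '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"><xsd:element name="config">'
     . '<xsd:complexType><xsd:attribute name="debug" type="xsd:boolean" use="required"/>'
     . '</xsd:complexType></xsd:element></xsd:schema>';
loadAndValidate('<config debug="true"/>', $xsd); // valid: required attribute present
try { loadAndValidate('<config/>', $xsd); } catch (\InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

After either call returns or throws, `libxml_disable_entity_loader()` reports whatever value the caller had set before, which is the invariant the review comment asks for.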

@fabpot

Member

commented Jun 13, 2016

Thank you @xabbuh.

@fabpot fabpot merged commit 12b5509 into symfony:2.7 Jun 13, 2016

2 of 3 checks passed

- continuous-integration/travis-ci/pr: The Travis CI build could not complete due to an error
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- fabbot.io: Your code looks good.

fabpot added a commit that referenced this pull request Jun 13, 2016

bug #18915 [DependencyInjection] force enabling the external XML enti…
…ty loaders (xabbuh)

This PR was merged into the 2.7 branch.

Discussion
----------

[DependencyInjection] force enabling the external XML entity loaders

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18876, #18908
| License       | MIT
| Doc PR        |

Commits
-------

12b5509 force enabling the external XML entity loaders

@xabbuh xabbuh deleted the xabbuh:issue-18876 branch Jun 13, 2016

@fabpot fabpot referenced this pull request Jun 15, 2016

Merged

Release v3.1.1 #19055
