patch for webservices XXE/XEE vulnerability #2177
Conversation
|
Guess that's it from me, can't find any more. 😉 |
|
damn.. one more thing - I have to add line to CHANGELOG |
|
@yiisoft/core-developers any comments on this one? |
|
Seems like php's soap server already disables entity loading when parsing the requests (see [1], called from [2]). Maybe someone can look up since when this behavior is implemented? If it was already available in PHP 5.1, we don't need to do any extra work. Are there any other locations in the framework that are meant to parse xml provided by a user? Those might be affected... [1] http://git.php.net/?p=php-src.git;a=blob;f=ext/soap/php_xml.c;h=939385557df326205e62d7d4ae343da1fa6ab02f;hb=HEAD#l153 |
|
as you can see here: http://git.php.net/?p=php-src.git;a=history;f=ext/soap/php_xml.c;h=939385557df326205e62d7d4ae343da1fa6ab02f;hb=HEAD |
| foreach($dom->childNodes as $child) | ||
| { | ||
| if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) | ||
| throw new CException('Invalid XML: Detected use of illegal DOCTYPE'); |
There was a problem hiding this comment.
I think the following code would be better:
throw new CException(Yii::t('yii','Invalid XML: Detected use of illegal DOCTYPE.')); // note trailing dotYii's common approach is to localize exception messages too.
|
At first glance looks good to me too. Will try to test it with the real application soon. |
ghost
assigned
| { | ||
| //when request is already parsed - there is nothing to do, we only need to save it as string | ||
| if($request instanceof DOMDocument) | ||
| $xml = $request->saveXML(); |
There was a problem hiding this comment.
$xml = $request->saveXML(); → $xml=$request->saveXML();. Please fix all the other CS and consistency issues in your patch. We're trying to stick to agreements as strictly as possible, isn't it? :-)
|
Sure - will prepare additional commit with changes, however I am still investigating this issue, as it seems that PHP soap extension does not allow <DOCTYPE> and throws "DTD are not supported by SOAP". So maybe SOAP is in fact not vulnerable. Also - I checked other modules of Yii and there are no other XML parsing codes so maybe this patch is not necessary. And if so - why did Zend coders added such patch? |
|
@redguy666 any news on this one? We're preparing for 1.1.14 RC and it would be great to include your pull request as well. |
|
Closing this issue as SOAP implementation is not vulnerable and there are no other XML parsing related threats in Yii. |
|
@redguy666, hm, have you tested it on a real web server? How did you come to this conclusion? |
solves #2174