
[DependencyInjection] force enabling the external XML entity loaders #18915


Merged: 1 commit, Jun 13, 2016

Conversation

@xabbuh (Member) commented May 30, 2016

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18876, #18908
| License       | MIT
| Doc PR        |

@xabbuh (Member, Author) commented May 30, 2016

@nicolas-grekas @sstok I don't see the security issue here. The XmlUtils class still disables the entity loaders and switches the setting back to the old value after documents have been processed. The only place where we did not take into account whether the entity loaders are disabled is the validation of DI extension config files (which currently implicitly assumes that loaders are not disabled).

@sstok (Contributor) commented May 30, 2016

What I mean is: will schemaValidateSource() load any external resources of the source, or will it parse the source as-is? And if it does load external resources, are there any security risks with that (including DoS attacks)?

Edit. OK, that's no problem as the Document is parsed before the validation takes place.
So the parser should warn about that; only when a schema loads external resources can it be a problem, but who is crazy enough to load schemas from an untrusted source 😄

> The only place where we did not take into account whether the entity loaders are disabled is the validation of DI extension config files (which currently implicitly assumes that loaders are not disabled).

I'm confused here: is the problem still existent, or does this pull request solve the issue?

And as @nicolas-grekas pointed out, it also needs to be done for the XliffFileLoader schema validator, as it loads at least one external resource https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Translation/Loader/schema/dic/xliff-core/xliff-core-1.2-strict.xsd#L33 (gets replaced by a local version).

@fabpot (Member) commented Jun 8, 2016

There are other calls to schemaValidateSource in some other components, do we also need to make the same change?

@xabbuh (Member, Author) commented Jun 9, 2016

@fabpot One place is in the XliffFileLoader, which afaik doesn't support importing resources anyway (and thus would not be affected). And forcing the value in the XmlUtils does not sound like a good idea to me, as we do not know how people use that class, and imo they should force the proper value themselves if necessary.

@xabbuh (Member, Author) commented Jun 9, 2016

Ah no I was mistaken. The XliffFileLoader needs to be updated as well.

@xabbuh force-pushed the issue-18876 branch 2 times, most recently from de5175b to d60d4e0 on June 9, 2016 11:45

Review comment on these lines of the change:

```php
if (!@$dom->schemaValidateSource($source)) {
    throw new InvalidResourceException(sprintf('Invalid resource provided: "%s"; Errors: %s', $file, implode("\n", $this->getXmlErrors($internalErrors))));
}

libxml_disable_entity_loader($disableEntities);
```
Member: we need to restore the orig value before throwing, don't we?

Member Author: Sure, good catch.
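The pattern the thread is converging on, written out as an added example (this is not Symfony's code, and `loadUntrustedXml`, `validateAgainstTrustedSchema`, `collectXmlErrors`, the schema and the documents are all constructed for illustration): parse the document with the external entity loader disabled, switch the loader on only while validating against a trusted local schema, and restore the caller's previous setting in a `finally` block so that an exception thrown on validation failure cannot leave the loader enabled.

```php
<?php
// Added example, not Symfony's code. Shows the two-step pattern discussed in
// this PR: parse the (possibly untrusted) document with the external entity
// loader disabled, then force the loader on only while validating against a
// trusted, local schema, restoring the caller's setting in a finally block so
// that it survives an exception. Function names, the schema and the documents
// below are constructed for this example.

/** Collect libxml errors accumulated since the last libxml_clear_errors(). */
function collectXmlErrors(): array
{
    $messages = [];
    foreach (libxml_get_errors() as $error) {
        $messages[] = sprintf('[line %d] %s', $error->line, trim($error->message));
    }
    libxml_clear_errors();

    return $messages;
}

/** Parse XML from an untrusted source with external entity loading turned off. */
function loadUntrustedXml(string $xml): DOMDocument
{
    // Both calls return the previous value, which is restored afterwards.
    // libxml_disable_entity_loader() is deprecated as of PHP 8.0, where loading
    // is already disabled by default; the save/restore pattern is what pre-8.0
    // code needs.
    $disableEntities = libxml_disable_entity_loader(true);
    $internalErrors = libxml_use_internal_errors(true);
    libxml_clear_errors();

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET additionally forbids network access during parsing.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Malformed XML: '.implode('; ', collectXmlErrors()));
        }
        // A document carrying a DOCTYPE is rejected outright: entity
        // declarations are the vehicle for external entity and expansion attacks.
        if (null !== $dom->doctype) {
            throw new RuntimeException('Document types are not allowed.');
        }

        return $dom;
    } finally {
        libxml_disable_entity_loader($disableEntities);
        libxml_use_internal_errors($internalErrors);
    }
}

/**
 * Validate an already-parsed document against a trusted schema. The schema
 * may xs:include/xs:import local files, which requires the entity loader,
 * so it is switched on for this call only. Returns the list of validation
 * errors, empty when the document is valid.
 */
function validateAgainstTrustedSchema(DOMDocument $dom, string $schemaSource): array
{
    $disableEntities = libxml_disable_entity_loader(false);
    $internalErrors = libxml_use_internal_errors(true);
    libxml_clear_errors();

    try {
        if ($dom->schemaValidateSource($schemaSource)) {
            return [];
        }

        return collectXmlErrors();
    } finally {
        // Runs whether we return or throw: the caller's setting is never
        // left flipped to "enabled".
        libxml_disable_entity_loader($disableEntities);
        libxml_use_internal_errors($internalErrors);
    }
}

// Constructed schema and documents for a stand-alone run.
$schema = <<<'XSD'
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="service">
    <xs:complexType>
      <xs:attribute name="id" type="xs:string" use="required"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
XSD;

$valid = loadUntrustedXml('<service id="app.mailer"/>');
$invalid = loadUntrustedXml('<service/>');

print_r(validateAgainstTrustedSchema($valid, $schema));
print_r(validateAgainstTrustedSchema($invalid, $schema));
```

The point the review comment makes is the `finally` block in `validateAgainstTrustedSchema`: with a plain `throw` before the restoring call, as in the lines under review, every invalid schema or document would leave external entity loading enabled for the rest of the request, so any later parse in the same process would resolve external entities. Restoring in `finally` (or before the `throw`, as the PR ended up doing) closes that window.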

@fabpot (Member) commented Jun 13, 2016

Thank you @xabbuh.

@fabpot fabpot merged commit 12b5509 into symfony:2.7 Jun 13, 2016
fabpot added a commit that referenced this pull request Jun 13, 2016
…ty loaders (xabbuh)

This PR was merged into the 2.7 branch.

Discussion
----------

[DependencyInjection] force enabling the external XML entity loaders

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18876, #18908
| License       | MIT
| Doc PR        |

Commits
-------

12b5509 force enabling the external XML entity loaders
@xabbuh xabbuh deleted the issue-18876 branch June 13, 2016 06:32
@fabpot fabpot mentioned this pull request Jun 15, 2016
This was referenced Jun 30, 2016