Older versions of libxml and/or specific configurations are vulnerable to so-called XML External Entity Processing vulnerabilities, XXE for short:
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
In order to harden J4 against such attacks, we should disable the loading of external entities by default.
Test parts of the CMS related to XML processing, i.e.:
Features continue to work as expected.
3rd-party developers relying on external entity processing need to be aware of that change.
Status | New | ⇒ | Pending |
@richard67 thanks, fixed!
@SniperSister Drone still wasn't happy with PHPCS of comments, have corrected that for you.
@SniperSister I've just tested everything and a bit more than described, but I have a problem with langmetadata.xml. On the site (frontend) I get:
Warning: simplexml_load_file(): I/O warning : failed to load external entity "/joomla-cms-4.0-dev/language/en-GB/langmetadata.xml" in /joomla-cms-4.0-dev/libraries/src/Language/LanguageHelper.php on line 682
I don't really understand why simplexml finds an external entity in this file https://github.com/joomla/joomla-cms/blob/4.0-dev/language/en-GB/langmetadata.xml.
In the backend that doesn't happen.
@richard67 that's indeed super weird. Reproducible on multiple machines?
@SniperSister I have only one available right now, it's Linux.
PHP version 7.3.11-0ubuntu0.19.10.4
If we're doing this, it needs to go in all 3 framework.php files, one for each of the applications.
I have tested this item
I have tested this adding https://community.joomla.org/blogs/community.feed feed to the site and also installing a J4 extension and it's correctly processed in both cases.
I have tested this item
I've tested this patch showing an RSS feed in the frontend with the News Feeds core component. After applying the patch it continues working.
I've installed a component too and purged the extensions cache in the extension manager; after searching for updates, it works.
Thank you!
Status | Pending | ⇒ | Ready to Commit |
RTC
Not RTC. George pointed out a required change, that has not been made.
Status | Ready to Commit | ⇒ | Pending |
I get the same warning as @richard67. PHP 7.2.5~7.4.6 on Windows.
libxml_disable_entity_loader() is deprecated in PHP 8.0.
I have tested this item
@SniperSister @zero-24 as this is a security issue it would be good to get this resolved.
Category | ⇒ | Administration |
I have just added the relevant changes to the administrator and api location as requested.
@richard67 can you still reproduce your error with the metadata?
@wilsonge Unfortunately yes:
I only made a new installation of current 4.0-dev, then switched error reporting to maximum (and server time zone to "Europe/Berlin", but I think that's not relevant here) in Global Configuration, then installed Patchtester 4, entered the GitHub token in Patchtester access information, then fetched the PRs in Patchtester, applied the patch of this PR, and then I got the above result.
From system info:
I would close this as the function got deprecated in PHP 8.0, because PHP 8.0 does this automatically, as mentioned here: https://php.watch/versions/8.0/libxml_disable_entity_loader-deprecation. If we really want to patch it, then I would also add a PHP version check to execute the function only in PHP < 8.0.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-20 07:04:22 |
Closed_By | ⇒ | SniperSister |
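As an added illustration of the hardening the PR description proposes and of the PHP 8.0 deprecation discussed in the closing comment above (example code written for this page, not Joomla's own; the function names parse_xml_safely and load_xml_file_safely, the temporary file and the XXE payload are constructed for the demonstration), the following script disables external entity loading behind a PHP version guard, restores the previous loader state afterwards, and reads files via simplexml_load_string() rather than simplexml_load_file(). The last point matters because libxml's external entity loader is also used to open a document passed by path or URI, which is why simplexml_load_file() can fail with "I/O warning : failed to load external entity" once the loader has been disabled.

```php
<?php
// Added example, not Joomla code: hardened XML parsing with external entity
// loading disabled, a PHP < 8.0 version guard, and a file-loading workaround.

/**
 * Parse an XML string with external entity loading disabled.
 *
 * On PHP < 8.0, libxml_disable_entity_loader(true) switches libxml's external
 * entity loader off process-wide, so its previous state is restored in the
 * finally block. On PHP >= 8.0 the function is deprecated and external
 * entities are only fetched if LIBXML_NOENT is passed, so the rule that holds
 * on every version is: never pass LIBXML_NOENT (or LIBXML_DTDLOAD).
 */
function parse_xml_safely(string $xml): SimpleXMLElement
{
    $previousLoaderState = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }
    // Collect libxml errors instead of emitting PHP warnings.
    $previousErrorMode = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET additionally forbids network access while parsing.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            $messages = array_map(function ($e) { return trim($e->message); }, libxml_get_errors());
            throw new RuntimeException('XML parse error: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);
        if ($previousLoaderState !== null) {
            libxml_disable_entity_loader($previousLoaderState);
        }
    }
}

/**
 * Unsafe pattern kept for comparison: LIBXML_NOENT asks libxml to substitute
 * entities, which fetches external ones (file://, http://) into the document.
 */
function parse_xml_unsafely(string $xml): SimpleXMLElement
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

/**
 * Load an XML file without going through libxml's entity loader to open the
 * file itself: read it in PHP, then parse the string.
 */
function load_xml_file_safely(string $path): SimpleXMLElement
{
    $xml = file_get_contents($path);
    if ($xml === false) {
        throw new RuntimeException("Cannot read $path");
    }
    return parse_xml_safely($xml);
}

// --- Demonstration with a constructed XXE payload (not a real target) -------
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, 'SECRET-DATA');

$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://$secretFile"> ]>
<data><value>&xxe;</value></data>
XML;

// Hardened parse: the external entity is not fetched, so <value> stays empty.
$safe = parse_xml_safely($payload);
printf("hardened parse, value is empty: %s\n", (string) $safe->value === '' ? 'yes' : 'no');

// Unsafe parse: on a configuration that resolves external entities the file
// contents show up inside <value>.
$unsafe = @parse_xml_unsafely($payload);
printf("unsafe parse, value contains secret: %s\n",
    $unsafe !== false && strpos((string) $unsafe->value, 'SECRET-DATA') !== false ? 'yes' : 'no');

// Loading a benign XML file still works through the string-based path.
file_put_contents($secretFile, '<root><a>1</a></root>');
printf("file load via string parse, a = %s\n", (string) load_xml_file_safely($secretFile)->a);

unlink($secretFile);
```

The loader flag is global to the PHP process, which is why the example records and restores its previous value instead of leaving it switched on; a site that only ever parses trusted XML can skip that, but a library function should not change global parser state behind its caller's back.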
@SniperSister Please use tabs instead of spaces for indentation to fix the PHPCS errors mentioned by Drone.