[#28949] - [4.x] disable external entity loader for libxml
- Closed
- 20 Jun 2022
- Medium
- Build: 4.0-dev
- # 28949
- Diff
- SniperSister:4x-xmlentities
- Success Hound Smells good to me. Woof! Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
- Success Download Prebuilt packages are available for download. Details
- Success continuous-integration/drone/pr Build is passing Details
- Success JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Summary of Changes
Older versions of libxml and/or specific configurations are vulnerable to so called XML External Entity Processing vulnerabilities, short XXE:
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
In order to harden J4 against such attacks, we should disable the loading of external entites by default.
Testing Instructions
Test parts of the CMS related to XML processing i.e.:
- Parse RSS feeds using mod_feed
- Purge the extension cache in the extension manager
- Install an extension with an update server being enable
Expected result
Features continue to work as expected.
Documentation Changes Required
3rd party developers relying on external entity processing need to be aware of that change.
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
|
||
@richard67 thanks, fixed!
@SniperSister Drone still wasn't happy with PHPCS of comments, have corrected that for you.
@SniperSister I've just tested everything and a bit more than described, but I have a problem with langmetadata.xml. On the site (frontend) I get:
Warning: simplexml_load_file(): I/O warning : failed to load external entity "/joomla-cms-4.0-dev/language/en-GB/langmetadata.xml" in /joomla-cms-4.0-dev/libraries/src/Language/LanguageHelper.php on line 682
I don't really understand why simplexml finds an external entity in this file https://github.com/joomla/joomla-cms/blob/4.0-dev/language/en-GB/langmetadata.xml.
In the backend that doesn't happen.
@richard67 that's indeed super weird. Reproducible on multiple machines?
@SniperSister I have only one available right now, it's Linux.
PHP version 7.3.11-0ubuntu0.19.10.4
If we're doing this it needs to go in all 3 framework.php files for each of the applications
I have tested this item
I have tested this adding https://community.joomla.org/blogs/community.feed feed to the site and also installing a J4 extension and it's correctly processed in both cases.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28949.
I have tested this item
I've tested this path showing a RSS feed in frontend with News Feeds core component. After apply path it continues working.
I've installed a component too and purged the extensions cache in the extension manager, after search for updates, it works.
Thank you!
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28949.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28949.
Not RTC. George pointed out a required change, that has not been made.
| Status | Ready to Commit | ⇒ | Pending |
I get the same warning as @richard67. PHP 7.2.5~7.4.6 on Windows.
libxml_disable_entity_loader() is deprecated in PHP 8.0.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28949.
@SniperSister @zero-24 as this is a security issue it would be good to get this resolved.
| Labels |
Added:
?
|
||
joomla-cms-bot
- | Category | ⇒ | Administration |
I have just added the relevant changes to the administrator and api location as requested.
@richard67 can you still reproduce your error with the metadata?
@richard67 can you still reproduce your error with the metadata?
@wilsonge Unfortunately yes:
I only made a new installation of current 4.0-dev, then switched error reporting to maximum (and server time zone to "Europe/Berlin", but I think that's not relevant here) in Global Configuration, then installed Patchtester 4, entered the GitHub token in Patchtester access information, then fetched the PRs in Patchtester, applied the patch of this PR, and then I got the above result.
From system info:
- PHP Version = 7.3.11-0ubuntu0.19.10.6
- Web Server = Apache/2.4.41 (Ubuntu)
- WebServer to PHP Interface = apache2handler
| Labels |
Added:
?
?
Removed: ? ? |
||
I would close this as the function got deprecated in PHP 8.0, because it does this automatically as mentioned here https://php.watch/versions/8.0/libxml_disable_entity_loader-deprecation. If we really want to patch it, then I would also add a php check to execute the function only in PHP < 8.0.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-20 07:04:22 |
| Closed_By | ⇒ | SniperSister | |
| Labels |
Added:
?
Removed: ? |
||
@SniperSister Please use tabs instead of spaces for indentation to fix PHPCS errrors mentioned by Drone.