On Jul 29, 2015 11:38 PM, "Anthony Ferrara" <ircmax...@gmail.com> wrote:
>
> All,
>
> I wanted to float an idea by you for PHP 7 (or 7.1 depending on the
> RM's feedback).
>
> Currently, PHP by default is vulnerable to XXE attacks:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> To bypass this, you need to turn off external entity loading:
>
> libxml_disable_entity_loader(true);
>
> What I'm proposing is to disable entity loading by default. That way
> it requires developers to opt-in to actually load external entities.
>
> Thoughts?
I am for it, for 7.0 or 8.0. We discussed it during the last related flaw and decided not to do it for BC reasons (whatever that means in this case). This problem went off our radar, so yes, we should do it in 7.0. Changing defaults in minor versions always creates more trouble.

Cheers,
Pierre
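To make the exposure Anthony describes concrete, here is an added PHP example (not code from either message, nor from php-src) that parses the same attacker-controlled document twice: once under the PHP 5/7 default, where libxml will fetch the external entity, and once with the `libxml_disable_entity_loader(true)` opt-out the proposal wants to make the default. The XML payload, the `/etc/hostname` path it points at, and the two helper function names are assumptions made for the illustration. Because the switch is process-global rather than per-parser, the hardened helper restores the previous value on the way out, which is the usual reason application code forgets to set it and the reason a safe default matters.

```php
<?php
// Added example, not from the thread: the XXE exposure the proposal
// targets, beside the explicit opt-out it asks to make the default.
declare(strict_types=1);

// Constructed attacker-controlled input. The DTD defines an external
// entity backed by a local file and references it inside <name>.
// The file path is illustrative; any readable file shows the problem.
$untrustedXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name></data>
XML;

// Parse with DOMDocument and report the <name> text plus any libxml
// errors, without letting warnings escape to the output stream.
function loadName(string $xml, int $options): array
{
    $previousErrorMode = libxml_use_internal_errors(true);
    libxml_clear_errors();
    try {
        $dom = new DOMDocument();
        $ok = $dom->loadXML($xml, $options);
        $name = null;
        if ($ok) {
            $node = $dom->getElementsByTagName('name')->item(0);
            $name = $node === null ? null : $node->textContent;
        }
        $errors = array_map(
            static fn(LibXMLError $e): string => trim($e->message),
            libxml_get_errors()
        );
        return ['name' => $name, 'errors' => $errors];
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);
    }
}

// Hypothetical helper: the pre-8.0 default. LIBXML_NOENT asks libxml to
// substitute entities, and with the loader enabled that means reading
// file:///etc/hostname into the document.
function parseWithDefaults(string $xml): array
{
    return loadName($xml, LIBXML_NOENT);
}

// Hypothetical helper: the mitigation discussed in the thread. The
// setting is global to the process, so save and restore it rather than
// leaving it flipped for unrelated code.
function parseHardened(string $xml): array
{
    $previous = libxml_disable_entity_loader(true);
    try {
        // Same LIBXML_NOENT as above: the point is that the loader switch
        // protects even when a developer asks for entity substitution.
        return loadName($xml, LIBXML_NOENT);
    } finally {
        libxml_disable_entity_loader($previous);
    }
}

foreach (['defaults' => parseWithDefaults($untrustedXml),
          'hardened' => parseHardened($untrustedXml)] as $label => $result) {
    printf("%-8s name=%s errors=%s\n",
        $label,
        var_export($result['name'], true),
        json_encode($result['errors']));
}
```

Under the pre-8.0 default the first run reproduces the contents of the referenced file inside the parsed document; under the hardened run libxml refuses to fetch the external entity and reports that in the error list instead. Two practitioner notes: the switch only governs external entity loading, so parsers that are handed `LIBXML_DTDLOAD` or that are expected to resolve remote DTDs need the same review, and since PHP 8.0 the engine ships with external entity loading disabled by default and `libxml_disable_entity_loader()` deprecated, which is the outcome this thread was arguing for.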