From: Dik Takken Date: Thu, 16 Jul 2020 12:19:40 +0000 (+0200) Subject: Bump libxml version requirement 2.7.6 => 2.9.0 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=691a09f291a909cba8821ef16a447a5e615dee69;p=php Bump libxml version requirement 2.7.6 => 2.9.0 Since libxml version 2.9.0 external entity loading is disabled by default. Bumping the version requirement means that XML processing in PHP is no longer vulnerable to XXE processing attacks by default. --- diff --git a/UPGRADING b/UPGRADING index 36022bbd48..d08dcb5df4 100644 --- a/UPGRADING +++ b/UPGRADING @@ -984,6 +984,11 @@ PHP 8.0 UPGRADE NOTES - PDO: . PDOStatement now implements IteratorAggregate (instead of Traversable). +- LibXML: + . The minimum required libxml version is now 2.9.0. This means that external + entity loading is now guaranteed to be disabled by default, and no extra + steps need to be taken to protect against XXE attacks. + - MySQLi / PDO MySQL: . When mysqlnd is not used (which is the default and recommended option), the minimum supported libmysqlclient version is now 5.1. diff --git a/build/php.m4 b/build/php.m4 index bdc02573ac..1059d7f2f4 100644 --- a/build/php.m4 +++ b/build/php.m4 @@ -2010,7 +2010,7 @@ dnl dnl Common setup macro for libxml. dnl AC_DEFUN([PHP_SETUP_LIBXML], [ - PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.7.6]) + PKG_CHECK_MODULES([LIBXML], [libxml-2.0 >= 2.9.0]) PHP_EVAL_INCLINE($LIBXML_CFLAGS) PHP_EVAL_LIBLINE($LIBXML_LIBS, $1) diff --git a/ext/libxml/tests/bug54138_1.phpt b/ext/libxml/tests/bug54138_1.phpt deleted file mode 100644 index f0a8a04698..0000000000 --- a/ext/libxml/tests/bug54138_1.phpt +++ /dev/null 
@@ -1,24 +0,0 @@ ---TEST-- -Bug #54138 - DOMNode::getLineNo() doesn't return line number higher than 65535 ---SKIPIF-- -= 20900) die('skip this test is for libxml < 2.9.0 only'); -?> ---FILE-- -' . PHP_EOL, 65535); -$xml = << - -$foos - - -XML; -$dom = new DOMDocument(); -$dom->loadXML($xml, LIBXML_BIGLINES); -var_dump($dom->getElementsByTagName('bar')->item(0)->getLineNo()); -?> ---EXPECT-- -int(65535) diff --git a/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt b/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt new file mode 100644 index 0000000000..9540f34969 --- /dev/null +++ b/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt @@ -0,0 +1,53 @@ +--TEST-- +libxml_disable_entity_loader() +--SKIPIF-- + +]> +&xxe; +EOT; + +$dir = str_replace('\\', '/', __DIR__); +$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml); + +function parseXML1($xml) { + $doc = new DOMDocument(); + $doc->loadXML($xml, 0); + return $doc->saveXML(); +} + +function parseXML2($xml) { + return simplexml_load_string($xml); +} + +function parseXML3($xml) { + $p = xml_parser_create(); + xml_parse_into_struct($p, $xml, $vals, $index); + xml_parser_free($p); + return var_export($vals, true); +} + +function parseXML4($xml) { + // This is the only time we enable external entity loading. + return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT); +} + +var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false); +var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false); +var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false); +var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false); + +echo "Done\n"; +?> +--EXPECTF-- +bool(true) +bool(true) +bool(true) +bool(false) +Done
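Review bot: The `--TEST--` title `libxml_disable_entity_loader()` names a function that none of the visible test code calls; parseXML1–parseXML4 exercise the default parser behaviour of DOM, SimpleXML and ext/xml, so the title should describe that instead, e.g. `External entity loading is disabled by default (libxml >= 2.9.0); LIBXML_NOENT opts back in`. The four `var_dump(strpos(...) === false)` checks cannot distinguish "entity not expanded" from "parse failed": DOMDocument::loadXML and simplexml_load_string return false on error and strpos coerces that to an empty string, so the first three cases would still print bool(true) if the document stopped parsing altogether (libxml warnings would probably break --EXPECTF--, but the test should not rely on that). Assert that the parse succeeded before looking for the secret, e.g. `$out = parseXML1($xml); var_dump($out !== false && strpos($out, 'SECRET_DATA') === false);`, likewise for parseXML2, and have parseXML3 check the return value of xml_parse_into_struct rather than discarding it. Since the expected `bool(false)` for parseXML4 pins that LIBXML_NOENT re-enables loading of the external entity, its comment should say so explicitly — `// LIBXML_NOENT opts back into external entity substitution, so SECRET_DATA is expected to be read here` — as this is the opt-in that the UPGRADING note's "no extra steps need to be taken" guarantee does not cover.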