2020-06-30 14:41:58 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
2021-06-04 14:23:34 +02:00
|
|
|
== Noncompliant Code Example
|
2020-06-30 14:41:58 +02:00
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$xml = file_get_contents("xxe.xml");
|
2020-12-21 15:38:52 +01:00
|
|
|
$doc = simplexml_load_string($xml, "SimpleXMLElement", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$doc = new DOMDocument();
|
2020-12-21 15:38:52 +01:00
|
|
|
$doc->load("xxe.xml", LIBXML_NOENT); // Noncompliant (LIBXML_NOENT enable external entities substitution)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$reader = new XMLReader();
|
2021-06-04 14:23:34 +02:00
|
|
|
$reader->open("xxe.xml");
|
2020-12-21 15:38:52 +01:00
|
|
|
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, true); // Noncompliant (SUBST_ENTITIES enable external entities substitution)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/function.simplexml-load-string.php[SimpleXML] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$xml = file_get_contents("xxe.xml");
|
2020-12-21 15:38:52 +01:00
|
|
|
$doc = simplexml_load_string($xml, "SimpleXMLElement"); // Compliant (external entities substitution are disabled by default)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/class.domdocument.php[DOMDocument] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$doc = new DOMDocument();
|
2020-12-21 15:38:52 +01:00
|
|
|
$doc->load("xxe.xml"); // Compliant (external entities substitution are disabled by default)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
https://www.php.net/manual/fr/xmlreader.xml.php[XMLReader] object:
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
$reader = new XMLReader();
|
2021-06-04 14:23:34 +02:00
|
|
|
$reader->open("xxe.xml");
|
2020-12-21 15:38:52 +01:00
|
|
|
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, false); // Compliant (SUBST_ENTITIES set to false)
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== See
|
|
|
|
|
|
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
|
|
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#php[OWASP XXE Prevention Cheat Sheet]
|
|
|
|
|
* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
|
|
|
|
|
* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::comments-and-links.adoc[]
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
