How can I use PHP's various XML libraries to get DOM-like functionality and avoid DoS vulnerabilities, like Billion Laughs or Quadratic Blowup?

Frontend · unresolved · 2 answers · 985 views
慢半拍i 2020-12-14 04:34

I'm writing a web application that has an XML API in PHP, and I'm worried about three specific vulnerabilities, all related to inline DOCTYPE definitions: local file inclu

2 answers
  •  温柔的废话
    2020-12-14 05:15

    You should actually test your application with sample documents and see if it is vulnerable.

    The underlying library for PHP's XML libraries is libxml2. Its behavior is controlled from PHP mostly through optional constants, which most libraries will accept as an argument when loading the XML.

    You can determine your PHP's libxml2 version with echo LIBXML_DOTTED_VERSION;

    In later versions (after 2.6), libxml2 contains entity substitution limits designed to prevent both exponential and quadratic attacks. These can be overridden with the LIBXML_PARSEHUGE option.

    By default libxml2 does not load a DTD, add default attributes, or perform entity substitution. So the default behavior is to ignore DTDs.

    You can turn parts of this on like so:

    • LIBXML_DTDLOAD will load DTDs.
    • LIBXML_NONET will disable network loading of DTDs. You should always have this on and use libxml's DTD catalog to load DTDs.
    • LIBXML_DTDVALID will perform DTD validation while parsing.
    • LIBXML_NOENT will perform entity substitution.
    • LIBXML_DTDATTR will add default attributes.

    So using the default settings, PHP/libxml2 are probably not vulnerable to any of these issues, but the only way to know for sure is to test.
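A test harness in the spirit of the answer above, added here as an example and not part of the original post or of PHP's own documentation. It parses two constructed, deliberately scaled-down DoS documents (the Billion Laughs payload cut to four levels, the quadratic payload to about 4 MB) under the default options, with LIBXML_NOENT, and with LIBXML_NOENT|LIBXML_PARSEHUGE, and reports whether the load succeeded, whether a DOCTYPE survived, how many bytes of text the document expanded to, and what libxml2 complained about. It then shows a loader for an API that needs no DTD at all, which refuses any DOCTYPE up front instead of trusting parser limits. The names BILLION_LAUGHS, quadraticBlowup, parseWith and loadApiXml are this example's own; every LIBXML_* constant and libxml_* function is real PHP. What the harness prints depends on the libxml2 build behind your PHP, which is exactly the answer's point about testing rather than assuming.

```php
<?php
declare(strict_types=1);

// Constructed sample documents (not from the original post). The Billion
// Laughs payload is cut to four levels (10^4 copies of "lol", ~30 KB) and the
// quadratic payload to ~4 MB so the harness is safe to run on a laptop; a real
// attacker would use ten levels and tens of megabytes.
const BILLION_LAUGHS = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
XML;

// Quadratic blowup: one large entity referenced many times (hypothetical helper).
function quadraticBlowup(int $entityBytes = 20000, int $references = 200): string
{
    $payload = str_repeat('a', $entityBytes);
    $refs = str_repeat('&big;', $references);
    return "<?xml version=\"1.0\"?>\n<!DOCTYPE q [<!ENTITY big \"$payload\">]>\n<q>$refs</q>";
}

/** Parse with the given LIBXML_* flags and report what libxml2 did. */
function parseWith(string $xml, int $options): array
{
    libxml_use_internal_errors(true);
    libxml_clear_errors();
    $start = hrtime(true);
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($xml, $options);
    $ms = (hrtime(true) - $start) / 1e6;
    $errors = array_map(fn (LibXMLError $e) => trim($e->message), libxml_get_errors());
    libxml_clear_errors();
    return [
        'loaded'     => $loaded,
        'doctype'    => $loaded && $dom->doctype !== null,
        // Length of the expanded text is the cheapest measure of amplification.
        'text_bytes' => $loaded ? strlen($dom->documentElement->textContent) : 0,
        'ms'         => $ms,
        'errors'     => $errors,
    ];
}

/**
 * Loader for an API that never needs DTDs: refuse any DOCTYPE outright and
 * never pass LIBXML_NOENT or LIBXML_DTDLOAD. LIBXML_NONET blocks network
 * fetches as defence in depth. The string pre-check also rejects a DOCTYPE
 * that only appears inside a comment or CDATA section; for an API that is an
 * acceptable false positive.
 */
function loadApiXml(string $xml): DOMDocument
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    libxml_use_internal_errors(true);
    libxml_clear_errors();
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    $err = libxml_get_last_error();
    libxml_clear_errors();
    if (!$loaded || $dom->doctype !== null) {
        throw new InvalidArgumentException(
            'Invalid XML: ' . ($err ? trim($err->message) : 'unexpected DOCTYPE')
        );
    }
    return $dom;
}

$samples = [
    'billion-laughs'   => BILLION_LAUGHS,
    'quadratic-blowup' => quadraticBlowup(),
    'benign'           => '<?xml version="1.0"?><req><id>42</id></req>',
];
$optionSets = [
    'default'         => 0,
    'NOENT'           => LIBXML_NOENT,
    'NOENT|PARSEHUGE' => LIBXML_NOENT | LIBXML_PARSEHUGE,
];

echo 'libxml2 ', LIBXML_DOTTED_VERSION, PHP_EOL;
foreach ($samples as $name => $xml) {
    foreach ($optionSets as $label => $opts) {
        $r = parseWith($xml, $opts);
        printf("%-16s %-16s loaded=%-5s doctype=%-5s text=%8d bytes %7.1f ms  %s\n",
            $name, $label, var_export($r['loaded'], true), var_export($r['doctype'], true),
            $r['text_bytes'], $r['ms'], implode(' | ', $r['errors']));
    }
}

// The hardened loader rejects both attack documents before libxml2 sees an entity.
foreach ($samples as $name => $xml) {
    try {
        loadApiXml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php harness.php` (PHP 7.4 or newer for the arrow function). Compare the `text=` column across the three option sets: a parser that is protecting you keeps it small or refuses the document, and the error column tells you which libxml2 check fired. Do not raise the payload sizes on a shared machine; with LIBXML_NOENT|LIBXML_PARSEHUGE a full-size Billion Laughs document can exhaust memory, which is the outcome the flag combination is meant to let you see only on a test box.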
