Task #96583
closed
Remove PHP < 8 specific libxml_disable_entity_loader()
100%
Updated by Gerrit Code Review almost 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73063
Updated by Gerrit Code Review almost 3 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73063
Updated by Christian Kuhn almost 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 83086527cc2c990b87a5474fb3b8ea37cf051cc1.
Updated by Oliver Hader almost 3 years ago
Some (historic) references:
- https://typo3.org/security/advisory/typo3-core-sa-2016-005
- https://typo3.org/security/advisory/typo3-core-sa-2020-012
- https://php.watch/versions/8.0/libxml_disable_entity_loader-deprecation
[...] At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. [...]
Back in 2020 all major OS distributions used a safe libxml2 version - it was not possible back then to exploit XXE in the TYPO3 core - unless entity expansion was explicitly enabled in PHP code with LIBXML_NOENT when invoking the parser.
I'm just leaving this comment here for potential "security researchers" reporting things for TYPO3 before v12 (not having a PHP 8.0 requirement).
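
The behaviour described in the comment above can be checked on a given host with a small regression script. This is an added example, not part of the original thread or of TYPO3's code; it assumes PHP 8 with the dom extension on a POSIX system, and the helper names `parsedText` and `entityExpanded` and the marker file are made up for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a harmless marker file stands in for any local file.
$marker = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($marker, 'MARKER-CONTENT');

$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY ext SYSTEM "file://{$marker}">]>
<r>&ext;</r>
XML;

// Hypothetical helper: parse with the given flags, return the root element's text.
function parsedText(string $xml, int $flags): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET is always added so this check can never touch the network.
    if (!$doc->loadXML($xml, $flags | LIBXML_NONET)) {
        throw new RuntimeException('sample XML failed to parse');
    }
    return (string)$doc->documentElement->textContent;
}

// Hypothetical helper: true if the marker file's content reached the parsed document.
function entityExpanded(string $xml, int $flags): bool
{
    return strpos(parsedText($xml, $flags), 'MARKER-CONTENT') !== false;
}

$results = [
    'libxml2 version'         => LIBXML_DOTTED_VERSION,
    'libxml2 >= 2.9'          => version_compare(LIBXML_DOTTED_VERSION, '2.9.0', '>='),
    'expanded, default flags' => entityExpanded($xml, 0),
    'expanded, LIBXML_NOENT'  => entityExpanded($xml, LIBXML_NOENT),
];
unlink($marker);
var_export($results);
echo PHP_EOL;

// Fail the build if the default parser call pulls in the external entity.
exit($results['expanded, default flags'] ? 1 : 0);
```

Run in CI, the non-zero exit code flags a host whose default parser settings load external entities; the `LIBXML_NOENT` row shows why that flag is the one to search for when reviewing parser calls.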