Task #96583: Remove PHP < 8 specific libxml_disable_entity_loader() - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Task #96583

closed

Remove PHP < 8 specific libxml_disable_entity_loader()

Added by Christian Kuhn almost 3 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2022-01-19

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Gerrit Code Review almost 3 years ago

Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73063

Actions

Copy link

Updated by Gerrit Code Review almost 3 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73063

Actions

Copy link

Updated by Christian Kuhn almost 3 years ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 83086527cc2c990b87a5474fb3b8ea37cf051cc1.

Actions

Copy link

Updated by Oliver Hader almost 3 years ago

Some (historic) references:

https://typo3.org/security/advisory/typo3-core-sa-2016-005
https://typo3.org/security/advisory/typo3-core-sa-2020-012
https://php.watch/versions/8.0/libxml_disable_entity_loader-deprecation

[...] At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. [...]

Back in 2020 all major OS distributions used a safe libxml2 version - it was not possible back than to exploit XXE in the TYPO3 core - unless entity expansion was explicitly enabled in PHP code with LIBXML_NOENT when invoking the parser.

I'm just leaving this comment here for potential "security researchers" reporting things for TYPO3 before v12 (not having a PHP 8.0 requirement).

Actions

Copy link

Updated by Benni Mack about 2 years ago

Status changed from Resolved to Closed

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Task #96583

Remove PHP < 8 specific libxml_disable_entity_loader()

Updated by Gerrit Code Review almost 3 years ago

Updated by Gerrit Code Review almost 3 years ago

Updated by Christian Kuhn almost 3 years ago

Updated by Oliver Hader almost 3 years ago

Updated by Benni Mack about 2 years ago