darylldoyle/svg-sanitizer

Possible race condition leading to XXE in SVG parser?

gquere opened this issue · 3 comments

Hello,

The SVG parser might be vulnerale to a XXE.

This kind of construction:
https://github.com/cariagency/spip-logo-svg/blob/master/vendor/enshrined/svg-sanitize/src/Sanitizer.php#L231

Might be vulnerable to a race condition because libxml_disable_entity_loader() is not thread-safe, as described here:
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

Hi @gquere,

Thanks for the heads up!

Just to confirm, the worry is that after libxml_disable_entity_loader() is called by the svg-sanitiser script, another thread re-enables it and then entities end up getting loaded by the sanitiser, because libxml_disable_entity_loader() isn't thread-safe?

I've just briefly read around this but will take a closer look later tonight and see if I can find a fix. In the meantime, if you could confirm/correct the above question, that'd be much appreciated 🙂

I've looked into this issue this evening and it seems that libxml_disable_entity_loader() was actually made thread-safe in PHP 5.5.22, 5.6.6 and 7.00. So any PHP versions after that should be OK [source].

I think at this point, if someone is running versions below that, then there are bigger security issues than a timing attack via this library. Zend went down the road of using a different method of detection for older, unpatched versions of PHP, but for the sake of this library, I feel that's overkill.

As such, unless someone can point me in the direction of some evidence that proves that this is still an open vulnerability, I'm going to close this.

Thanks for having looked into it!