[Tickets #13025] Re: Cannot load conf.xml in horde config
noreply at bugs.horde.org
Wed Mar 12 16:30:06 UTC 2014
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/13025
------------------------------------------------------------------------------
Ticket | 13025
Updated By | spamstop2 at terriertech.com
Summary | Cannot load conf.xml in horde config
Queue | Horde Base
Version | 5.1.5
Type | Bug
State | Not A Bug
Priority | 1. Low
Milestone |
Patch | 1
Owners |
+New Attachment | config2.patch
------------------------------------------------------------------------------
spamstop2 at terriertech.com (2014-03-12 16:30) wrote:

> We don't use external entities in the Horde configuration, and we
> definitely don't load horde/config/conf.xml as an external entity.
> Since this doesn't even happen deterministically, this has to be
> some problem with your system/server.

I think a revisit is needed for this. Try putting
libxml_disable_entity_loader(true) before the $dom->load().

When this is done it fails 100%, tried with both apache/mod_php and
nginx/php-fpm. If it doesn't for you, then my system is broken.

This shows that entity loading needs to be enabled in libxml2, even
though the file is local and doesn't include <!ENTITY.

Normally this is OK because libxml2 enables entity loading by default.
But this is going to fail in two situations:

1. For anyone using PHP-FPM, due to libxml_disable_entity_loader not
   being thread safe, see https://bugs.php.net/bug.php?id=64938.
2. Starting in libxml2 2.9, it will be off by default, see
   http://framework.zend.com/security/advisory/ZF2014-01.

Even if you don't want to fully enable entity loading, this can be
simply fixed using the attached patch.
spamstop2 at terriertech.com (2014-03-12 16:30) uploaded: config2.patch
http://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=config2.patch&ticket=13025&fn=%2Fconfig2.patch
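
An added example, not part of the ticket and not the attached config2.patch: one way to parse a local XML file without depending on libxml's entity loader is to read the file with PHP's own file functions and pass the string to loadXML(), so the result does not depend on the loader state. The helper name load_local_xml() and the sample XML are assumptions made up for illustration.

```php
<?php
// Added example: not Horde code and not the attached config2.patch.
// load_local_xml() is a hypothetical helper; the sample XML is constructed.

function load_local_xml(string $path): DOMDocument
{
    // Read the bytes with PHP's file API so libxml's entity loader is
    // never asked to open the file itself.
    $xml = @file_get_contents($path);
    if ($xml === false || $xml === '') {
        throw new RuntimeException("Cannot read XML from $path");
    }

    $prevErrors = libxml_use_internal_errors(true);
    // Deprecated since PHP 8.0, so only call it on older runtimes.
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : false;

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access; LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not set.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new RuntimeException(
                'XML parse error: ' . ($err ? trim($err->message) : 'unknown')
            );
        }
        return $dom;
    } finally {
        // Restore whatever state the caller had.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($legacy) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed sample input, written to a temporary file for the demo.
$path = tempnam(sys_get_temp_dir(), 'conf');
file_put_contents($path, '<configuration><section name="demo"/></configuration>');
$dom = load_local_xml($path);
echo $dom->documentElement->nodeName, "\n";
unlink($path);
```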