Possible race condition leading to XXE in SVG parser?

[gquere]

Hello,

The SVG parser might be vulnerale to a XXE.

This kind of construction: https://github.com/cariagency/spip-logo-svg/blob/master/vendor/enshrined/svg-sanitize/src/Sanitizer.php#L231

Might be vulnerable to a race condition because libxml_disable_entity_loader() is not thread-safe, as described here: http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

[darylldoyle]

Hi @gquere,

Thanks for the heads up!

Just to confirm, the worry is that after libxml_disable_entity_loader() is called by the svg-sanitiser script, another thread re-enables it and then entities end up getting loaded by the sanitiser, because libxml_disable_entity_loader() isn't thread-safe?

I've just briefly read around this but will take a closer look later tonight and see if I can find a fix. In the meantime, if you could confirm/correct the above question, that'd be much appreciated 🙂

[darylldoyle]

I've looked into this issue this evening and it seems that libxml_disable_entity_loader() was actually made thread-safe in PHP 5.5.22, 5.6.6 and 7.00. So any PHP versions after that should be OK [source].

I think at this point, if someone is running versions below that, then there are bigger security issues than a timing attack via this library. Zend went down the road of using a different method of detection for older, unpatched versions of PHP, but for the sake of this library, I feel that's overkill.

As such, unless someone can point me in the direction of some evidence that proves that this is still an open vulnerability, I'm going to close this.

[gquere]

Thanks for having looked into it!