mahara-contributors team mailing list archive

[Bug 1340151] Re: Consider a different approach to libxml_disable_entity_loader(true) in init.php

 

Okay, I wrote up a little test script to check for this. Ubuntu 14.04 is
still on PHP 5.5.9, so it is still affected by this bug (not patched in
5.5 until 5.5.23).

    <pre><?php
    $before = libxml_disable_entity_loader(true);
    libxml_disable_entity_loader($before);
    var_dump($before);
    exit();

This will basically find out the state of the XML entity loader (true
means you can load them; false means you can't), and print that out.

When I run this on a CLI script, or in a newly restarted Apache site, it
always returns false.

When I install Mahara and load up the Mahara front page, and then access
this page via the web browser, it intermittently returns true. The
intermittency is because this setting leaks across processes (and maybe
also threads, but my Apache is unthreaded). So in my case, if I hit a
process that had previously served Mahara, it came back true, otherwise,
it came back false.

Tweaking my Apache config file /etc/apache2/mods-enabled/mpm_prefork.conf
to force Apache to use only one worker process, I found that it returned
true every time after I hit Mahara.

    <IfModule mpm_prefork_module>
    #   StartServers             5
    #   MinSpareServers          5
    #   MaxSpareServers          10
    #   MaxRequestWorkers        150
    #   MaxConnectionsPerChild   0
        StartServers 1
        MinSpareServers 1
        MaxSpareServers 1
        MaxConnectionsPerChild 0
        MaxRequestWorkers 1
        ServerLimit 1
    </IfModule>

Note that if you use this configuration to test, the Mahara front page
takes a long time to load! :-D Because the request for every image, CSS,
and JS file must be made one at a time. I worked around that by calling
the front page via CURL, which doesn't automatically attempt to load any
assets.

After I loaded the code in patch 5738 and rebooted Apache, I found that
after hitting the front page of Mahara, the state of
libxml_disable_entity_loader() did not change! So I think we can call
that a success. Although to be more thorough I should also hit some of
the code that temporarily enables it.

Cheers,
Aaron

-- 
https://bugs.launchpad.net/bugs/1340151

Title:
  Consider a different approach to libxml_disable_entity_loader(true) in
  init.php

Status in Mahara:
  In Progress
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 1.9 series:
  Won't Fix
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed
Status in Mahara 16.04 series:
  In Progress

Bug description:
  Unfortunately it seems like using libxml_disable_entity_loader(true)
  in init.php is unkind to other applications living on the same system.

  PHP Bug https://bugs.php.net/bug.php?id=64938 is the heart of the
  problem - the use of this setting leaks between different threads and
  by setting it for the duration of every single Mahara request this bug
  comes into play much more easily.

  The other problem is https://bugs.php.net/bug.php?id=62577 which means
  that simplexml_load_file() will not even load *local* files off disk.
  For example, this would break in Mahara even though no entities come
  into play:

  $xml = simplexml_load_file(get_config('libroot').'/db/install.xml');

  In Moodle we've been warned on one of our issues that users have seen
  this problem in the wild with Mahara, I didn't find an issue reported
  to you about it, so I'll copy and paste the report from our tracker
  here:

  "We had experience with this problem on an upgrade to Mahara 1.7, when
  https://bugs.launchpad.net/mahara/+bug/1047111 was fixed. The approach
  was the same as is suggested in this ticket. This caused seemingly
  random failures in Moodle (which is run on the same webserver)
  whenever there was usage of Mahara. The root cause was not obvious,
  nor well advertised with the Mahara fix, so it took awhile to finally
  implement a fix. In the meantime, significant functionality is broken.
  Unfortunately, there's really no way around this unless you switch
  from using mod_php."

  Yesterday whilst debugging some code with Yuliya we realised she also
  was encountering this horrible combination of bugs affecting her
  Moodle install so it seems this is not a theoretical problem.

  In Moodle we have decided to use the same approach as many other
  projects and enable/disable the loader around vulnerable code to
  reduce the chance of this combination of bugs affecting other
  applications or uses of simplexml_load_file:
  http://cgit.drupalcode.org/drupal/commit/?id=b912710
  https://github.com/symfony/symfony/blob/8ef8a1d289a6ce454b7c79baeddbfb45e4af6191/src/Symfony/Component/Config/Util/XmlUtils.php#L41
  http://www.mediawiki.org/wiki/XML_External_Entity_Processing

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1340151/+subscriptions
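
The "enable/disable the loader around vulnerable code" approach from the bug description, as an added example that is not part of the original message and is not code from Mahara, Moodle, Drupal or Symfony. The helper name parse_untrusted_xml() and the sample inputs are constructed for illustration.

```php
<?php
// Added example. parse_untrusted_xml() is a hypothetical helper name.
function parse_untrusted_xml($xml)
{
    // The switch is deprecated as of PHP 8.0, so only touch it on older versions.
    $toggle = PHP_VERSION_ID < 80000;
    if ($toggle) {
        // The call returns the previous state; keep it so it can be put back.
        $previous = libxml_disable_entity_loader(true);
    }
    $previous_errors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // Parse from a string: with the loader disabled, file loads fail
        // (PHP bug 62577). LIBXML_NONET also blocks network access.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('XML did not parse');
        }
        // Refuse any document that declares a DOCTYPE.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE not allowed');
            }
        }
        return simplexml_import_dom($doc);
    } finally {
        // Runs on success and on exception, so the changed state is never
        // left behind for the next request served by this process.
        libxml_clear_errors();
        libxml_use_internal_errors($previous_errors);
        if ($toggle) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample inputs.
$samples = array(
    'plain'   => '<root><item>ok</item></root>',
    'doctype' => '<!DOCTYPE r [<!ENTITY x "y">]><r>&x;</r>',
);
foreach ($samples as $name => $xml) {
    try {
        $root = parse_untrusted_xml($xml);
        echo $name, ': parsed <', $root->getName(), ">\n";
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The setting is still changed for the duration of each parse, so this narrows the window in which other code sharing the process can see it; it does not remove it.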

