Hi Dan, Do you happen to have a test case? We have trouble replicating the issue as our servers are not set up "the wrong way". ;-)
Thank you Kristina -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1340151 Title: Consider a different approach to libxml_disable_entity_loader(true) in init.php Status in Mahara ePortfolio: Confirmed Status in Mahara 1.10 series: Confirmed Status in Mahara 15.04 series: Confirmed Bug description: Unfortunately it seems like using libxml_disable_entity_loader(true) in init.php is unkind to other applications living on the same system. PHP Bug https://bugs.php.net/bug.php?id=64938 is the heart of the problem - the use of this setting leaks between different threads and by setting it for the duration of every single Mahara request this bug comes into play much more easily. The other problem is https://bugs.php.net/bug.php?id=62577 which means that simplexml_load_file() will not even load *local* files off disk. For example, this would break in Mahara even though no entities come into play: $xml = simplexml_load_file(get_config('libroot').'/db/install.xml'); In Moodle we've been warned on one of our issues that users have seen this problem in the wild with Mahara, I didn't find an issue reported to you about it, so i'll copy and paste the report from our tracker here: "We had experience with this problem on an upgrade to Mahara 1.7, when https://bugs.launchpad.net/mahara/+bug/1047111 was fixed. The approach was the same as is suggested in this ticket. This caused seemingly random failures in Moodle (which is run on the same webserver) whenever there was usage of Mahara. The root cause was not obvious, nor well advertised with the Mahara fix, so it took awhile to finally implement a fix. In the meantime, significant functionality is broken. Unfortunately, there's really no way around this unless you switch from using mod_php." Yesterday whilst debugging some code with Yuliya we realised she also was encountering this horrible combination of bugs affecting her Moodle install so it seems this is not a theoretical problem. In Moodle we have decided to use the same approach of many other projects and enable/disable the loader around vulnerable code to reduce the chance of this combination of bugs affecting other applications or uses of the the simplexml_load_file: http://cgit.drupalcode.org/drupal/commit/?id=b912710 https://github.com/symfony/symfony/blob/8ef8a1d289a6ce454b7c79baeddbfb45e4af6191/src/Symfony/Component/Config/Util/XmlUtils.php#L41 http://www.mediawiki.org/wiki/XML_External_Entity_Processing To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1340151/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
