We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41
LIBXML_DTDLOAD | LIBXML_DTDATTR
$options
To be published on Dec 8th
Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Mitigation:
Remove the
LIBXML_DTDLOAD | LIBXML_DTDATTR
options from$options
is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41Background / details
To be published on Dec 8th