Doc Bug #62577 simplexml_load_file does not file if libxml_disable_entity_loader(true)
Submitted: 2012-07-16 08:56 UTC Modified: 2020-08-31 16:30 UTC
Votes:71
Avg. Score:4.5 ± 0.8
Reproduced:58 of 62 (93.5%)
Same Version:20 (34.5%)
Same OS:40 (69.0%)
From: ivan dot enderlin at hoa-project dot net Assigned: cmb (profile)
Status: Closed Package: *XML functions
PHP Version: master-Git-2012-07-16 (Git) OS: All
Private report: No CVE-ID: None
 [2012-07-16 08:56 UTC] ivan dot enderlin at hoa-project dot net
Description:
------------
The function simplexml_load_file() failed to open any file (existing or not) if libxml_disable_entity_loader(true) has been called.

I have tried with simplexml_load_string(), it works; same with new SimpleXMLElement() etc. The bug is restricted to the simplexml_load_file() function.

Test script:
---------------
<?php

// Collect libxml errors instead of emitting warnings, so they can be inspected below.
libxml_use_internal_errors(true);
// The call under test: after this, simplexml_load_file() fails for every path.
libxml_disable_entity_loader(true);

$xml = simplexml_load_file('foo');

print_r(libxml_get_errors());
var_dump($xml);

Expected result:
----------------
Array
(
)
…

Actual result:
--------------
Array
(
    [0] => LibXMLError Object
        (
            [level] => 1
            [code] => 1549
            [column] => 0
            [message] => failed to load external entity "foo"

            [file] => 
            [line] => 0
        )

)
bool(false)

Patches

move-entity_loader_disabled-check (last revision 2018-10-15 10:50 UTC by cmb@php.net)

Pull Requests

History

 [2012-07-16 09:22 UTC] jpauli@php.net
http://lxr.php.net/xref/PHP_5_4/ext/libxml/libxml.c#1058 
libxml_disable_entity_loader(true) registers a NULL function 
(http://lxr.php.net/xref/PHP_5_4/ext/libxml/libxml.c#372) as callback for URI 
input file handling in libxml.
So you can't open any file with libxml after having called this function.

Is that the correct behavior? I have no clue to answer that.
 [2012-07-16 09:25 UTC] ivan dot enderlin at hoa-project dot net
I think it's not a normal behavior.
 [2012-11-15 11:03 UTC] pajoye@php.net
-Assigned To: +Assigned To: rrichards
 [2012-11-15 11:03 UTC] pajoye@php.net
hi Rob!

What would be the best/cleanest fix for this issue? It affects quite a lot of apps 
out there.

Thanks!
 [2013-05-29 07:20 UTC] Sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as 
a work-around, use file_get_contents() + simplexml_load_string() internally?

This issue is also related to #22215 imo
 [2013-05-29 07:21 UTC] sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as 
a work-around, use file_get_contents() + simplexml_load_string() internally?

This issue is also related to bug #64938 imo
 [2013-08-29 07:18 UTC] ivan dot enderlin at hoa-project dot net
ping? Any news from the front?
 [2013-12-15 01:19 UTC] claudio dot mulas at lucla dot net
Finally I've found what the problem on my website is. Still not fixed? :(
 [2014-01-27 16:44 UTC] phofstetter at sensational dot ch
External entity loading in XML is problematic security-wise (see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing and for example http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution where Facebook was hit by that).

It's generally advised to turn off external entity loading.

But because of this bug, turning that off also turns off *all* external file loading via libxml. 

What we need IMHO is something that turns off loading files in response to parsing untrusted XML. Requesting XML from an external source in itself isn't a problem.

If this current behaviour is intended, please consider adding a note to the documentation explaining the case and telling users to use fopen (though that means that it's no longer possible to work with a huge stream of XML data because libxml_disable_entity_loader() also disables XmlReader::open()).
 [2014-01-29 13:03 UTC] phofstetter at sensational dot ch
This bug causes libxml_disable_entity_loader(true); to also disable SoapClient - likely for the same reason. Contrary to the other options, this one is bad though because there's no workaround (aside from not using PHP's own SoapClient).

So as it stands now users either have to live with an annoying security hole when parsing untrusted XML (which does happen at times) or with a defunct SOAP client plus the nice fopen wrappers not working for all XML related functions.
 [2016-10-03 20:22 UTC] gudang at gmail dot com
@rrichards When are you going to fix this 4-year-old issue?
 [2017-10-24 06:14 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: rrichards +Assigned To:
 [2018-05-22 09:34 UTC] cojubacaso at stelliteop dot info
I don't see how this is a bug. The function is called "simplexml_load_file", so the expected behavior is that it will load the content of a file, and if you don't give a valid path, you get an error and false.
It is also documented like that, so please just close this; changing this behavior will probably break a lot of applications as well.
 [2018-05-22 11:12 UTC] phofstetter at sensational dot ch
> and if you don't give valid path, you get an error and false.

of course. But this bug is about `simplexml_load_file` failing on *any* valid path if `libxml_disable_entity_loader(true)` has been called.

Here's a test script. IMHO, both assert()s should pass:

<?php

file_put_contents('/tmp/test.xml', '<doc><foo>bar</foo></doc>');
libxml_disable_entity_loader(false);
assert(simplexml_load_file('/tmp/test.xml')->foo == 'bar');

libxml_disable_entity_loader(true);
assert(simplexml_load_file('/tmp/test.xml')->foo == 'bar');
unlink('/tmp/test.xml');
 [2018-10-15 10:50 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: move-entity_loader_disabled-check
Revision:   1539600601
URL:        https://bugs.php.net/patch-display.php?bug=62577&patch=move-entity_loader_disabled-check&revision=1539600601
 [2018-10-15 10:50 UTC] cmb@php.net
Hmm, I wonder why we check whether external entity loading is
disabled in php_libxml_input_buffer_create_filename()[1] (which is
the xmlParserInputBufferCreateFilenameDefault() callback), instead
of in _php_libxml_external_entity_loader()[2] (which is the
xmlSetExternalEntityLoader() callback).  (See the attached
move-entity_loader_disabled-check patch.)  Wouldn't the latter be
sufficient to prevent XXE attacks?

Also I wonder whether we need libxml_disable_entity_loader() at
all.  Only if LIBXML_DTDLOAD|LIBXML_NOENT are given as options
will external entities be resolved.  Some of the XML parsers don't
accept options, but at least as of libxml 2.9.0 safe defaults are
used anyway[3].

[1] <https://github.com/php/php-src/blob/php-7.3.0RC3/ext/libxml/libxml.c#L395>
[2] <https://github.com/php/php-src/blob/php-7.3.0RC3/ext/libxml/libxml.c#L572>
[3] <https://gitlab.gnome.org/GNOME/libxml2/commit/4629ee02ac649c27f9c0cf98ba017c6b5526070f>
 [2018-10-18 21:23 UTC] gudang at gmail dot com
6 years...
 [2018-12-23 21:15 UTC] hanskrentel at yahoo dot de
Most likely this is not a bug. Those who disable the entity loader via libxml_disable_entity_loader() are dealing with an underlying problem with an unpatched libxml version.

Those who have not forgotten to implement their own entity loader (which is possible), which does not prevent loading.

Same for the default entity loader being enabled.

Just my 2 cents.
 [2020-08-31 16:09 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Package: SimpleXML related +Package: *XML functions
 [2020-08-31 16:09 UTC] cmb@php.net
Like Hans Krentel already said: the fix is simple, just don't call
libxml_disable_entity_loader(), because as of libxml >= 2.9.0
entity reference substitution is disabled by default.  If you're
still using libxml < 2.9.0, better change that.

libxml_disable_entity_loader() is deprecated as of PHP 8.0.0.

I'm changing this to documentation problem.
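As an added example (not code from this report, from php-src, or from any commenter), here is the approach the comment above recommends, written out: parse untrusted XML on PHP 7/8 with libxml >= 2.9.0 without ever calling libxml_disable_entity_loader(), so that simplexml_load_file() keeps working for trusted local files. The helper names parse_untrusted_xml, load_trusted_xml_file and expect are mine, the sample documents are constructed, and the code assumes the libxml >= 2.9.0 default that external entities are only substituted when LIBXML_NOENT (with LIBXML_DTDLOAD) is passed; on top of that default it rejects any untrusted document that carries a DOCTYPE at all and sets LIBXML_NONET explicitly.

```php
<?php
declare(strict_types=1);

// Added example, not php-src code. Assumes PHP >= 7.4 built against
// libxml >= 2.9.0. Helper names below are hypothetical.

/**
 * Parse XML from an untrusted source.
 *
 * No LIBXML_NOENT and no LIBXML_DTDLOAD are passed, so libxml's safe
 * default (no entity substitution) applies. LIBXML_NONET additionally
 * forbids any network fetch during parsing, and a document that declares
 * a DOCTYPE (and therefore could declare entities) is refused outright.
 * Returns null on any failure instead of a partially trusted object.
 */
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // DOM is used first because it exposes the parsed DOCTYPE directly.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            return null; // not well-formed
        }
        if ($dom->doctype !== null) {
            return null; // untrusted XML has no business carrying a DTD
        }
        $sxe = simplexml_import_dom($dom);
        return $sxe instanceof SimpleXMLElement ? $sxe : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/**
 * Load a trusted local file. This works precisely because the script
 * never called libxml_disable_entity_loader(true), which is what broke
 * simplexml_load_file() in the report above.
 */
function load_trusted_xml_file(string $path): ?SimpleXMLElement
{
    $sxe = simplexml_load_file($path, SimpleXMLElement::class, LIBXML_NONET);
    return $sxe === false ? null : $sxe;
}

/** Tiny check helper so the demo fails loudly regardless of zend.assertions. */
function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Demo with constructed inputs -----------------------------------------

// 1. A trusted local file still loads through simplexml_load_file().
$trustedPath = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($trustedPath, '<doc><foo>bar</foo></doc>');
$trusted = load_trusted_xml_file($trustedPath);
unlink($trustedPath);
expect($trusted !== null && (string) $trusted->foo === 'bar', 'trusted file loads');

// 2. Untrusted XML without a DTD parses normally.
$plain = parse_untrusted_xml('<doc><foo>bar</foo></doc>');
expect($plain !== null && (string) $plain->foo === 'bar', 'plain untrusted XML parses');

// 3. Untrusted XML that declares a DOCTYPE (here a harmless internal
//    entity) is rejected before any entity could matter.
$withDoctype = '<!DOCTYPE doc [<!ENTITY e "x">]><doc><foo>&e;</foo></doc>';
expect(parse_untrusted_xml($withDoctype) === null, 'DOCTYPE is rejected');

// 4. Malformed input yields null rather than a warning.
expect(parse_untrusted_xml('<doc><foo>') === null, 'malformed input is null');

echo "all checks passed\n";
```

The DOCTYPE refusal is deliberately stricter than the libxml default: the default only stops substitution, whereas refusing the DTD also removes entity-expansion and external-DTD fetch concerns for input you do not control, and it costs nothing for the plain data documents untrusted callers normally send.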
 [2020-08-31 16:30 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=a07808fdd74a7ebda792e77c4c7b377e6d44f26a
Log: Fix #62577: simplexml_load_file does not file if libxml_disable_entity_loader(true)
 [2020-08-31 16:30 UTC] phpdocbot@php.net
-Status: Open +Status: Closed
 [2020-08-31 16:30 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-08-31 17:10 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=99bb679542e42499b323e68b359e9c9a5b9b01f7
Log: Fix #62577: simplexml_load_file does not file if libxml_disable_entit
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=7577b7c33f658f7da1e975978561e4eb5263f7e3
Log: Fix #62577: simplexml_load_file does not file if libxml_disable_entit