php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #71592 External entity processing never fail regardless of handler return code
Submitted: 2016-02-15 01:39 UTC Modified: 2018-10-30 17:57 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: anrdaemon at freemail dot ru Assigned: cmb (profile)
Status: Closed Package: XML related
PHP Version: 5.6.18 OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: anrdaemon at freemail dot ru
New email:
PHP Version: OS:

 

 [2016-02-15 01:39 UTC] anrdaemon at freemail dot ru 
Description:
------------
Despite documentation[1] explicitly stating that "If the value returned from the handler is FALSE (which it will be if no value is returned), the XML parser will stop parsing and xml_get_error_code() will return XML_ERROR_EXTERNAL_ENTITY_HANDLING.", the output of the attached test script will always be "No error".

phpinfo()
PHP Version => 5.6.18

xml

XML Support => active
XML Namespace Support => active
libxml2 Version => 2.9.3

[1]http://php.net/xml_set_external_entity_ref_handler

Test script:
---------------
<?php
$parser = xml_parser_create_ns('UTF-8');
xml_set_external_entity_ref_handler($parser, function($self, $names, $base, $system_id, $public_id)
  {
    print "@{$names}: '{$system_id}' {$public_id}\n";
    /* Ref: http://php.net/xml_set_external_entity_ref_handler
      If the value returned from the handler is FALSE (which it will be if no
      value is returned), the XML parser will stop parsing and
      xml_get_error_code() will return XML_ERROR_EXTERNAL_ENTITY_HANDLING.
    */
    return false;
  }
);

xml_parse($parser, '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE p [
  <!ENTITY pic PUBLIC "image.gif" "http://example.org/image.gif">
]>
<p>&pic;</p>');

print xml_error_string(xml_get_error_code($parser)) . "\n";
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-14 17:45 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-03-14 17:45 UTC] cmb@php.net 
This part of the documentation refers to libexpat based ext/xml.
For libxml2 based ext/xml, the external entity reference handler
is effectively a void function.  Not sure, whether libexpat's
behavior could be implemented with libxml2.
 [2018-10-09 21:21 UTC] cmb@php.net 
<https://github.com/php/php-src/pull/3596> is supposed to solve this bug.
 [2018-10-27 15:32 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=829b0df77b20392115d75fb82c56ad94edc1e423
Log: Fix #71592: External entity processing never fails
 [2018-10-27 15:32 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2018-10-27 15:35 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-10-30 01:42 UTC] anrdaemon at freemail dot ru 
May I point out, that the source XML in the test case contains at least 2 issues?
1. It's not well-formed. (<p></nop>)
2. Its root tag does not match DOCTYPE declaration.
 [2018-10-30 17:57 UTC] cmb@php.net 
> It's not well-formed. (<p></nop>)

This is on purpose to make sure that the parsing bails out early.

> Its root tag does not match DOCTYPE declaration.

Thanks!  Indeed, that's a mistake.

Fixed with <http://git.php.net/?p=php-src.git;a=commit;h=2816a3fdfa23cf0711251b8d1e9ffad3d281ea96>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 15:01:30 2024 UTC