Bug #62577 simplexml_load_file does not file if libxml_disable_entity_loader(true)
Submitted: 2012-07-16 08:56 UTC Modified: 2012-11-15 11:03 UTC
Votes:56
Avg. Score:4.7 ± 0.6
Reproduced:49 of 50 (98.0%)
Same Version:16 (32.7%)
Same OS:35 (71.4%)
From: ivan dot enderlin at hoa-project dot net Assigned: rrichards
Status: Assigned Package: SimpleXML related
PHP Version: master-Git-2012-07-16 (Git) OS: All
Private report: No CVE-ID:

 [2012-07-16 08:56 UTC] ivan dot enderlin at hoa-project dot net
Description:
------------
The function simplexml_load_file() fails to open any file (existing or not) if libxml_disable_entity_loader(true) has been called.

I have tried with simplexml_load_string(), it works; same with new SimpleXMLElement() etc. The bug is restricted to the simplexml_load_file() function.

Test script:
---------------
<?php

// Route libxml errors to libxml_get_errors() instead of emitting PHP warnings.
libxml_use_internal_errors(true);
// Disable external entity loading (the usual XXE mitigation).
libxml_disable_entity_loader(true);

// Once the loader is disabled, any path fails here, not just external entities.
$xml = simplexml_load_file('foo');

print_r(libxml_get_errors());
var_dump($xml);

Expected result:
----------------
Array
(
)
…

Actual result:
--------------
Array
(
    [0] => LibXMLError Object
        (
            [level] => 1
            [code] => 1549
            [column] => 0
            [message] => failed to load external entity "foo"

            [file] => 
            [line] => 0
        )

)
bool(false)


History

 [2012-07-16 09:22 UTC] jpauli@php.net
http://lxr.php.net/xref/PHP_5_4/ext/libxml/libxml.c#1058
libxml_disable_entity_loader(true) registers a NULL function
(http://lxr.php.net/xref/PHP_5_4/ext/libxml/libxml.c#372) as callback for URI
input file handling in libxml.
So you can't open any file with libxml after having called this function.

Is that the correct behavior? I have no clue to answer that.
 [2012-07-16 09:25 UTC] ivan dot enderlin at hoa-project dot net
I think it's not a normal behavior.
 [2012-11-15 11:03 UTC] pajoye@php.net
-Assigned To: +Assigned To: rrichards
 [2012-11-15 11:03 UTC] pajoye@php.net
hi Rob!

What would be the best/cleanest fix for this issue? It affects quite a lot of apps 
out there.

Thanks!
 [2013-05-29 07:20 UTC] Sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as
a work-around, use file_get_contents + simplexml_load_string internally?

This issue is also related to #22215 imo
 [2013-05-29 07:21 UTC] sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as
a work-around, use file_get_contents + simplexml_load_string internally?

This issue is also related to bug #64938 imo
 [2013-08-29 07:18 UTC] ivan dot enderlin at hoa-project dot net
ping? Any news from the front?
 [2013-12-15 01:19 UTC] claudio dot mulas at lucla dot net
Finally I've found what's the problem on my website. Still not fixed? :(
 [2014-01-27 16:44 UTC] phofstetter at sensational dot ch
External entity loading in XML is problematic security-wise (see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing and for example http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution where Facebook was hit by that).

It's generally advised to turn off external entity loading.

But because of this bug, turning that off also turns off *all* external file loading via libxml. 

What we need IMHO is something that turns off loading files in response to parsing untrusted XML. Requesting XML from an external source in itself isn't a problem.

If this current behaviour is intended, please consider adding a note to the documentation explaining the case and telling users to use fopen (though that means that it's no longer possible to work with a huge stream of XML data because libxml_disable_entity_loader() also disables XmlReader::open()).
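The work-around suggested in the comments above (read the bytes with PHP's own stream layer, then hand them to simplexml_load_string()) looks like this in practice. This is an added example, not code from the bug report or from PHP itself; the file name report.xml, the helper names and the constructed sample document are assumptions. It keeps the entity loader disabled while parsing, restores the previous loader state afterwards so other libxml users in the same request (XMLReader, SoapClient) are not affected by the call, and reports errors through libxml_get_errors() instead of PHP warnings.

```php
<?php
// Added example (not from the bug report): load XML from a local path while
// keeping libxml's external entity loader disabled. The helper names, the
// path 'report.xml' and the sample document below are illustrative assumptions.

/**
 * Parse XML bytes into SimpleXML without letting libxml fetch any external
 * resource, and restore the previous libxml settings when done.
 */
function parse_xml_safely(string $data): ?SimpleXMLElement
{
    $prevErrors = libxml_use_internal_errors(true);
    // Deprecated since PHP 8.0 (loading is disabled by default there), but
    // still the switch that matters on the versions discussed in this report.
    $prevLoader = libxml_disable_entity_loader(true);
    libxml_clear_errors();

    // LIBXML_NONET additionally forbids network fetches during parsing.
    // LIBXML_NOENT is deliberately NOT passed, so entities are not substituted.
    $xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();

    // Put libxml back the way we found it for the rest of the request.
    libxml_disable_entity_loader($prevLoader);
    libxml_use_internal_errors($prevErrors);

    if ($xml === false) {
        foreach ($errors as $e) {
            fwrite(STDERR, sprintf("libxml error %d at line %d: %s",
                $e->code, $e->line, trim($e->message)) . PHP_EOL);
        }
        return null;
    }
    return $xml;
}

/**
 * Work-around for this bug: read the file with PHP's stream layer (not
 * libxml's URI loader), then parse the string.
 */
function load_xml_file_safely(string $path): ?SimpleXMLElement
{
    $data = @file_get_contents($path);
    if ($data === false) {
        fwrite(STDERR, "cannot read $path" . PHP_EOL);
        return null;
    }
    return parse_xml_safely($data);
}

// Constructed sample: a document that declares an external entity. With the
// loader disabled (and no LIBXML_NOENT) the referenced file is never opened.
$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///path/to/placeholder.txt">
]>
<note><body>&ext;</body></note>
XML;

$doc = parse_xml_safely($untrusted);
// The external file's contents must not show up in the parsed tree.
var_dump($doc === null ? null : (string) $doc->body);

// Reading a real file through the same code path (assumed file name).
$fromDisk = load_xml_file_safely(__DIR__ . '/report.xml');
var_dump($fromDisk instanceof SimpleXMLElement);
```

Note that LIBXML_NONET only blocks network URIs; local file:// references are stopped by the disabled loader, which is why the example toggles it around the parse rather than relying on the flag alone. The restore-previous-state pattern is also the least disruptive way to keep a SoapClient or XMLReader elsewhere in the same request working.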
 [2014-01-29 13:03 UTC] phofstetter at sensational dot ch
This bug causes libxml_disable_entity_loader(true); to also disable SoapClient, likely for the same reason. Contrary to the other options, this one is bad though because there's no workaround (aside from not using PHP's own SoapClient).

So as it stands now users either have to live with an annoying security hole when parsing untrusted XML (which does happen at times) or with a defunct SOAP client plus the nice fopen wrappers not working for all XML related functions.
 [2016-10-03 20:22 UTC] gudang at gmail dot com
@rrichards When are you going to fix this 4-year-old issue?
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC