Bug #62577 simplexml_load_file does not file if libxml_disable_entity_loader(true)
Submitted: 2012-07-16 08:56 UTC Modified: 2018-10-15 10:50 UTC
Avg. Score: 4.6 ± 0.8
Reproduced: 57 of 61 (93.4%)
Same Version: 19 (33.3%)
Same OS: 39 (68.4%)
From: ivan dot enderlin at hoa-project dot net Assigned:
Status: Open Package: SimpleXML related
PHP Version: master-Git-2012-07-16 (Git) OS: All
Private report: No CVE-ID: None

 [2012-07-16 08:56 UTC] ivan dot enderlin at hoa-project dot net
The function simplexml_load_file() fails to open any file (existing or not) if libxml_disable_entity_loader(true) has been called.

I have tried simplexml_load_string() and it works; the same goes for new SimpleXMLElement(), etc. The bug is restricted to the simplexml_load_file() function.

Test script:
<?php
libxml_disable_entity_loader(true); // the call described in the report; without it the load succeeds
$xml = simplexml_load_file('foo');  // fails for any path, existing or not


Expected result:

Actual result:
    [0] => LibXMLError Object
            [level] => 1
            [code] => 1549
            [column] => 0
            [message] => failed to load external entity "foo"

            [file] => 
            [line] => 0



move-entity_loader_disabled-check (last revision 2018-10-15 10:50 UTC by
 [2012-07-16 09:22 UTC] 
libxml_disable_entity_loader(true) registers a NULL function as callback for URI input file handling in libxml.
So you can't open any file with libxml after having called this function.

Is that the correct behavior? I have no clue how to answer that.
 [2012-07-16 09:25 UTC] ivan dot enderlin at hoa-project dot net
I think it's not a normal behavior.
 [2012-11-15 11:03 UTC]
-Assigned To: +Assigned To: rrichards
 [2012-11-15 11:03 UTC]
hi Rob!

What would be the best/cleanest fix for this issue? It affects quite a lot of apps 
out there.

 [2013-05-29 07:20 UTC] Sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as
a work-around, use file_get_contents + simplexml_load_string internally?

This issue is also related to #22215 imo
 [2013-05-29 07:21 UTC] sjon at hortensius dot net
I can confirm this issue; it is very annoying and unexpected. Can't the code, as
a work-around, use file_get_contents + simplexml_load_string internally?

This issue is also related to bug #64938 imo
 [2013-08-29 07:18 UTC] ivan dot enderlin at hoa-project dot net
ping? Any news from the front?
 [2013-12-15 01:19 UTC] claudio dot mulas at lucla dot net
Finally I've found what the problem on my website is. Still not fixed? :(
 [2014-01-27 16:44 UTC] phofstetter at sensational dot ch
External entity loading in XML is problematic security-wise (see, for example, the incident where Facebook was hit by that).

It's generally advised to turn off external entity loading.

But because of this bug, turning that off also turns off *all* external file loading via libxml. 

What we need IMHO is something that turns off loading files in response to parsing untrusted XML. Requesting XML from an external source in itself isn't a problem.

If this current behaviour is intended, please consider adding a note to the documentation explaining the case and telling users to use fopen (though that means that it's no longer possible to work with a huge stream of XML data, because libxml_disable_entity_loader() also disables XMLReader::open()).
 [2014-01-29 13:03 UTC] phofstetter at sensational dot ch
This bug causes libxml_disable_entity_loader(true); to also disable SoapClient, likely for the same reason. Contrary to the other options, this one is bad though, because there's no workaround (aside from not using PHP's own SoapClient).

So as it stands now users either have to live with an annoying security hole when parsing untrusted XML (which does happen at times) or with a defunct SOAP client plus the nice fopen wrappers not working for all XML related functions.
 [2016-10-03 20:22 UTC] gudang at gmail dot com
@rrichards When are you going to fix this 4-year-old issue?
 [2017-10-24 06:14 UTC]
-Status: Assigned +Status: Open -Assigned To: rrichards +Assigned To:
 [2018-05-22 09:34 UTC] cojubacaso at stelliteop dot info
I don't see how this is a bug: the function is called "simplexml_load_file", so the expected behavior is that it loads the content of a file, and if you don't give a valid path, you get an error and false.
It is also documented like that, so please just close this; changing this behavior will probably break a lot of applications as well.
 [2018-05-22 11:12 UTC] phofstetter at sensational dot ch
> and if you don't give valid path, you get an error and false.

Of course. But this bug is about `simplexml_load_file` failing on *any* valid path if `libxml_disable_entity_loader(true)` has been called.

Here's a test script. IMHO, both assert()s should pass:

<?php
file_put_contents('/tmp/test.xml', '<doc><foo>bar</foo></doc>');
assert(simplexml_load_file('/tmp/test.xml')->foo == 'bar');
libxml_disable_entity_loader(true); // the call this comment is about; the second assert fails after it
assert(simplexml_load_file('/tmp/test.xml')->foo == 'bar');
 [2018-10-15 10:50 UTC]
The following patch has been added/updated:

Patch Name: move-entity_loader_disabled-check
Revision:   1539600601
 [2018-10-15 10:50 UTC]
Hmm, I wonder why we check whether external entity loading is
disabled in php_libxml_input_buffer_create_filename()[1] (which is
the xmlParserInputBufferCreateFilenameDefault() callback), instead
of in _php_libxml_external_entity_loader()[2] (which is the
xmlSetExternalEntityLoader() callback).  (See the attached
move-entity_loader_disabled-check patch.)  Wouldn't the latter be
sufficient to prevent XXE attacks?

Also I wonder whether we need libxml_disable_entity_loader() at
all.  Only if LIBXML_DTDLOAD|LIBXML_NOENT are given as options,
external entities will be resolved.  Some of the XML parsers don't
accept options, but at least as of libxml 2.9.0 safe defaults are
used anyway[3].

[1] <>
[2] <>
[3] <>
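As an added example (not code from this thread, nor from PHP's own sources), here is the work-around Sjon suggests above, file_get_contents plus string parsing, combined with the point made in the previous comment that only LIBXML_NOENT / LIBXML_DTDLOAD resolve external entities: untrusted XML can be parsed safely without the global libxml_disable_entity_loader() switch, so simplexml_load_file(), XMLReader and SoapClient keep working elsewhere. The function and exception names are invented; it assumes PHP 7.0 or later for the scalar type declarations.

```php
<?php
// Added example (not from the thread or PHP itself): parse an untrusted XML
// file without the global libxml_disable_entity_loader() switch. PHP reads
// the bytes, libxml never opens files, and no flag enables entity loading.
final class UntrustedXmlException extends RuntimeException {}

function loadUntrustedXmlFile(string $path): SimpleXMLElement
{
    // PHP, not libxml, opens the file, so stream wrappers keep working.
    $bytes = @file_get_contents($path);
    if ($bytes === false) {
        throw new UntrustedXmlException("cannot read $path");
    }
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    try {
        $dom = new DOMDocument();
        // Without LIBXML_NOENT / LIBXML_DTDLOAD no external entity is fetched
        // or substituted; LIBXML_NONET additionally forbids any network I/O.
        if ($dom->loadXML($bytes, LIBXML_NONET) === false) {
            $err = libxml_get_errors()[0] ?? null;
            throw new UntrustedXmlException(
                'malformed XML: ' . ($err ? trim($err->message) : 'unknown error'));
        }
        // A DTD is the only place an entity can be declared, so an untrusted
        // document is refused outright if it carries one.
        if ($dom->doctype !== null) {
            throw new UntrustedXmlException('DOCTYPE not allowed in untrusted input');
        }
        $sx = simplexml_import_dom($dom);
        if ($sx === null) {
            throw new UntrustedXmlException('document has no root element');
        }
        return $sx;
    } finally {
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs, not taken from the thread.
$path = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($path, '<doc><foo>bar</foo></doc>');
var_dump((string) loadUntrustedXmlFile($path)->foo);           // accepted
file_put_contents($path, '<!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>');
try {
    loadUntrustedXmlFile($path);
} catch (UntrustedXmlException $e) {
    echo $e->getMessage(), "\n";                                // refused
}
unlink($path);
```

Rejecting any DOCTYPE is stricter than libxml's own defaults, but for input you do not control it removes the whole entity question rather than relying on which parser flags a caller happened to pass.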
 [2018-10-18 21:23 UTC] gudang at gmail dot com
6 years...
 [2018-12-23 21:15 UTC] hanskrentel at yahoo dot de
Most likely this is not a bug. Those who disable the entity loader via libxml_disable_entity_loader() are dealing with an underlying problem with an unpatched libxml version.

Those who have not forgotten to implement their own entity loader (which is possible) have one which does not prevent loading.

Same for the default entity loader being enabled.

Just my 2 cents.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 19:01:24 2019 UTC