php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #80357 Unable to re-enable entity loader without triggering a deprecation
Submitted: 2020-11-12 20:02 UTC Modified: 2020-12-09 10:12 UTC
From: jeremy at derusse dot com Assigned:
Status: Open Package: *XML functions
PHP Version: 8.0.0RC4 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-11-12 20:02 UTC] jeremy at derusse dot com 
Description:
------------
calling libxml_disable_entity_loader has been deprecated in PHP >= 8.0 (https://github.com/php/php-src/pull/5867)

But if a 3rd party library disable the entity loader, we have no way to re-enable it (or even to know if we have to re-enable it) without triggering a deprecation.

Suggested change:
- do not trigger deprecation when calling the method with `false` 
- add a new method `libxml_entity_loader_disabled()` that returns true/false when the entity loader is disabled

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-12 20:41 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2020-11-12 20:41 UTC] requinix@php.net 
As far as I can tell, the whole point of the change was to deprecate the entire function and force callers who want entity loading to do so at the time of loading (using LIBXML_NOENT). Eventually it will be removed entirely, which would make a "libxml_entity_loader_disabled" function pointless.

IMO this is one of those times when you should use @ to suppress the warning. I mean, if there is code that disables the loader then it will be triggering the deprecation warning too, right?
 [2020-11-13 07:55 UTC] jeremy at derusse dot com 
Thank you for the suggestion, but silencing the deprecation with an `@` doesn't work: frameworks like Symfony, use error_handler to collect and logs deprecations. At the end the deprecation is not that silent.

And I would like avoiding juggling with temporary error handlers to "just" silent a deprecation.

What's about `libxml_entity_loader_disabled(A_FALSE_CONSTANT)` that re-enable the entity loader but without triggering the deprecation?
 [2020-11-13 10:30 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2020-11-13 10:30 UTC] cmb@php.net 
In hindsight, it might have been best to remove this functionality
altogether, i.e. make libxml_disable_entity_loader() a NOP, but
it's probably too late to do that now.  Not issuing E_DEPRECATED
if the function is called with FALSE, appears to be not
unreasonable.
 [2020-11-19 22:31 UTC] jeremy at derusse dot com 
Do you know if Not triggering E_DEPRECATED when the function is called with FALSE, appears is doable?
 [2020-12-09 09:13 UTC] marek dot janata at seznam dot cz 
Not using deprecated libxml_disable_entity_loader leads to XXE vulnerability.
My settings: Apache 2.4, Windows, PHP 8.0.0, libxml 2.9.10

Consider the following code:

// ---------------
$file = 'C:/secret/file.txt';
$xml = '<' . '?xml version="1.0" encoding="utf-8"?' .'>'
    .'<!DOCTYPE tag [<!ENTITY foo PUBLIC "bar" "'.$file.'" >]>'
    .'<tag>&foo;</tag>';

$prev = libxml_disable_entity_loader(TRUE);

$doc = new DOMDocument();
$doc->preserveWhiteSpace = FALSE;
$loadRes = $doc->loadXML($xml, LIBXML_NOENT);

libxml_disable_entity_loader($prev);

print $doc->saveXml();
// ---------------


With libxml_disable_entity_loader, we get E_DEPRECATED, but the contents of local file is not loaded.

Without libxml_disable_entity_loader, the code displays contents of local file.

In our application, we want to allow local entities in XML document, so we have to call loadXml with LIBXML_NOENT flag.
 [2020-12-09 10:12 UTC] jeremy at derusse dot com 
Please open a new issue if you have a bug with libxml that does not disable the entity loader by default.

This is not related to this bug: not triggering a deprecation on PHP8

note: on linux: PHP 8.0, libxml2 Version => 2.9.9
The provided code works with `libxml_disable_entity_loader(true)` and without `libxml_disable_entity_loader` (beware removing the call to `libxml_disable_entity_loader` has not the same effect than calling `libxml_disable_entity_loader(false)`)
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved. 		Last updated: Sat Jan 16 04:01:23 2021 UTC