PHP :: Request #80357 :: Unable to re-enable entity loader without triggering a deprecation

[2020-11-12 20:41 UTC] requinix@php.net

-Status: Open +Status: Feedback

[2020-11-12 20:41 UTC] requinix@php.net

As far as I can tell, the whole point of the change was to deprecate the entire function and force callers who want entity loading to do so at the time of loading (using LIBXML_NOENT). Eventually it will be removed entirely, which would make a "libxml_entity_loader_disabled" function pointless.

IMO this is one of those times when you should use @ to suppress the warning. I mean, if there is code that disables the loader then it will be triggering the deprecation warning too, right?

[2020-11-13 07:55 UTC] jeremy at derusse dot com

Thank you for the suggestion, but silencing the deprecation with an `@` doesn't work: frameworks like Symfony, use error_handler to collect and logs deprecations. At the end the deprecation is not that silent.

And I would like avoiding juggling with temporary error handlers to "just" silent a deprecation.

What's about `libxml_entity_loader_disabled(A_FALSE_CONSTANT)` that re-enable the entity loader but without triggering the deprecation?

[2020-11-13 10:30 UTC] cmb@php.net

-Status: Feedback +Status: Open

[2020-11-13 10:30 UTC] cmb@php.net

In hindsight, it might have been best to remove this functionality
altogether, i.e. make libxml_disable_entity_loader() a NOP, but
it's probably too late to do that now.  Not issuing E_DEPRECATED
if the function is called with FALSE, appears to be not
unreasonable.

[2020-11-19 22:31 UTC] jeremy at derusse dot com

Do you know if Not triggering E_DEPRECATED when the function is called with FALSE, appears is doable?

[2020-12-09 09:13 UTC] marek dot janata at seznam dot cz

Not using deprecated libxml_disable_entity_loader leads to XXE vulnerability.
My settings: Apache 2.4, Windows, PHP 8.0.0, libxml 2.9.10

Consider the following code:

// ---------------
$file = 'C:/secret/file.txt';
$xml = '<' . '?xml version="1.0" encoding="utf-8"?' .'>'
    .'<!DOCTYPE tag [<!ENTITY foo PUBLIC "bar" "'.$file.'" >]>'
    .'<tag>&foo;</tag>';

$prev = libxml_disable_entity_loader(TRUE);

$doc = new DOMDocument();
$doc->preserveWhiteSpace = FALSE;
$loadRes = $doc->loadXML($xml, LIBXML_NOENT);

libxml_disable_entity_loader($prev);

print $doc->saveXml();
// ---------------


With libxml_disable_entity_loader, we get E_DEPRECATED, but the contents of local file is not loaded.

Without libxml_disable_entity_loader, the code displays contents of local file.

In our application, we want to allow local entities in XML document, so we have to call loadXml with LIBXML_NOENT flag.

[2020-12-09 10:12 UTC] jeremy at derusse dot com

Please open a new issue if you have a bug with libxml that does not disable the entity loader by default.

This is not related to this bug: not triggering a deprecation on PHP8

note: on linux: PHP 8.0, libxml2 Version => 2.9.9
The provided code works with `libxml_disable_entity_loader(true)` and without `libxml_disable_entity_loader` (beware removing the call to `libxml_disable_entity_loader` has not the same effect than calling `libxml_disable_entity_loader(false)`)

[2021-01-19 12:27 UTC] cmb@php.net

After further consideration, it seems to me that calling
libxml_disable_entity_loader(true) is generally a bad idea as of
PHP 5.4.0 which introduced libxml_set_external_entity_loader().
That latter function as is doesn't resolve the mentioned library
interoperability issues, though.

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2021 The PHP Group All rights reserved.	Last updated: Sun Apr 11 20:01:27 2021 UTC