php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #80357 Unable to re-enable entity loader without triggering a deprecation
Submitted: 2020-11-12 20:02 UTC Modified: 2021-01-19 12:27 UTC
From: jeremy at derusse dot com Assigned:
Status: Open Package: *XML functions
PHP Version: 8.0.0RC4 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jeremy at derusse dot com
New email:
PHP Version: OS:

 

 [2020-11-12 20:02 UTC] jeremy at derusse dot com
Description:
------------
calling libxml_disable_entity_loader has been deprecated in PHP >= 8.0 (https://github.com/php/php-src/pull/5867)

But if a 3rd party library disable the entity loader, we have no way to re-enable it (or even to know if we have to re-enable it) without triggering a deprecation.

Suggested change:
- do not trigger deprecation when calling the method with `false` 
- add a new method `libxml_entity_loader_disabled()` that returns true/false when the entity loader is disabled


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-12 20:41 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2020-11-12 20:41 UTC] requinix@php.net
As far as I can tell, the whole point of the change was to deprecate the entire function and force callers who want entity loading to do so at the time of loading (using LIBXML_NOENT). Eventually it will be removed entirely, which would make a "libxml_entity_loader_disabled" function pointless.

IMO this is one of those times when you should use @ to suppress the warning. I mean, if there is code that disables the loader then it will be triggering the deprecation warning too, right?
 [2020-11-13 07:55 UTC] jeremy at derusse dot com
Thank you for the suggestion, but silencing the deprecation with an `@` doesn't work: frameworks like Symfony, use error_handler to collect and logs deprecations. At the end the deprecation is not that silent.

And I would like avoiding juggling with temporary error handlers to "just" silent a deprecation.

What's about `libxml_entity_loader_disabled(A_FALSE_CONSTANT)` that re-enable the entity loader but without triggering the deprecation?
 [2020-11-13 10:30 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2020-11-13 10:30 UTC] cmb@php.net
In hindsight, it might have been best to remove this functionality
altogether, i.e. make libxml_disable_entity_loader() a NOP, but
it's probably too late to do that now.  Not issuing E_DEPRECATED
if the function is called with FALSE, appears to be not
unreasonable.
 [2020-11-19 22:31 UTC] jeremy at derusse dot com
Do you know if Not triggering E_DEPRECATED when the function is called with FALSE, appears is doable?
 [2020-12-09 09:13 UTC] marek dot janata at seznam dot cz
Not using deprecated libxml_disable_entity_loader leads to XXE vulnerability.
My settings: Apache 2.4, Windows, PHP 8.0.0, libxml 2.9.10

Consider the following code:

// ---------------
$file = 'C:/secret/file.txt';
$xml = '<' . '?xml version="1.0" encoding="utf-8"?' .'>'
    .'<!DOCTYPE tag [<!ENTITY foo PUBLIC "bar" "'.$file.'" >]>'
    .'<tag>&foo;</tag>';

$prev = libxml_disable_entity_loader(TRUE);

$doc = new DOMDocument();
$doc->preserveWhiteSpace = FALSE;
$loadRes = $doc->loadXML($xml, LIBXML_NOENT);

libxml_disable_entity_loader($prev);

print $doc->saveXml();
// ---------------


With libxml_disable_entity_loader, we get E_DEPRECATED, but the contents of local file is not loaded.

Without libxml_disable_entity_loader, the code displays contents of local file.

In our application, we want to allow local entities in XML document, so we have to call loadXml with LIBXML_NOENT flag.
 [2020-12-09 10:12 UTC] jeremy at derusse dot com
Please open a new issue if you have a bug with libxml that does not disable the entity loader by default.

This is not related to this bug: not triggering a deprecation on PHP8

note: on linux: PHP 8.0, libxml2 Version => 2.9.9
The provided code works with `libxml_disable_entity_loader(true)` and without `libxml_disable_entity_loader` (beware removing the call to `libxml_disable_entity_loader` has not the same effect than calling `libxml_disable_entity_loader(false)`)
 [2021-01-19 12:27 UTC] cmb@php.net
After further consideration, it seems to me that calling
libxml_disable_entity_loader(true) is generally a bad idea as of
PHP 5.4.0 which introduced libxml_set_external_entity_loader().
That latter function as is doesn't resolve the mentioned library
interoperability issues, though.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Apr 11 20:01:27 2021 UTC