PHP :: Request #80357 :: Unable to re-enable entity loader without triggering a deprecation

Request #80357	Unable to re-enable entity loader without triggering a deprecation
Submitted:	2020-11-12 20:02 UTC	Modified:	2021-01-19 12:27 UTC
From:	jeremy at derusse dot com	Assigned:
Status:	Open	Package:	*XML functions
PHP Version:	8.0.0RC4	OS:	All
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jeremy at derusse dot com
New email:
PHP Version:		OS:

New Comment:

[2020-11-12 20:02 UTC] jeremy at derusse dot com

Description:
------------
calling libxml_disable_entity_loader has been deprecated in PHP >= 8.0 (https://github.com/php/php-src/pull/5867)

But if a 3rd party library disable the entity loader, we have no way to re-enable it (or even to know if we have to re-enable it) without triggering a deprecation.

Suggested change:
- do not trigger deprecation when calling the method with `false` 
- add a new method `libxml_entity_loader_disabled()` that returns true/false when the entity loader is disabled

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-11-12 20:41 UTC] requinix@php.net

-Status: Open +Status: Feedback

[2020-11-12 20:41 UTC] requinix@php.net

As far as I can tell, the whole point of the change was to deprecate the entire function and force callers who want entity loading to do so at the time of loading (using LIBXML_NOENT). Eventually it will be removed entirely, which would make a "libxml_entity_loader_disabled" function pointless.

IMO this is one of those times when you should use @ to suppress the warning. I mean, if there is code that disables the loader then it will be triggering the deprecation warning too, right?

[2020-11-13 07:55 UTC] jeremy at derusse dot com

Thank you for the suggestion, but silencing the deprecation with an `@` doesn't work: frameworks like Symfony, use error_handler to collect and logs deprecations. At the end the deprecation is not that silent.

And I would like avoiding juggling with temporary error handlers to "just" silent a deprecation.

What's about `libxml_entity_loader_disabled(A_FALSE_CONSTANT)` that re-enable the entity loader but without triggering the deprecation?

[2020-11-13 10:30 UTC] cmb@php.net

-Status: Feedback +Status: Open

[2020-11-13 10:30 UTC] cmb@php.net

In hindsight, it might have been best to remove this functionality
altogether, i.e. make libxml_disable_entity_loader() a NOP, but
it's probably too late to do that now.  Not issuing E_DEPRECATED
if the function is called with FALSE, appears to be not
unreasonable.

[2020-11-19 22:31 UTC] jeremy at derusse dot com

Do you know if Not triggering E_DEPRECATED when the function is called with FALSE, appears is doable?

[2020-12-09 09:13 UTC] marek dot janata at seznam dot cz

Not using deprecated libxml_disable_entity_loader leads to XXE vulnerability.
My settings: Apache 2.4, Windows, PHP 8.0.0, libxml 2.9.10

Consider the following code:

// ---------------
$file = 'C:/secret/file.txt';
$xml = '<' . '?xml version="1.0" encoding="utf-8"?' .'>'
    .'<!DOCTYPE tag [<!ENTITY foo PUBLIC "bar" "'.$file.'" >]>'
    .'<tag>&foo;</tag>';

$prev = libxml_disable_entity_loader(TRUE);

$doc = new DOMDocument();
$doc->preserveWhiteSpace = FALSE;
$loadRes = $doc->loadXML($xml, LIBXML_NOENT);

libxml_disable_entity_loader($prev);

print $doc->saveXml();
// ---------------


With libxml_disable_entity_loader, we get E_DEPRECATED, but the contents of local file is not loaded.

Without libxml_disable_entity_loader, the code displays contents of local file.

In our application, we want to allow local entities in XML document, so we have to call loadXml with LIBXML_NOENT flag.

[2020-12-09 10:12 UTC] jeremy at derusse dot com

Please open a new issue if you have a bug with libxml that does not disable the entity loader by default.

This is not related to this bug: not triggering a deprecation on PHP8

note: on linux: PHP 8.0, libxml2 Version => 2.9.9
The provided code works with `libxml_disable_entity_loader(true)` and without `libxml_disable_entity_loader` (beware removing the call to `libxml_disable_entity_loader` has not the same effect than calling `libxml_disable_entity_loader(false)`)

[2021-01-19 12:27 UTC] cmb@php.net

After further consideration, it seems to me that calling
libxml_disable_entity_loader(true) is generally a bad idea as of
PHP 5.4.0 which introduced libxml_set_external_entity_loader().
That latter function as is doesn't resolve the mentioned library
interoperability issues, though.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 19:01:31 2024 UTC