libxml_disable_entity_loader

(PHP 5 >= 5.2.11)

libxml_disable_entity_loader - Disable the ability to load external entities

Description

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Disable/enable the ability to load external entities.

Parameters

disable

Disable (TRUE) or enable (FALSE) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

Return Values

Returns the previous value.

See Also

Comments

Author:
Using this function you can prevent a vulnerability to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

One way to prevent the file from being given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11
2012-02-29 20:23:52
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
This function was reported to be not thread safe. So this might affect php-scripts on the same server.
2013-12-25 13:56:59
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
2014-01-27 18:36:51
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
2014-03-25 12:23:12
If libxml_disable_entity_loader(true); is called, it causes new SoapClient(.) to fail with

SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl

because this wsdl imports an xsd as another external file.
Tested on php 7.1.12, win x64.
2018-01-04 11:48:12
In PHP 8.0 and later, PHP uses libxml versions from 2.9.0, and libxml_disable_entity_loader is deprecated, so it is now safe to remove all `libxml_disable_entity_loader` calls on PHP 8.

If you want backwards compatibility, use this snippet:

if (\PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
2021-01-07 12:27:21
There is an extra \ that should be deleted before PHP_VERSION_ID in the code which suconghou posted 2 years ago.

if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
2023-04-27 05:46:59
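
Added example, not from the PHP manual or from any commenter above: one way to parse untrusted XML that limits the pre-8.0 call to a single parse and restores the returned previous value afterwards, so file, WSDL or XSLT loads later in the same request keep working. `parseUntrustedXml` is a hypothetical helper name, the sample strings are constructed, and PHP 7.0 or later is assumed.

```php
<?php
// Added example: parseUntrustedXml() is a hypothetical helper, not a PHP or libxml API.

function parseUntrustedXml(string $xml): DOMDocument
{
    // PHP < 8.0: switch the entity loader off for this parse only and keep
    // the previous value (the function returns it) so it can be restored.
    // PHP >= 8.0: the function is deprecated, so it is not called at all.
    $legacy = PHP_VERSION_ID < 80000;
    $previousLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access. LIBXML_NOENT (entity
        // substitution) and LIBXML_DTDLOAD are deliberately not passed.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Malformed XML');
        }
        // Refuse any document that carries a DOCTYPE, because that is where
        // entity declarations live.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE is not allowed');
            }
        }
        return $dom;
    } finally {
        // Put libxml back the way the caller left it.
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($legacy) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs: one plain document, one declaring an external entity.
$samples = [
    'plain'   => '<scan>ok</scan>',
    'doctype' => '<!DOCTYPE scan [<!ENTITY test SYSTEM "file:///nonexistent">]><scan>&test;</scan>',
];
foreach ($samples as $name => $xml) {
    try {
        echo $name, ': ', parseUntrustedXml($xml)->documentElement->textContent, "\n";
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
```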