Support stream wrappers in XML parser extensions, add external entity loader #3249

Closed

swtaarrs
Contributor

Summary:

  • Support stream wrappers in SimpleXML, DOM and XMLReader input and
    output filenames.
  • Rename libxml_input_buffer() to libxml_create_input_buffer().
  • Implement userspace function libxml_set_streams_context(), was
    previously missing.
  • Since the VM can now be re-entered during parsing, with libxml2 in the
    call stack with -fomit-frame-pointer, all XML parsing functions must
    be protected with SYNC_VM_REGS_SCOPED().
  • In DOMDocument, don't do File::TranslatePath() on input filenames,
    since they can now be URLs, and translation is now redundant with that
    done by FileStreamWrapper.
  • In simplexml_load_file(), call xmlReadFile() instead of
    f_file_get_contents(), so that the libxml default stream context is
    used. Almost fixes test/zend/bad/ext/libxml/tests/bug54440.php, except
    for a minor error handling issue that should be dealt with by GitHub
    PR Add an XML external entity loader. #2376.
  • In stream_context_create(), return a default stream context resource
    when the options fail validation, instead of returning false. This
    matches the PHP behaviour and makes
    hphp/test/zend/bad/ext/libxml/tests/bug63389.php pass.
  • Move passing tests to hphp/test/zend/good
  • Add test.xml, copied from PHP 5.6.0-dev, needed by a passing test.
  • Add an external entity loader. This allows the use of "data:" and
    "compress.zlib:" in entities and URIs.

Since loading external entities exposes a number of security issues including
remote shell execution, it's disabled by default (except for the data: protocol
which isn't actually external). The new config option is documented in
doc/inconsistencies.

Submitted on behalf of a third-party: The PHP Group
Source: PHP 5.6.0-dev
License: version 3.01 of the PHP license

Closes: #2329
Closes: #2829

Test Plan: automated tests, new version of zend test to make sure external
entity loading fails by default
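
The default-deny behaviour described in the summary above, modelled as an added example in Python with the standard-library expat bindings; it is not code from this pull request or from HHVM. The names `DEFAULT_ALLOWED`, `permitted` and `parse_default_deny` and the sample document are assumptions made for the illustration: only `data:` entities are loaded, and every other scheme (including `compress.zlib:`) is refused unless explicitly opted in.

```python
import base64
import re
import xml.parsers.expat as expat
from urllib.parse import unquote_to_bytes

DEFAULT_ALLOWED = frozenset({"data"})  # assumption: mirrors the default described in the PR
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def scheme_of(system_id):
    """Lower-cased URI scheme; bare paths and drive letters count as 'file'."""
    m = _SCHEME.match(system_id)
    if not m or len(m.group(1)) == 1:      # "C:\x.xml" is a path, not a scheme
        return "file"
    return m.group(1).lower()

def permitted(system_id, opted_in=frozenset()):
    return scheme_of(system_id) in DEFAULT_ALLOWED | frozenset(opted_in)

def decode_data_uri(uri):
    header, _, payload = uri.partition(":")[2].partition(",")
    if header.lower().endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)

def parse_default_deny(xml_text):
    """Return (text content, refused system ids) under the default policy."""
    text, refused = [], []
    parser = expat.ParserCreate()
    def load_entity(context, base, system_id, public_id):
        if not permitted(system_id):       # default policy: only data: passes
            refused.append(system_id)
            return 1                       # skip the entity; return 0 to abort the parse
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(decode_data_uri(system_id), True)
        return 1
    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = load_entity
    parser.Parse(xml_text, True)
    return "".join(text), refused

# Constructed sample document: one data: entity and two that must be refused.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY inline SYSTEM "data:text/plain;base64,aW5saW5lZA==">
  <!ENTITY local SYSTEM "file:///constructed/example.txt">
  <!ENTITY packed SYSTEM "compress.zlib://constructed/example.xml.gz">
]>
<r>[&inline;][&local;][&packed;]</r>"""
```

Treating scheme-less and single-letter identifiers as `file` keeps relative paths and Windows drive letters on the denied side of the gate.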

@facebook-github-bot
Contributor

This pull request has been imported into Phabricator, and discussion and review of the diff will take place at https://reviews.facebook.net/D20373

@swtaarrs
Contributor Author

@ptarjan is the review supposed to update automatically when I push my branch or do I have to comment here? My other PR, #3219, seems to be updating just fine.

@ptarjan
Contributor

ptarjan commented Jul 28, 2014

@swtaarrs yes, I'm not sure why it didn't import your diff... digging... (and I'll force this one by hand)

@ptarjan
Contributor

ptarjan commented Jul 28, 2014

@swtaarrs what parts of swtaarrs@efae335 aren't on https://reviews.facebook.net/D20373 ? It looks like you authored it 7 days ago. Which push are you expecting to update there?

… loader

Summary:
* Support stream wrappers in SimpleXML, DOM and XMLReader input and
  output filenames.
* Rename libxml_input_buffer() to libxml_create_input_buffer().
* Implement userspace function libxml_set_streams_context(), was
  previously missing.
* Since the VM can now be re-entered during parsing, with libxml2 in the
  call stack with -fomit-frame-pointer, all XML parsing functions must
  be protected with SYNC_VM_REGS_SCOPED().
* In DOMDocument, don't do File::TranslatePath() on input filenames,
  since they can now be URLs, and translation is now redundant with that
  done by FileStreamWrapper.
* In simplexml_load_file(), call xmlReadFile() instead of
  f_file_get_contents(), so that the libxml default stream context is
  used. Almost fixes test/zend/bad/ext/libxml/tests/bug54440.php, except
  for a minor error handling issue that should be dealt with by GitHub
  PR facebook#2376.
* In stream_context_create(), return a default stream context resource
  when the options fail validation, instead of returning false. This
  matches the PHP behaviour and makes
  hphp/test/zend/bad/ext/libxml/tests/bug63389.php pass.
* Move passing tests to hphp/test/zend/good
* Add test.xml, copied from PHP 5.6.0-dev, needed by a passing test.
* Add an external entity loader. This allows the use of "data:" and
  "compress.zlib:" in entities and URIs.

Since loading external entities exposes a number of security issues including
remote shell execution, it's disabled by default (except for the data: protocol
which isn't actually external). The new config option is documented in
doc/inconsistencies.

Submitted on behalf of a third-party: The PHP Group
Source: PHP 5.6.0-dev
License: version 3.01 of the PHP license

Closes: facebook#2329
Closes: facebook#2829

Test Plan: automated tests, new version of zend test to make sure external
entity loading fails by default

@swtaarrs swtaarrs closed this Jul 30, 2014
@swtaarrs swtaarrs deleted the xml-loader branch July 30, 2014 21:43
Successfully merging this pull request may close these issues:

  • libxml2 usage does not support stream wrappers
  • Support for the data scheme in XML extensions