Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support stream wrappers in XML parser extensions, add external entity loader #3249

Closed
wants to merge 1 commit into from
Closed

Support stream wrappers in XML parser extensions, add external entity loader #3249

wants to merge 1 commit into from

Commits on Jul 30, 2014

  1. Support stream wrappers in XML parser extensions, add external entity… 

    … loader

Summary:
* Support stream wrappers in SimpleXML, DOM and XMLReader input and
  output filenames.
* Rename libxml_input_buffer() to libxml_create_input_buffer().
* Implement userspace function libxml_set_streams_context(), was
  previously missing.
* Since the VM can now be re-entered during parsing, with libxml2 in the
  call stack with -fomit-frame-pointer, all XML parsing functions must
  be protected with SYNC_VM_REGS_SCOPED().
* In DOMDocument, don't do File::TranslatePath() on input filenames,
  since they can now be URLs, and translation is now redundant with that
  done by FileStreamWrapper.
* In simplexml_load_file(), call xmlReadFile() instead of
  f_file_get_contents(), so that the libxml default stream context is
  used. Almost fixes test/zend/bad/ext/libxml/tests/bug54440.php, except
  for a minor error handling issue that should be dealt with by GitHub
  PR facebook#2376.
* In stream_context_create(), return a default stream context resource
  when the options fail validation, instead of returning false. This
  matches the PHP behaviour and makes
  hphp/test/zend/bad/ext/libxml/tests/bug63389.php pass.
* Move passing tests to hphp/test/zend/good
* Add test.xml, copied from PHP 5.6.0-dev, needed by a passing test.
* Add an external entity loader. This allows the use of "data:" and
  "compress.zlib:" in entities and URIs.

Since loading external entities exposes a number of security issues including
remote shell execution, it's disabled by default (except for the data: protocol
which isn't actually external). The new config option is documented in
doc/inconsistencies.

Submitted on behalf of a third-party: The PHP Group
Source: PHP 5.6.0-dev
License: version 3.01 of the PHP license

Closes: facebook#2329
Closes: facebook#2829

Test Plan: automated tests, new version of zend test to make sure external
entity loading fails by default
    @swtaarrs
    swtaarrs committed Jul 30, 2014
    Configuration menu
    Copy the full SHA
    0cbe136 View commit details
    Browse the repository at this point in the history