libxml_disable_entity_loader() is deprecated in PHP 8 #25
Conversation
Signed-off-by: Alex Pott <alex.a.pott@googlemail.com>
I have a huge concern. This functionality was put into place to mitigate XXE and XEE attacks. My question is: does the version of libxml used in PHP 8 remove this function because it no longer loads external entities by default? If so, does it provide ways to do so? And if so, how do you disable that once you have? If it doesn't ever allow loading external entities, then we have no issue. But until that is verified, there's no way I can merge this, as it raises risk for users.
@weierophinney https://www.php.net/manual/function.libxml-disable-entity-loader.php
@froschdesign That doesn't answer the question, though: is there a mechanism for enabling entity loading still available, and is PHP exposing it somehow? That method previously allowed enabling as well by passing a different boolean flag to it. If there's a way to enable entity loading in PHP 8 and/or prior PHP versions that use libxml 2.9, we still need to ensure it's disabled in our own code when we do anything that might trigger entity loading otherwise.
@weierophinney If I understand correctly then it must be activated via options on the constructor of DOMDocument: https://www.php.net/manual/libxml.constants.php#constant.libxml-noent
That is one of the most misleading constant names I've encountered. 💩 ("NOENT" to mean "enable loading entities"? who thought that was a good idea?!?!) But verified: it's an option to pass to any of the
I fully agree with this!
I recommend adding a method for this:
public static function disableEntityLoader($flag = true)
{
    // libxml 2.9+ never resolves external entities unless LIBXML_NOENT is
    // passed explicitly, and PHP 8 deprecates this call; hand the flag back
    // unchanged so the pre/post-condition pair still round-trips.
    if (LIBXML_VERSION >= 20900) {
        return $flag;
    }
    // Older libxml: toggle the loader and return its previous state.
    return libxml_disable_entity_loader($flag);
}
For the pre-conditions, you would then use:
$disableEntityLoaderFlag = self::disableEntityLoader();
and post conditions would become:
self::disableEntityLoader($disableEntityLoaderFlag);
This will make the code easier to read, and easier to update when we update our minimum supported PHP versions to those that use libxml 2.9+ (as we can grep for those calls).
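As an added example (not laminas-xml's or Symfony's own code), the version-guarded helper above wrapped in a loader that never passes LIBXML_NOENT, rejects any DOCTYPE, and restores libxml's process-global state in a finally block; the class and method names are assumptions.

```php
<?php
// Added example, not laminas-xml's or Symfony's own code: the version-guarded
// helper from the review, wrapped in a loader that refuses any DOCTYPE.

final class SafeXmlLoader
{
    // libxml < 2.9 resolves external entities unless told not to; 2.9+ never
    // does unless LIBXML_NOENT is passed, and PHP 8 deprecates the toggle.
    public static function disableEntityLoader(bool $flag = true): bool
    {
        if (LIBXML_VERSION >= 20900) {
            return $flag;
        }
        return libxml_disable_entity_loader($flag);
    }

    // Parse $xml, rejecting any DOCTYPE (internal subset included) and
    // restoring libxml's process-global state whatever happens.
    public static function load(string $xml): DOMDocument
    {
        $previousLoader = self::disableEntityLoader(true);
        $previousErrors = libxml_use_internal_errors(true);
        try {
            $dom = new DOMDocument();
            // LIBXML_NONET is belt and braces; LIBXML_NOENT is deliberately absent.
            if (!$dom->loadXML($xml, LIBXML_NONET)) {
                throw new RuntimeException('Malformed XML');
            }
            // Any DTD at all is refused, so no entity can ever be declared.
            if ($dom->doctype !== null) {
                throw new RuntimeException('Refusing XML with a DOCTYPE');
            }
            return $dom;
        } finally {
            libxml_use_internal_errors($previousErrors);
            self::disableEntityLoader($previousLoader);
        }
    }
}

// Constructed inputs: a plain document parses, one carrying a DOCTYPE is rejected.
echo SafeXmlLoader::load('<cfg><key>v</key></cfg>')->documentElement->nodeName, PHP_EOL;
try {
    SafeXmlLoader::load('<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```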
Please use the suggestion from @weierophinney to remove repetitions: #25 (review)
Thanks in advance!
I think this is solved with #29
Description
See https://php.watch/versions/8.0/libxml_disable_entity_loader-deprecation
This approach copies Symfony's approach - see https://github.com/symfony/symfony/blob/4ee85e8e3bcc0d4d57bdc81879e99b1883b4ae83/src/Symfony/Component/DomCrawler/Crawler.php#L225 for example.