php · nielsdos · Jul 6, 2024 · Jul 6, 2024
diff --git a/NEWS b/NEWS
@@ -2,7 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.0alpha2
 
-- PDO
+- LibXML:
+  . Added LIBXML_NO_XXE constant. (nielsdos)
+
+- PDO:
   . Fixed bug GH-14792 (Compilation failure on pdo_* extensions).
     (Peter Kokot)
 

diff --git a/UPGRADING b/UPGRADING
@@ -763,6 +763,10 @@ PHP 8.4 UPGRADE NOTES
 
 - LibXML:
   . LIBXML_RECOVER.
+  . LIBXML_NO_XXE.
+    This is used together with LIBXML_NOENT for when you want to perform entity
+    substitution, but want to disallow external entity loading.
+    This constant is available as of libxml2 2.13.
 
 - OpenSSL:
   . X509_PURPOSE_OCSP_HELPER.

@@ -12,16 +12,17 @@ $flags = [
 try {
     Dom\XMLDocument::createFromString('<?xml version="1.0"?><container/>', -1);
 } catch (ValueError $e) {
-    echo $e->getMessage();
+    echo $e->getMessage(), "\n";
 }
 
 foreach ($flags as $flag) {
     var_dump(Dom\XMLDocument::createFromString('<?xml version="1.0"?><container/>', $flag) instanceof Dom\XMLDocument);
 }
 
 ?>
---EXPECT--
-Dom\XMLDocument::createFromString(): Argument #2 ($options) contains invalid flags (allowed flags: LIBXML_RECOVER, LIBXML_NOENT, LIBXML_DTDLOAD, LIBXML_DTDATTR, LIBXML_DTDVALID, LIBXML_NOERROR, LIBXML_NOWARNING, LIBXML_NOBLANKS, LIBXML_XINCLUDE, LIBXML_NSCLEAN, LIBXML_NOCDATA, LIBXML_NONET, LIBXML_PEDANTIC, LIBXML_COMPACT, LIBXML_PARSEHUGE, LIBXML_BIGLINES)bool(true)
+--EXPECTF--
+Dom\XMLDocument::createFromString(): Argument #2 ($options) contains invalid flags (allowed flags: %s)
+bool(true)
 bool(true)
 bool(true)
 bool(true)

@@ -0,0 +1,29 @@
+--TEST--
+Test flag LIBXML_NO_XXE
+--EXTENSIONS--
+dom
+--SKIPIF--
+<?php
+if (!defined('LIBXML_NO_XXE')) die('skip LIBXML_NO_XXE not available');
+?>
+--FILE--
+<?php
+$xml = <<< XML
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE set [
+    <!ENTITY foo '<foo>bar</foo>'>
+    <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<set>&foo;&xxe;</set>
+XML;
+
+$doc = Dom\XMLDocument::createFromString($xml, LIBXML_NOENT | LIBXML_NO_XXE);
+echo $doc->saveXML();
+?>
+--EXPECT--
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE set [
+<!ENTITY foo "<foo>bar</foo>">
+<!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<set><foo>bar</foo></set>
@@ -29,6 +29,9 @@ static bool check_options_validity(uint32_t arg_num, zend_long options)
 {
 	const zend_long VALID_OPTIONS = XML_PARSE_RECOVER
 								  | XML_PARSE_NOENT
+#if LIBXML_VERSION >= 21300
+								  | XML_PARSE_NO_XXE
+#endif
 								  | XML_PARSE_DTDLOAD
 								  | XML_PARSE_DTDATTR
 								  | XML_PARSE_DTDVALID
@@ -47,6 +50,9 @@ static bool check_options_validity(uint32_t arg_num, zend_long options)
 		zend_argument_value_error(arg_num, "contains invalid flags (allowed flags: "
 										   "LIBXML_RECOVER, "
 										   "LIBXML_NOENT, "
+#if LIBXML_VERSION >= 21300
+										   "LIBXML_NO_XXE, "
+#endif
 										   "LIBXML_DTDLOAD, "
 										   "LIBXML_DTDATTR, "
 										   "LIBXML_DTDVALID, "

@@ -28,6 +28,13 @@
  * @cvalue XML_PARSE_NOENT
  */
 const LIBXML_NOENT = UNKNOWN;
+#if LIBXML_VERSION >= 21300
+/**
+ * @var int
+ * @cvalue XML_PARSE_NO_XXE
+ */
+const LIBXML_NO_XXE = UNKNOWN;
+#endif
 /**
  * @var int
  * @cvalue XML_PARSE_DTDLOAD

@@ -0,0 +1,28 @@
+--TEST--
+XML parsing with LIBXML_NO_XXE
+--EXTENSIONS--
+simplexml
+--SKIPIF--
+<?php
+if (!defined('LIBXML_NO_XXE')) die('skip LIBXML_NO_XXE not available');
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE set [
+    <!ENTITY foo '<foo>bar</foo>'>
+    <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<set>&foo;&xxe;</set>
+XML;
+
+var_dump(simplexml_load_string($xml, options: LIBXML_NOENT | LIBXML_NO_XXE));
+
+?>
+--EXPECT--
+object(SimpleXMLElement)#1 (1) {
+  ["foo"]=>
+  string(3) "bar"
+}