libxml_disable_entity_loader()
(PHP 5 >= 5.2.11, PHP 7)
Disable the ability to load external entities
说明
libxml_disable_entity_loader([bool $disable= TRUE
]): bool
Disable/enable the ability to load external entities.
参数
- $disable
Disable(
TRUE
)or enable(FALSE
)libxml extensions(such as DOM,XMLWriter and XMLReader)to load external entities.
返回值
Returns the previous value.
参见
libxml_use_internal_errors()
Disable libxml errors and allow user to fetch error information as needed- The
LIBXML_NONET
constant
If is called libxml_disable_entity_loader(true); , it causes that new SoapClient(.) fails with SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl because this wsdl imports a xsd as an another external file. Tested on php 7.1.12, win x64.
Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks. You'll see it in an example where I load and validate the following string: <!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]> <scan>&test;</scan> One way to prevent that the file in given back is to set this value to 0. Please take a closer look at the release of symfony 2.0.11
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
This function was reported to be not thread safe. So this might affect php-scripts on the same server.