From a07808fdd74a7ebda792e77c4c7b377e6d44f26a Mon Sep 17 00:00:00 2001
From: Christoph Michael Becker
Date: Mon, 31 Aug 2020 16:29:59 +0000
Subject: [PATCH] Fix #62577: simplexml_load_file does not file if libxml_disable_entity_loader(true)
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@350442 c90b9560-bf6c-de11-be94-00142212c4b1
---
reference/dom/domdocument.xml | 5 +++++
reference/libxml/constants.xml | 5 +++++
reference/libxml/functions/libxml-disable-entity-loader.xml | 4 ++++
3 files changed, 14 insertions(+)
diff --git a/reference/dom/domdocument.xml b/reference/dom/domdocument.xml
index 38a0e74ba1..1f88ecee63 100644
--- a/reference/dom/domdocument.xml
+++ b/reference/dom/domdocument.xml
@@ -283,6 +283,11 @@ entities. This attribute is not part of the DOM specification and is specific to libxml.
+
+
+ Enabling entity substitution may facilitate XML External Entity (XXE) attacks.
+
+
diff --git a/reference/libxml/constants.xml b/reference/libxml/constants.xml
index 527b151451..5ad810869a 100644
--- a/reference/libxml/constants.xml
+++ b/reference/libxml/constants.xml
@@ -154,6 +154,11 @@ Substitute entities
+
+
+ Enabling entity substitution may facilitate XML External Entity (XXE) attacks.
+
+
diff --git a/reference/libxml/functions/libxml-disable-entity-loader.xml b/reference/libxml/functions/libxml-disable-entity-loader.xml
index fec188f96e..f64a54b1a0 100644
--- a/reference/libxml/functions/libxml-disable-entity-loader.xml
+++ b/reference/libxml/functions/libxml-disable-entity-loader.xml
@@ -15,6 +15,10 @@ Disable/enable the ability to load external entities.
+ Note that disabling the loading of external entities may cause general issues
+ with loading XML documents. However, as of libxml 2.9.0 entity substitution
+ is disabled by default, so there is no need to disable the loading of external
+ entities.