PHP 8.0 migration/deprecated: expand on libxml_disable_entity_loader() (#528)

The current text in the migration guide about the deprecation of `libxml_disable_entity_loader()` is misleading and can easily lead to the introduction of XXE vulnerable code.

In select circumstances, when `LIBXML_NOENT` is used, code can still be vulnerable to XXE attacks, even on PHP 8.0.
So I'm proposing to add an appropriate warning and mention the upgrade path in the migration guide.

Includes fixing a typo on the `libxml_disable_entity_loader()` page.

Co-authored-by: jrfnl <jrfnl@users.noreply.github.com>
Juliette 2021-04-16 10:44:07 +02:00 committed by GitHub
parent 2a5459cd41
commit f3b5475eeb
2 changed files with 5 additions and 2 deletions
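The condition the commit message describes, as an added example that is not part of this commit or of the PHP documentation: a `DOMDocument` parse with `LIBXML_NOENT` still resolves an external entity on PHP 8.0, while the hardened variant installs a refusing loader through `libxml_set_external_entity_loader()`, which is the upgrade path the commit recommends. The sample document, the file path inside its entity declaration and the function names are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the php-doc commit). With libxml >= 2.9.0 external
// entity loading is off by default, but LIBXML_NOENT asks libxml to substitute
// entities, and substituting &ext; below means fetching its external target.
// Refusing every external entity in a custom loader closes that hole.

// Constructed sample: an XML document declaring an external entity. The file
// path in the system identifier is only an illustration.
function sample_xml(): string
{
    return <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<data>&ext;</data>
XML;
}

// Vulnerable even on PHP 8.0: LIBXML_NOENT re-enables entity substitution, so
// the text content of <data> becomes the contents of the referenced file.
function parse_with_noent(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->documentElement ? $dom->documentElement->textContent : '';
}

// Hardened: install an external entity loader that refuses everything, so the
// LIBXML_NOENT flag can no longer cause a file or URL to be read. libxml reports
// the refused entity as a parse error; we collect it with internal error
// handling instead of letting it surface as a PHP warning.
function parse_with_entity_loader_disabled(string $xml): array
{
    $refused = [];
    libxml_set_external_entity_loader(
        function (?string $publicId, ?string $systemId, array $context) use (&$refused): ?string {
            $refused[] = $systemId;
            return null; // null tells libxml the entity cannot be loaded
        }
    );
    $previousErrorMode = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        $dom->loadXML($xml, LIBXML_NOENT);
        $text = $dom->documentElement ? $dom->documentElement->textContent : '';
        return ['text' => $text, 'refused' => $refused, 'errors' => libxml_get_errors()];
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

// Usage: the hardened parser yields an empty <data> and records the refused
// system identifier, whereas parse_with_noent() would return the file contents.
$result = parse_with_entity_loader_disabled(sample_xml());
printf("text=%s refused=%s\n", var_export($result['text'], true), implode(',', $result['refused']));
```

The loader is installed process-wide, so the hardened function restores the default loader in `finally`; in a real code base the refusing loader would normally be registered once at bootstrap rather than per call. Dropping `LIBXML_NOENT` altogether is the simpler fix when entity substitution is not actually needed.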


@ -95,7 +95,10 @@ function test(?A $a, $b) {} // Recommended
<para>
<function>libxml_disable_entity_loader</function> has been deprecated. As libxml 2.9.0 is now
required, external entity loading is guaranteed to be disabled by default, and this function is
no longer needed to protect against XXE attacks.
no longer needed to protect against XXE attacks, unless the (still vulnerable).
<constant>LIBXML_NOENT</constant> is used.
In that case, it is recommended to refactor the code using
<function>libxml_set_external_entity_loader</function> to suppress loading of external entities.
</para>
</sect2>
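Review bot: the added sentence has a stray full stop after "(still vulnerable)", which cuts it off from "<constant>LIBXML_NOENT</constant> is used" and leaves a sentence fragment; it should read "no longer needed to protect against XXE attacks, unless the (still vulnerable) <constant>LIBXML_NOENT</constant> is used." It would also help the reader to say in one clause why that flag is still vulnerable, namely that it enables entity substitution and therefore the loading of external entities, since otherwise the "guaranteed to be disabled by default" statement just before it looks contradictory.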


@ -99,7 +99,7 @@
<simplelist>
<member><function>libxml_use_internal_errors</function></member>
<member><function>libxml_set_external_entity_loader</function></member>
<member><link linkend="libxml.constants">The <constant>LIBXML_NONET</constant> constant</link></member>
<member><link linkend="libxml.constants">The <constant>LIBXML_NOENT</constant> constant</link></member>
</simplelist>
</para>
</refsect1>
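Review bot: swapping <constant>LIBXML_NONET</constant> for <constant>LIBXML_NOENT</constant> in the see-also list removes a constant that is also relevant here; <constant>LIBXML_NONET</constant> disables network access while a document is loaded and is a reasonable cross-reference from an XXE-related function. Unless NONET really was a typo for NOENT on this page, consider adding the NOENT member and keeping the NONET one rather than replacing it.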