Deprecate libxml_disable_entity_loader()

This method was used to protect code against XXE processing attacks.
Since PHP now requires libxml >= 2.9.0 external entity loading no longer
needs to be disabled to prevent these attacks. It is disabled by default.
Also, the method has an unwanted side effect that causes a lot of
confusion: Parsing XML data from resources like files is no longer possible.

Closes GH-5867.

diff --git a/UPGRADING b/UPGRADING
index d08dcb5df42da006520857f32127a6892f21e95e..101f53cbeff252ec3b29c2ee9771998cee83a31e 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -799,6 +799,11 @@ PHP 8.0 UPGRADE NOTES
   . enchant_broker_free and enchant_broker_free_dict, unset the object instead
   . ENCHANT_MYSPELL and ENCHANT_ISPELL constants
 
+- LibXML:
+  . libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
+    required, external entity loading is guaranteed to be disabled by default,
+    and this function is no longer needed to protect against XXE attacks.
+
 - PGSQL / PDO PGSQL:
   . The constant PG_VERSION_STR has now the same value as PG_VERSION, and thus
     is deprecated.

diff --git a/ext/libxml/libxml.stub.php b/ext/libxml/libxml.stub.php
index 74a15e916994e69bb5f51a3f45381d7f0fe29c93..12685bd8ceea68b2208f728de27d04b4dd9fa723 100644 (file)
--- a/ext/libxml/libxml.stub.php
+++ b/ext/libxml/libxml.stub.php
@@ -13,6 +13,7 @@ function libxml_get_errors(): array {}
 
 function libxml_clear_errors(): void {}
 
+/** @deprecated */
 function libxml_disable_entity_loader(bool $disable = true): bool {}
 
 function libxml_set_external_entity_loader(?callable $resolver_function): bool {}

diff --git a/ext/libxml/libxml_arginfo.h b/ext/libxml/libxml_arginfo.h
index bf4bc2c01dd3ca73360e263bc95ab13e1d02bd43..217bff288bfae7b75ad04215ef7ae5ef2d43ac67 100644 (file)
--- a/ext/libxml/libxml_arginfo.h
+++ b/ext/libxml/libxml_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 2d793e5134ea8633c432f03d20c1d8b80a05795b */
+ * Stub hash: ded229511dc2bc3912d35b8055c0fd69420baff0 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_libxml_set_streams_context, 0, 1, IS_VOID, 0)
        ZEND_ARG_INFO(0, context)
@@ -42,7 +42,7 @@ static const zend_function_entry ext_functions[] = {
        ZEND_FE(libxml_get_last_error, arginfo_libxml_get_last_error)
        ZEND_FE(libxml_get_errors, arginfo_libxml_get_errors)
        ZEND_FE(libxml_clear_errors, arginfo_libxml_clear_errors)
-       ZEND_FE(libxml_disable_entity_loader, arginfo_libxml_disable_entity_loader)
+       ZEND_DEP_FE(libxml_disable_entity_loader, arginfo_libxml_disable_entity_loader)
        ZEND_FE(libxml_set_external_entity_loader, arginfo_libxml_set_external_entity_loader)
        ZEND_FE_END
 };

diff --git a/ext/libxml/tests/libxml_disable_entity_loader.phpt b/ext/libxml/tests/libxml_disable_entity_loader.phpt
index 790a98db1603506751c6afaa9b82c784aed5a9b0..d72a9b21d683769bbf7814fc9e5c1c4b678a4354 100644 (file)
--- a/ext/libxml/tests/libxml_disable_entity_loader.phpt
+++ b/ext/libxml/tests/libxml_disable_entity_loader.phpt
@@ -33,6 +33,8 @@ echo "Done\n";
 ?>
 --EXPECTF--
 bool(true)
+
+Deprecated: Function libxml_disable_entity_loader() is deprecated in %s on line %d
 bool(false)
 
 Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "%s" in %s on line %d