From: Dik Takken
Date: Thu, 16 Jul 2020 12:20:41 +0000 (+0200)
Subject: Deprecate libxml_disable_entity_loader()
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e0fa48f69dd14b52c8f1b2904ac7bd30472849a8;p=php
Deprecate libxml_disable_entity_loader()
This method was used to protect code against XXE processing attacks. Since PHP now requires libxml >= 2.9.0 external entity loading no longer needs to be disabled to prevent these attacks. It is disabled by default. Also, the method has an unwanted side effect that causes a lot of confusion: Parsing XML data from resources like files is no longer possible. Closes GH-5867.
---
diff --git a/UPGRADING b/UPGRADING
index d08dcb5df4..101f53cbef 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -799,6 +799,11 @@ PHP 8.0 UPGRADE NOTES
 . enchant_broker_free and enchant_broker_free_dict, unset the object instead
 . ENCHANT_MYSPELL and ENCHANT_ISPELL constants
+- LibXML:
+ . libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
+ required, external entity loading is guaranteed to be disabled by default,
+ and this function is no longer needed to protect against XXE attacks.
+
 - PGSQL / PDO PGSQL:
 . The constant PG_VERSION_STR has now the same value as PG_VERSION, and thus is deprecated.
diff --git a/ext/libxml/libxml.stub.php b/ext/libxml/libxml.stub.php
index 74a15e9169..12685bd8ce 100644
--- a/ext/libxml/libxml.stub.php
+++ b/ext/libxml/libxml.stub.php
@@ -13,6 +13,7 @@ function libxml_get_errors(): array {}
 function libxml_clear_errors(): void {}
+/** @deprecated */
 function libxml_disable_entity_loader(bool $disable = true): bool {}
 function libxml_set_external_entity_loader(?callable $resolver_function): bool {}
diff --git a/ext/libxml/libxml_arginfo.h b/ext/libxml/libxml_arginfo.h
index bf4bc2c01d..217bff288b 100644
--- a/ext/libxml/libxml_arginfo.h
+++ b/ext/libxml/libxml_arginfo.h
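Review bot: In ext/libxml/libxml.stub.php the new `/** @deprecated */` docblock names no replacement and carries no caveat. As far as I know, external entities stay unloaded by default only while the parser is not asked to substitute entities; code that passes `LIBXML_NOENT` still resolves them and loses its guard once calls to this function are removed. I would add a plain comment above the docblock, e.g. `// Deprecated: entity loading is off by default; with LIBXML_NOENT, restrict loading via libxml_set_external_entity_loader().` Whether the stub generator accepts free text inside the `@deprecated` tag is not visible here, so a separate comment line is the safer form.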
@@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 2d793e5134ea8633c432f03d20c1d8b80a05795b */ + * Stub hash: ded229511dc2bc3912d35b8055c0fd69420baff0 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_libxml_set_streams_context, 0, 1, IS_VOID, 0) ZEND_ARG_INFO(0, context)
@@ -42,7 +42,7 @@ static const zend_function_entry ext_functions[] = { ZEND_FE(libxml_get_last_error, arginfo_libxml_get_last_error) ZEND_FE(libxml_get_errors, arginfo_libxml_get_errors) ZEND_FE(libxml_clear_errors, arginfo_libxml_clear_errors) - ZEND_FE(libxml_disable_entity_loader, arginfo_libxml_disable_entity_loader) + ZEND_DEP_FE(libxml_disable_entity_loader, arginfo_libxml_disable_entity_loader) ZEND_FE(libxml_set_external_entity_loader, arginfo_libxml_set_external_entity_loader) ZEND_FE_END };
diff --git a/ext/libxml/tests/libxml_disable_entity_loader.phpt b/ext/libxml/tests/libxml_disable_entity_loader.phpt
index 790a98db16..d72a9b21d6 100644
--- a/ext/libxml/tests/libxml_disable_entity_loader.phpt
+++ b/ext/libxml/tests/libxml_disable_entity_loader.phpt
@@ -33,6 +33,8 @@ echo "Done\n";
 ?>
 --EXPECTF--
 bool(true)
+
+Deprecated: Function libxml_disable_entity_loader() is deprecated in %s on line %d
 bool(false)
 Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "%s" in %s on line %d
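Review bot: The updated `--EXPECTF--` section of libxml_disable_entity_loader.phpt pins only the new deprecation notice; nothing in this patch tests the claim the deprecation rests on, namely that a document declaring an external entity is left unexpanded when this function is never called. A companion .phpt that parses such a document with default options and asserts the entity content does not appear in the result would catch a regression in that default. Such a test may already exist outside this patch, and the test body itself starts before this hunk, so this is a coverage question rather than a defect in the lines shown.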