From 0d2c2963170fae74dfcfaa853c937ab002be2cb7 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:09:52 +0100 Subject: [PATCH 1/2] Fix GH-1408: Deprecation of libxml_disable_entity_loader() should warn about constants which will override the new default behaviour Based on stale PR GH-1409. Closes GH-1409. Closes GH-1408. Co-authored-by: Andrew Nicols --- reference/libxml/constants.xml | 13 +++++++++++++ .../functions/libxml-disable-entity-loader.xml | 11 +++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/reference/libxml/constants.xml b/reference/libxml/constants.xml index 507946f3e5fd..df83bbb034c1 100644 --- a/reference/libxml/constants.xml +++ b/reference/libxml/constants.xml @@ -46,6 +46,12 @@ Default DTD attributes + + + Enabling loading of DTD attributes will enable fetching of external entities. + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + + @@ -57,6 +63,12 @@ Load the external subset + + + Enabling loading of external subsets will enable fetching of external entities. + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + + @@ -71,6 +83,7 @@ Enabling validating the DTD may facilitate XML External Entity (XXE) attacks. + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). diff --git a/reference/libxml/functions/libxml-disable-entity-loader.xml b/reference/libxml/functions/libxml-disable-entity-loader.xml index 8d9d4ab2e7e7..01927ae69d9f 100644 --- a/reference/libxml/functions/libxml-disable-entity-loader.xml +++ b/reference/libxml/functions/libxml-disable-entity-loader.xml @@ -20,12 +20,17 @@ Disable/enable the ability to load external entities. Note that disabling the loading of external entities may cause general issues - with loading XML documents. However, as of libxml 2.9.0 entity substitution + with loading XML documents. + + + As of libxml 2.9.0 entity substitution is disabled by default, so there is no need to disable the loading of external entities, - unless there is the need to resolve internal entity references with LIBXML_NOENT. + unless there is the need to resolve internal entity references with LIBXML_NOENT, + LIBXML_DTDVALID, or LIBXML_DTDLOAD. Generally, it is preferable to use libxml_set_external_entity_loader to suppress loading of external entities. + The LIBXML_NO_XXE constant can be used to prevent this as well (only available in Libxml >= 2.13.0, as of PHP 8.4.0). @@ -100,6 +105,8 @@ libxml_use_internal_errors libxml_set_external_entity_loader The LIBXML_NOENT constant + The LIBXML_DTDVALID constant + The LIBXML_NO_XXE constant From 7a825e5c17531f9241770ba6c5d4af4ed45b695d Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:19:11 +0100 Subject: [PATCH 2/2] review stuff --- reference/libxml/constants.xml | 6 +++--- .../libxml/functions/libxml-disable-entity-loader.xml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/reference/libxml/constants.xml b/reference/libxml/constants.xml index df83bbb034c1..261846565cda 100644 --- a/reference/libxml/constants.xml +++ b/reference/libxml/constants.xml @@ -49,7 +49,7 @@ Enabling loading of DTD attributes will enable fetching of external entities. - The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). @@ -66,7 +66,7 @@ Enabling loading of external subsets will enable fetching of external entities. - The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). @@ -83,7 +83,7 @@ Enabling validating the DTD may facilitate XML External Entity (XXE) attacks. - The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + The LIBXML_NO_XXE constant can be used to prevent this (only available in Libxml >= 2.13.0, as of PHP 8.4.0). diff --git a/reference/libxml/functions/libxml-disable-entity-loader.xml b/reference/libxml/functions/libxml-disable-entity-loader.xml index 01927ae69d9f..d4e605d92f60 100644 --- a/reference/libxml/functions/libxml-disable-entity-loader.xml +++ b/reference/libxml/functions/libxml-disable-entity-loader.xml @@ -30,7 +30,7 @@ LIBXML_DTDVALID, or LIBXML_DTDLOAD. Generally, it is preferable to use libxml_set_external_entity_loader to suppress loading of external entities. - The LIBXML_NO_XXE constant can be used to prevent this as well (only available in Libxml >= 2.13.0, as of PHP 8.4.0). + The LIBXML_NO_XXE constant can be used to prevent this as well (only available in Libxml >= 2.13.0, as of PHP 8.4.0). @@ -104,9 +104,9 @@ libxml_use_internal_errors libxml_set_external_entity_loader - The LIBXML_NOENT constant - The LIBXML_DTDVALID constant - The LIBXML_NO_XXE constant + The LIBXML_NOENT constant + The LIBXML_DTDVALID constant + The LIBXML_NO_XXE constant