libxml_disable_entity_loader

(PHP 5 >= 5.2.11, PHP 7)

libxml_disable_entity_loader - Disable the ability to load external entities

Description

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Enables or disables the ability to load external entities.

Parameters

disable

Disable (TRUE) or enable (FALSE) the loading of external entities in extensions that use libxml (DOM, XMLWriter and XMLReader).

Return Values

Returns the previous value.
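
The returned previous value makes it possible to disable external entity loading only while untrusted XML is parsed and then restore the earlier setting. The following is an added example, not part of the PHP manual: parse_untrusted_xml() and the sample documents are hypothetical, and it assumes PHP 5.5 or later for finally.

```php
<?php
// Added example; parse_untrusted_xml() and the sample data are hypothetical.
// Assumes PHP >= 5.5 (finally). PHP 8.0 deprecates libxml_disable_entity_loader().
function parse_untrusted_xml($xml)
{
    // The return value is the previous state; keep it so it can be restored.
    $previous = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access. LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately not passed, so entities are never substituted.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('XML is not well-formed');
        }
        // Defence in depth: refuse any document that declares a DOCTYPE.
        if ($dom->doctype !== null) {
            throw new RuntimeException('DOCTYPE declarations are not accepted');
        }
        return $dom;
    } finally {
        // Restore the earlier settings so WSDL, XSLT and URL loading elsewhere
        // in the script are not affected.
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previous);
    }
}

// Constructed sample input: a marker file and a document whose entity names it.
$marker = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($marker, 'MARKER-SHOULD-NOT-APPEAR');
$samples = array(
    'plain'   => '<scan>hello</scan>',
    'doctype' => '<!DOCTYPE scan [<!ENTITY test SYSTEM "file://' . $marker . '">]>'
               . '<scan>&test;</scan>',
);
foreach ($samples as $name => $xml) {
    try {
        $dom = parse_untrusted_xml($xml);
        echo $name, ': accepted, text = ', $dom->documentElement->textContent, "\n";
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
unlink($marker);
```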

See Also


User Contributed Notes 5 notes

up
5
simonsimcity
6 years ago
Using this function you can prevent a vulnerability to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

One way to prevent the file from being given back is to set this value to 0.
Please take a closer look at the release of Symfony 2.0.11.
up
3
phofstetter at sensational dot ch
4 years ago
Be mindful that this also disables URL loading in simplexml_load_file() and likely other libxml-based functions that deal with URLs.
up
1
vavra at 602 dot cz
9 months ago
If
libxml_disable_entity_loader(true);
is called, it causes new SoapClient(.) to fail with

SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl

because this WSDL imports an XSD as another external file.
Tested on php 7.1.12, win x64.
up
-2
daschtour at me dot com
4 years ago
This function was reported to be not thread safe. So this might affect php-scripts on the same server.
up
-2
brendan at bloodbone dot ws
4 years ago
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.