Skip to content

Commit eae558e

Browse files
ndosscheandrewnicols
ndossche
and
andrewnicols
authored
Fix GH-1408: Deprecation of libxml_disable_entity_loader() should warn about constants which will override the new default behaviour (#4036)
Based on stale PR GH-1409. Closes GH-1409. Closes GH-1408. Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
1 parent 3f1cd51 commit eae558e

File tree

2 files changed

+23
-3
lines changed

2 files changed

+23
-3
lines changed

reference/libxml/constants.xml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,12 @@
4646
<simpara>
4747
Default DTD attributes
4848
</simpara>
49+
<caution>
50+
<simpara>
51+
Enabling loading of DTD attributes will enable fetching of external entities.
52+
The <constant>LIBXML_NO_XXE</constant> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
53+
</simpara>
54+
</caution>
4955
</listitem>
5056
</varlistentry>
5157
<varlistentry xml:id="constant.libxml-dtdload">
@@ -57,6 +63,12 @@
5763
<simpara>
5864
Load the external subset
5965
</simpara>
66+
<caution>
67+
<simpara>
68+
Enabling loading of external subsets will enable fetching of external entities.
69+
The <constant>LIBXML_NO_XXE</constant> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
70+
</simpara>
71+
</caution>
6072
</listitem>
6173
</varlistentry>
6274
<varlistentry xml:id="constant.libxml-dtdvalid">
@@ -71,6 +83,7 @@
7183
<caution>
7284
<simpara>
7385
Enabling validating the DTD may facilitate XML External Entity (XXE) attacks.
86+
The <constant>LIBXML_NO_XXE</constant> constant can be used to prevent this (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
7487
</simpara>
7588
</caution>
7689
</listitem>

reference/libxml/functions/libxml-disable-entity-loader.xml

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,17 @@
2020
<para>
2121
Disable/enable the ability to load external entities.
2222
Note that disabling the loading of external entities may cause general issues
23-
with loading XML documents. However, as of libxml 2.9.0 entity substitution
23+
with loading XML documents.
24+
</para>
25+
<para>
26+
As of libxml 2.9.0 entity substitution
2427
is disabled by default, so there is no need to disable the loading of external
2528
entities,
26-
unless there is the need to resolve internal entity references with <constant>LIBXML_NOENT</constant>.
29+
unless there is the need to resolve internal entity references with <constant>LIBXML_NOENT</constant>,
30+
<constant>LIBXML_DTDVALID</constant>, or <constant>LIBXML_DTDLOAD</constant>.
2731
Generally, it is preferable to use <function>libxml_set_external_entity_loader</function>
2832
to suppress loading of external entities.
33+
The <constant>LIBXML_NO_XXE</constant> constant can be used to prevent this as well (only available in Libxml &gt;= 2.13.0, as of PHP 8.4.0).
2934
</para>
3035
</refsect1>
3136

@@ -99,7 +104,9 @@
99104
<simplelist>
100105
<member><function>libxml_use_internal_errors</function></member>
101106
<member><function>libxml_set_external_entity_loader</function></member>
102-
<member><link linkend="libxml.constants">The <constant>LIBXML_NOENT</constant> constant</link></member>
107+
<member>The <constant>LIBXML_NOENT</constant> constant</member>
108+
<member>The <constant>LIBXML_DTDVALID</constant> constant</member>
109+
<member>The <constant>LIBXML_NO_XXE</constant> constant</member>
103110
</simplelist>
104111
</para>
105112
</refsect1>

0 commit comments

Comments
 (0)