libxml_disable_entity_loader

(PHP 5 >= 5.2.11, PHP 7)

libxml_disable_entity_loader — Disable the ability to load external entities

说明

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Disable/enable the ability to load external entities.

参数

disable: Disable (TRUE) or enable (FALSE) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

返回值

Returns the previous value.

参见

libxml_use_internal_errors() - Disable libxml errors and allow user to fetch error information as needed
The LIBXML_NONET constant

User Contributed Notes

brendan at bloodbone dot ws 25-Mar-2014 07:23


This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.

phofstetter at sensational dot ch 28-Jan-2014 01:36


Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs

daschtour at me dot com 25-Dec-2013 08:56


This function was reported to be not thread safe. So this might affect php-scripts on the same server.

simonsimcity 01-Mar-2012 03:23


Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.



You'll see it in an example where I load and validate the following string:



<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>

<scan>&test;</scan>



One way to prevent that the file in given back is to set this value to 0.

Please take a closer look at the release of symfony 2.0.11