PHP Unconference Europe 2015

libxml_disable_entity_loader

(PHP 5 >= 5.2.11)

libxml_disable_entity_loaderDisable the ability to load external entities

Description

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Disable/enable the ability to load external entities.

Parameters

disable

Disable (TRUE) or enable (FALSE) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

Return Values

Returns the previous value.

See Also

add a note add a note

User Contributed Notes 4 notes

up
2
simonsimcity
2 years ago
Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

One way to prevent that the file in given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11
up
2
daschtour at me dot com
10 months ago
This function was reported to be not thread safe. So this might affect php-scripts on the same server.
up
1
phofstetter at sensational dot ch
9 months ago
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
up
0
brendan at bloodbone dot ws
7 months ago
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
To Top