Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.
You'll see it in an example where I load and validate the following string:
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
One way to prevent that the file in given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11
libxml_disable_entity_loader
(PHP 5 >= 5.2.11, PHP 7)
libxml_disable_entity_loader — Deshabilita la capacidad de cargar entidades externas
Descripción
bool libxml_disable_entity_loader
([ bool
$disable = true
] )Habilita/deshabilita la capacidad de cargar entidades externas.
Parámetros
Valores devueltos
Devuelve el valor anterior.
Ver también
- libxml_use_internal_errors() - Deshabilita errores libxml y permite al usuario extraer información de errores según sea necesario
- La constante
LIBXML_NONET
add a note
User Contributed Notes 4 notes
simonsimcity ¶
5 years ago
phofstetter at sensational dot ch ¶
3 years ago
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
daschtour at me dot com ¶
3 years ago
This function was reported to be not thread safe. So this might affect php-scripts on the same server.
brendan at bloodbone dot ws ¶
3 years ago
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
