Bulgaria PHP Conference
    Edit Report a Bug

    libxml_disable_entity_loader

    (PHP 5 >= 5.2.11)

    libxml_disable_entity_loaderDeshabilita la capacidad de cargar entidades externas

    Descripción

    bool libxml_disable_entity_loader ([ bool $disable = true ] )

    Habilita/deshabilita la capacidad de cargar entidades externas.

    Parámetros

    disable

    Deshabilita (TRUE) o habilita (FALSE) extensiones libxml (tal como DOM, XMLWriter y XMLReader) para cargar entidades externas.

    Valores devueltos

    Devuelve el valor anterior.

    Ver también

    add a note add a note

    User Contributed Notes 4 notes

    up
    3
    phofstetter at sensational dot ch
    1 year ago
    Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
    up
    2
    simonsimcity
    3 years ago
    Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.

    You'll see it in an example where I load and validate the following string:

    <!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
    <scan>&test;</scan>

    One way to prevent that the file in given back is to set this value to 0.
    Please take a closer look at the release of symfony 2.0.11
    up
    2
    daschtour at me dot com
    1 year ago
    This function was reported to be not thread safe. So this might affect php-scripts on the same server.
    up
    0
    brendan at bloodbone dot ws
    11 months ago
    This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
    add a note add a note
    To Top