ViaThinkSoft CodeLib
<?php
// Document declaring an external entity that points at a local file (the classic XXE probe).
$x = '<!DOCTYPE scan [<!ENTITY test SYSTEM "/etc/passwd">]><scan>&test;</scan>';

// Unsafe: the entity loader is enabled and LIBXML_NOENT tells libxml to
// substitute entities, so the content of /etc/passwd ends up inside <scan>.
libxml_disable_entity_loader(false);
$xml = simplexml_load_string($x, 'SimpleXMLElement', LIBXML_NOENT);
var_dump($xml);

// Safe: external entity loading is disabled and LIBXML_NOENT is not passed,
// so &test; is not substituted and the file is never read.
// (libxml_disable_entity_loader() is deprecated as of PHP 8.0, where external
// entity loading is already off by default.)
libxml_disable_entity_loader(true);
$xml = simplexml_load_string($x, 'SimpleXMLElement');
var_dump($xml);
Summary: If you use simplexml_load_string in the "normal" way (i.e. without LIBXML_NOENT), you are safe.
Please note that LIBXML_NOENT enables the loading of foreign (external) entities. The name is very misleading!
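As an added example (not part of the original CodeLib entry), a small wrapper that parses untrusted XML with SimpleXML without entity substitution, rejects any document that declares a DTD at all, and restores the global libxml state it touched; the function name safe_simplexml_load is chosen here:

```php
<?php
// Added example, not from the original page: a hardened loader for untrusted XML.
// It never passes LIBXML_NOENT, so entities are not substituted, and it refuses
// any document carrying a DOCTYPE, so no entity can even be declared.
function safe_simplexml_load(string $data): ?SimpleXMLElement
{
    // Defense in depth: a DOCTYPE is the only place entities can be declared,
    // and untrusted input for a plain data exchange has no reason to have one.
    if (stripos($data, '<!DOCTYPE') !== false || stripos($data, '<!ENTITY') !== false) {
        return null;
    }

    // PHP < 8.0 loads external entities by default; turn that off and remember
    // the previous setting so it can be restored afterwards. PHP >= 8.0 disables
    // external entity loading by default and deprecates this function.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);

    try {
        // No LIBXML_NOENT here. LIBXML_NONET additionally forbids network access
        // during parsing, so a remote entity could not be fetched either.
        $xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);
        return $xml === false ? null : $xml;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// The payload from the entry above is rejected outright because of its DOCTYPE.
$hostile = '<!DOCTYPE scan [<!ENTITY test SYSTEM "/etc/passwd">]><scan>&test;</scan>';
var_dump(safe_simplexml_load($hostile));

// Ordinary documents without a DTD (constructed sample) still parse normally.
$benign = '<scan><item>ok</item></scan>';
var_dump((string) safe_simplexml_load($benign)->item);
```

The DOCTYPE check is a heuristic layered on top of the real protection (no LIBXML_NOENT, entity loader disabled), not a replacement for it.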
Daniel Marschall
ViaThinkSoft Co-Founder