--TEST--
libxml_disable_entity_loader()
--EXTENSIONS--
libxml
dom
xml
simplexml
--FILE--
<?php

// Regression test for external entity (XXE) handling: the same document is
// fed to DOM, SimpleXML and the xml extension, and each result is searched
// for a marker string that should only appear if the external entity was read.
// NOTE(review): despite the test title, this script never calls
// libxml_disable_entity_loader(); the first three checks run each parser with
// the options shown below and nothing else.

// Document under test: the DTD declares an external entity `xxe` whose SYSTEM
// identifier is the placeholder XXE_URI, and <foo> references that entity.
$xml = <<<EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
<foo>&xxe;</foo>
EOT;

// Use forward slashes in the directory path before embedding it in the XML
// (presumably so a Windows path works as a system identifier; confirm).
$dir = str_replace('\\', '/', __DIR__);
// Point the entity at the payload file that sits next to this test.
// The payload file is not part of this listing; the checks below imply that it
// contains the marker SECRET_DATA.
$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);

/**
 * Parse with DOMDocument using options 0 (no LIBXML_* flags) and return the
 * re-serialised document.
 *
 * @param string $xml XML text containing the external entity reference.
 * @return string|false Output of DOMDocument::saveXML().
 */
function parseXML1($xml) {
    $doc = new DOMDocument();
    $doc->loadXML($xml, 0);
    return $doc->saveXML();
}

/**
 * Parse with SimpleXML using its default options.
 *
 * @param string $xml XML text containing the external entity reference.
 * @return SimpleXMLElement|false Result of simplexml_load_string(); the caller
 *                                passes it to strpos(), which reads it as a string.
 */
function parseXML2($xml) {
    return simplexml_load_string($xml);
}

/**
 * Parse with the xml extension and return a textual dump of the value array
 * filled in by xml_parse_into_struct().
 *
 * @param string $xml XML text containing the external entity reference.
 * @return string var_export() rendering of the parsed values.
 */
function parseXML3($xml) {
    $p = xml_parser_create();
    xml_parse_into_struct($p, $xml, $vals, $index);
    xml_parser_free($p);
    return var_export($vals, true);
}

/**
 * Parse with SimpleXML and LIBXML_NOENT, the one case in this test that is
 * expected to pull the external file into the result.
 *
 * @param string $xml XML text containing the external entity reference.
 * @return SimpleXMLElement|false Result of simplexml_load_string().
 */
function parseXML4($xml) {
    // This is the only time we enable external entity loading.
    // LIBXML_NOENT asks libxml to substitute entities, so the SYSTEM entity is
    // expanded into the document. Code that parses untrusted XML should not
    // pass this flag; it is used here only to prove the check can fail.
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Each line prints bool(true) when the marker 'SECRET_DATA' does NOT occur in
// that parser's output. --EXPECT-- pins true for parseXML1..3 and false for
// parseXML4, i.e. only the LIBXML_NOENT call may expose the payload.
var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);

echo "Done\n";
?>
--EXPECT--
bool(true)
bool(true)
bool(true)
bool(false)
Done