--TEST--
libxml_disable_entity_loader()
--SKIPIF--
<?php if (!extension_loaded('libxml') || !extension_loaded('dom') || defined('PHP_WINDOWS_VERSION_MAJOR')) die('skip'); ?>
--FILE--
<?php

// Regression test for XXE (XML external entity) handling: a SYSTEM entity that
// points at a file next to this test is inlined while the libxml entity loader
// is enabled, and must no longer be resolved once the loader has been disabled.
// NOTE(review): libxml_disable_entity_loader() is deprecated as of PHP 8.0;
// confirm the PHP versions this test targets before relying on its expectations.
$payloadPath = __DIR__ . '/libxml_disable_entity_loader_payload.txt';

$template = <<<EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
<foo>&xxe;</foo>
EOT;

$xml = str_replace('XXE_URI', $payloadPath, $template);

/**
 * Parse $xml with external-entity resolution and entity substitution switched
 * on, then serialise the document so the caller can look for substituted text.
 */
function parseXML($xml) {
    $document = new DOMDocument();
    // Both flags are required for the &xxe; reference to be expanded from its SYSTEM URI.
    $document->resolveExternals = true;
    $document->substituteEntities = true;
    $document->validateOnParse = false;
    $document->loadXML($xml, 0);
    return $document->saveXML();
}

$containsSecret = function ($serialized) {
    return strpos($serialized, 'SECRET_DATA') !== false;
};

// Loader enabled: the payload file is fetched and its contents show up in the output.
var_dump($containsSecret(parseXML($xml)));
// Expected to report the previous state (false): the loader was enabled until now.
var_dump(libxml_disable_entity_loader(true));
// Loader disabled: the SYSTEM entity cannot be fetched, so the secret must be absent.
var_dump(!$containsSecret(parseXML($xml)));

echo "Done\n";
?>
--EXPECTF--
bool(true)
bool(false)

Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "%s" in %s on line %d

Warning: DOMDocument::loadXML(): Failure to process entity xxe in Entity, line: %d in %s on line %d

Warning: DOMDocument::loadXML(): Entity 'xxe' not defined in Entity, line: %d in %s on line %d
bool(true)
Done