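--TEST--
libxml_disable_entity_loader()
--SKIPIF--
<?php
if (!extension_loaded('libxml')) die('skip libxml extension not available');
if (!extension_loaded('dom')) die('skip dom extension not available');
// parseXML2/parseXML4 need SimpleXML and parseXML3 needs ext/xml; without these
// skips a build lacking either extension would fail the test instead of skipping it.
if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
if (!extension_loaded('xml')) die('skip xml extension not available');
--FILE--
<?php

// Document with an external (SYSTEM) entity. XXE_URI is replaced below with the
// path of a local payload file; the EXPECTF section relies on that file
// containing the marker SECRET_DATA.
$xml = <<<EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
<foo>&xxe;</foo>
EOT;

// Normalise Windows path separators so the entity URI is a plain forward-slash path.
$dir = str_replace('\\', '/', __DIR__);
$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);

/**
 * DOM with no parser flags: the document is loaded and serialised back.
 * Expected: the &xxe; reference is left unresolved, so the payload never appears.
 */
function parseXML1($xml) {
    $document = new DOMDocument();
    $document->loadXML($xml, 0);
    return $document->saveXML();
}

/**
 * SimpleXML with default options (no entity substitution).
 * Returns the SimpleXMLElement; strpos() below stringifies it.
 */
function parseXML2($xml) {
    return simplexml_load_string($xml);
}

/**
 * ext/xml (expat-style) parser; the parsed structure is returned as PHP source
 * via var_export() so it can be searched for the marker.
 */
function parseXML3($xml) {
    $parser = xml_parser_create();
    xml_parse_into_struct($parser, $xml, $values, $tagIndex);
    xml_parser_free($parser);
    return var_export($values, true);
}

/**
 * SimpleXML with LIBXML_NOENT. This is the only case that opts into entity
 * substitution, and therefore the only one in which the external entity is
 * loaded and the payload file's contents end up in the result.
 */
function parseXML4($xml) {
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Prints bool(true) when the marker did NOT reach the parser output, i.e. the
// external entity was not resolved.
$marker = 'SECRET_DATA';
$unresolved = function ($output) use ($marker) {
    return strpos($output, $marker) === false;
};

var_dump($unresolved(parseXML1($xml)));
var_dump($unresolved(parseXML2($xml)));
var_dump($unresolved(parseXML3($xml)));
var_dump($unresolved(parseXML4($xml)));

echo "Done\n";
?>
--EXPECTF--
bool(true)
bool(true)
bool(true)
bool(false)
Done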