mirror of
https://github.com/php/php-src.git
synced 2024-09-23 10:57:26 +00:00
691a09f291
Since libxml version 2.9.0 external entity loading is disabled by default. Bumping the version requirement means that XML processing in PHP is no longer vulnerable to XXE processing attacks by default.
54 lines
1.3 KiB
PHP
54 lines
1.3 KiB
PHP
--TEST--
|
|
libxml_disable_entity_loader()
|
|
--SKIPIF--
|
|
<?php
|
|
if (!extension_loaded('libxml')) die('skip libxml extension not available');
|
|
if (!extension_loaded('dom')) die('skip dom extension not available');
|
|
--FILE--
|
|
<?php
|
|
|
|
$xml = <<<EOT
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
|
|
<foo>&xxe;</foo>
|
|
EOT;
|
|
|
|
$dir = str_replace('\\', '/', __DIR__);
|
|
$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
|
|
|
|
function parseXML1($xml) {
|
|
$doc = new DOMDocument();
|
|
$doc->loadXML($xml, 0);
|
|
return $doc->saveXML();
|
|
}
|
|
|
|
function parseXML2($xml) {
|
|
return simplexml_load_string($xml);
|
|
}
|
|
|
|
function parseXML3($xml) {
|
|
$p = xml_parser_create();
|
|
xml_parse_into_struct($p, $xml, $vals, $index);
|
|
xml_parser_free($p);
|
|
return var_export($vals, true);
|
|
}
|
|
|
|
function parseXML4($xml) {
|
|
// This is the only time we enable external entity loading.
|
|
return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
|
|
}
|
|
|
|
var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
|
|
var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
|
|
var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
|
|
var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);
|
|
|
|
echo "Done\n";
|
|
?>
|
|
--EXPECTF--
|
|
bool(true)
|
|
bool(true)
|
|
bool(true)
|
|
bool(false)
|
|
Done
|