Rob Richards wrote on 30/07/2015 14:12:
If you are already working with a trusted document then you should safely be able to disable the entity loader. If you aren't then wouldn't you want to do some sort of checking (especially if you dont have an XML gateway fronting the system) for other malicious things before even opening the document regardless if it has external entities or not.
Can you give any pointers to what kind of checking this would be, and how it would be carried out without parsing the XML document in the first place?
According to the bug report, one of the affected uses is the SoapClient, which by definition is dealing with remote data. I can see how that could be considered "untrusted", but I can't think of any particular action that would make it more trusted (quite apart from the lack of an obvious point to intercept the data before it is parsed).
Would it not make more sense for the parser to operate in an "untrusted" mode - disabling external entities, maybe different limits on stack depth, etc?
Regards, -- Rowan Collins [IMSoP] -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
