Hi!

> The problem here is that imagine the following:

I think if we separate loading the initial file (i.e., the starting point of
the XML parser) and loading the entities from that file (which is not
happening right now) we'd solve many BC problems. Not sure about SOAP, but
many others for sure.

> I know that you want it to work, but this is actually a great place to
> fail, because you're loading a trusted resource over HTTP. Meaning
> that an attacker could MITM and inject malicious XML into the response,
> and own your server without even needing to own the endpoint.

I feel like the XML parser is the wrong place to solve this problem; transport
security can be done in HTTPS, signatures, etc. Otherwise many protocols
that rely on XML - such as SAML, which is quite widely used - would be
completely useless.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
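
An added example, not part of this message or of PHP itself: one way an application can keep the two steps apart on its own side, reading the starting document in application code and refusing every load the parser requests while parsing. The helper name `parseWithoutExternalLoads` and the sample document are constructed for illustration; PHP 8 with the DOM extension is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example): the application reads the entry
// document itself, and the parser may not fetch anything on its own.
function parseWithoutExternalLoads(string $source): DOMDocument
{
    // 1. Load the starting document in application code. Transport
    //    concerns (HTTPS, signature checks) belong to this step.
    $xml = file_get_contents($source);
    if ($xml === false) {
        throw new RuntimeException("cannot read entry document: $source");
    }

    // 2. Refuse every resource libxml asks for while parsing: external
    //    DTD subsets, external entities, XInclude targets.
    libxml_set_external_entity_loader(
        static function ($public, $system, $context) {
            return null; // null tells libxml the resource is unavailable
        }
    );

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // Parsing from a string keeps the entry document out of the loader.
        // LIBXML_NONET additionally blocks network access inside libxml.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('XML is not well-formed');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

// Constructed sample: the DOCTYPE declares an external entity at a placeholder path.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>
<note>&ext;</note>
XML;
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, $sample);
$doc = parseWithoutExternalLoads($tmp);
var_dump($doc->documentElement->firstChild instanceof DOMEntityReference);
unlink($tmp);
```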