Commit f33d4cef authored by Aaron Wells

Documenting safe usage of simplexml_load_file()

Bug1047111

Change-Id: I850603dbc1d85f4360ce227d2658e5abb51af1aa
parent 1f7642cd
......@@ -61,6 +61,23 @@ if (!is_readable($CFG->docroot . 'config.php')) {
init_performance_info();
// Because the default XML loader is vulnerable to XEE attacks, we're disabling it by default.
// If you need to use it, you can re-enable the function, call it while passing in the
// LIBXML_NONET parameter, and then disable the function again, like this:
//
// EXAMPLE
// if (function_exists('libxml_disable_entity_loader')) {
// libxml_disable_entity_loader(false);
// }
// $options =
// LIBXML_COMPACT | // Reported to greatly speed XML parsing
// LIBXML_NONET // Disable network access - security check
// ;
// $xml = simplexml_load_file($filename, 'SimpleXMLElement', $options);
// if (function_exists('libxml_disable_entity_loader')) {
// libxml_disable_entity_loader(true);
// }
// END EXAMPLE
if (function_exists('libxml_disable_entity_loader')) {
libxml_disable_entity_loader(true);
}
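Review bot: The documented example (the commented block between `// EXAMPLE` and `// END EXAMPLE`) re-enables the entity loader and only disables it again if `simplexml_load_file()` returns normally, so a copy of this pattern would leave the loader enabled if an error handler throws in between. The example should capture the previous state with `$old = libxml_disable_entity_loader(false);` and restore it in a `finally` block with `libxml_disable_entity_loader($old);`, or avoid the toggle by reading the file and parsing it with `simplexml_load_string()`. The comment should also state that `LIBXML_NONET` only blocks network fetches, so callers must not add `LIBXML_NOENT` or `LIBXML_DTDLOAD` to `$options`, for example `// Do not add LIBXML_NOENT or LIBXML_DTDLOAD: LIBXML_NONET does not stop local file entities.` Finally, "XEE" in the first added comment line is presumably meant to be "XXE".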