Documenting safe usage of simplexml_load_file()

Bug1047111 Change-Id: I850603dbc1d85f4360ce227d2658e5abb51af1aa

Documenting safe usage of simplexml_load_file()
Bug1047111 Change-Id: I850603dbc1d85f4360ce227d2658e5abb51af1aa
f33d4cef · Aaron Wells · 1f7642cd · f33d4cef
Commit f33d4cef authored May 01, 2013 by Aaron Wells
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

htdocs/init.php htdocs/init.php +17 -0

No files found.
--- a/htdocs/init.php
+++ b/htdocs/init.php
@@ -61,6 +61,23 @@ if (!is_readable($CFG->docroot . 'config.php')) {

 init_performance_info();

+// Because the default XML loader is vulnerable to XEE attacks, we're disabling it by default.
+// If you need to use it, you can re-enable the function, call it while passing in the
+// LIBXML_NONET parameter, and then disable the function again, like this:
+//
+// EXAMPLE
+//     if (function_exists('libxml_disable_entity_loader')) {
+//         libxml_disable_entity_loader(false);
+//     }
+//     $options =
+//         LIBXML_COMPACT |    // Reported to greatly speed XML parsing
+//         LIBXML_NONET        // Disable network access - security check
+//     ;
+//     $xml = simplexml_load_file($filename, 'SimpleXMLElement', $options);
+//     if (function_exists('libxml_disable_entity_loader')) {
+//         libxml_disable_entity_loader(true);
+//     }
+// END EXAMPLE
 if (function_exists('libxml_disable_entity_loader')) {
    libxml_disable_entity_loader(true);
 }