55 lines
1.2 KiB
Plaintext
55 lines
1.2 KiB
Plaintext
== How to fix it in Core PHP
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
$xml = file_get_contents('xxe.xml');
|
|
$doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT); // Noncompliant
|
|
----
|
|
|
|
[source,php,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
$doc = new DOMDocument();
|
|
$doc->load('xxe.xml', LIBXML_NOENT); // Noncompliant
|
|
----
|
|
|
|
[source,php,diff-id=3,diff-type=noncompliant]
|
|
----
|
|
$reader = new XMLReader();
|
|
$reader->open('xxe.xml');
|
|
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, true); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
External entity substitution is disabled by default in `simplexml_load_string()` and `DOMDocument::open()`.
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
$xml = file_get_contents('xxe.xml');
|
|
$doc = simplexml_load_string($xml, 'SimpleXMLElement');
|
|
----
|
|
|
|
|
|
[source,php,diff-id=2,diff-type=compliant]
|
|
----
|
|
$doc = new DOMDocument();
|
|
$doc->load('xxe.xml');
|
|
----
|
|
|
|
[source,php,diff-id=3,diff-type=compliant]
|
|
----
|
|
$reader = new XMLReader();
|
|
$reader->open('xxe.xml');
|
|
$reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/xxe.adoc[]
|