File: /www/server/php/83/src/ext/libxml/tests/libxml_entity_loading_disabled_by_default.phpt
--TEST--
libxml_disable_entity_loader()
--EXTENSIONS--
libxml
dom
xml
simplexml
--FILE--
<?php
$xml = <<<EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
<foo>&xxe;</foo>
EOT;
$dir = str_replace('\\', '/', __DIR__);
$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
function parseXML1($xml) {
$doc = new DOMDocument();
$doc->loadXML($xml, 0);
return $doc->saveXML();
}
function parseXML2($xml) {
return simplexml_load_string($xml);
}
function parseXML3($xml) {
$p = xml_parser_create();
xml_parse_into_struct($p, $xml, $vals, $index);
xml_parser_free($p);
return var_export($vals, true);
}
function parseXML4($xml) {
// This is the only time we enable external entity loading.
return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}
var_dump(strpos(parseXML1($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML2($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML3($xml), 'SECRET_DATA') === false);
var_dump(strpos(parseXML4($xml), 'SECRET_DATA') === false);
echo "Done\n";
?>
--EXPECT--
bool(true)
bool(true)
bool(true)
bool(false)
Done