author: Dik Takken <d.h.j.takken@freedom.nl> 2020-07-16 14:20:41 +0200
committer: Nikita Popov <nikita.ppv@gmail.com> 2020-08-03 21:53:29 +0200
commit: e0fa48f69dd14b52c8f1b2904ac7bd30472849a8 (patch)
tree: c450a30da315153fd49b441e57051ea846107147 /UPGRADING
parent: 691a09f291a909cba8821ef16a447a5e615dee69 (diff)
Deprecate libxml_disable_entity_loader()
This method was used to protect code against XXE processing attacks. Since PHP now requires libxml >= 2.9.0, external entity loading no longer needs to be disabled to prevent these attacks. It is disabled by default. Also, the method has an unwanted side effect that causes a lot of confusion: parsing XML data from resources like files is no longer possible.

Closes GH-5867.
Diffstat (limited to 'UPGRADING')
-rw-r--r-- UPGRADING 5
1 files changed, 5 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index d08dcb5df4..101f53cbef 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -799,6 +799,11 @@ PHP 8.0 UPGRADE NOTES
. enchant_broker_free and enchant_broker_free_dict, unset the object instead
. ENCHANT_MYSPELL and ENCHANT_ISPELL constants
+- LibXML:
+ . libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
+ required, external entity loading is guaranteed to be disabled by default,
+ and this function is no longer needed to protect against XXE attacks.
+
- PGSQL / PDO PGSQL:
. The constant PG_VERSION_STR has now the same value as PG_VERSION, and thus
is deprecated.
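Review bot: The new LibXML entry says external entity loading is "guaranteed to be disabled by default" and stops there, so it covers neither callers who opt in to entity substitution (for example by passing LIBXML_NOENT) nor what to use in place of the deprecated function. Consider adding that the default protection does not apply once substitution is enabled, and pointing such code at libxml_set_external_entity_loader() to restrict loading. The commit message also gives a second reason for the deprecation, that the function stops XML from being parsed from resources like files, and the entry would help upgraders more if it mentioned that side effect too.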