author | Dik Takken <d.h.j.takken@freedom.nl> | 2020-07-16 14:20:41 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-08-03 21:53:29 +0200 |
commit | e0fa48f69dd14b52c8f1b2904ac7bd30472849a8 (patch) | |
tree | c450a30da315153fd49b441e57051ea846107147 /UPGRADING | |
parent | 691a09f291a909cba8821ef16a447a5e615dee69 (diff) | |
Deprecate libxml_disable_entity_loader()
This method was used to protect code against XXE processing attacks.
Since PHP now requires libxml >= 2.9.0 external entity loading no longer
needs to be disabled to prevent these attacks. It is disabled by default.
Also, the method has an unwanted side effect that causes a lot of
confusion: Parsing XML data from resources like files is no longer possible.
Closes GH-5867.
Diffstat (limited to 'UPGRADING')
-rw-r--r-- | UPGRADING | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -799,6 +799,11 @@ PHP 8.0 UPGRADE NOTES . enchant_broker_free and enchant_broker_free_dict, unset the object instead . ENCHANT_MYSPELL and ENCHANT_ISPELL constants +- LibXML: + . libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now + required, external entity loading is guaranteed to be disabled by default, + and this function is no longer needed to protect against XXE attacks. + - PGSQL / PDO PGSQL: . The constant PG_VERSION_STR has now the same value as PG_VERSION, and thus is deprecated. |
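Review bot: The new LibXML entry leaves out the second reason given in the commit message, that calling libxml_disable_entity_loader() also stops XML from being parsed from resources like files. That side effect is the practical reason existing calls should be deleted rather than left in place, so it is worth one more sentence after "no longer needed to protect against XXE attacks". The wording "guaranteed to be disabled by default" also implies loading can still be turned on, but the entry does not say what a caller who opts in should use for protection now that this function is deprecated. Please either name the supported replacement or state explicitly that the guarantee only covers code that keeps the default.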