On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick
<simonsimc...@googlemail.com> wrote:
I just read this post about a vulnerability by loading
doctype-declaration
of an xml-string given in a request:
http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
Would it be a good point to restrict which urls can be loaded in the
doctype, or is the following line the only possibility to prevent it in a
good way?
libxml_disable_entity_loader(true);
In PHP 5.4, you can use libxml_set_external_entity_loader() and define
your own logic. I'm afraid it's not documented yet, but it receives a
callback that takes two strings, a public id and system id and a context
(an array with four keys). The callback should return a resource, a string
from which a resource can be opened, or NULL.
--
Gustavo Lopes
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php