
libxml_disable_entity_loader

(PHP 5 >= 5.2.11)

libxml_disable_entity_loader - Disable the ability to load external entities

Description

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Disable/enable the ability to load external entities.

Parameters

disable

Disable (TRUE) or enable (FALSE) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

Return Values

Returns the previous value.

See Also



User comments:

simonsimcity (01-Mar-2012 02:23)

Using this function you can prevent a vulnerability to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

One way to prevent that the file is given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11.
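
Because the function returns the previous value, a parser wrapper can disable the entity loader for one parse and then restore the earlier setting. The following is an added example, not code from the PHP manual or from the comment above; `parse_untrusted_xml()` is a hypothetical helper name, and rejecting every document that carries a DOCTYPE is an assumed policy for untrusted input.

```php
<?php
// Added example; parse_untrusted_xml() is a hypothetical helper name.
function parse_untrusted_xml($xml)
{
    // libxml_disable_entity_loader() is deprecated as of PHP 8.0, so it is
    // only called on older versions.
    $canToggle = PHP_VERSION_ID < 80000
        && function_exists('libxml_disable_entity_loader');

    // The function returns the previous value; keep it so it can be restored.
    $previousLoader = $canToggle ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // No LIBXML_NOENT or LIBXML_DTDLOAD flags: entities are not substituted
    // and no external DTD is fetched. LIBXML_NONET blocks network access.
    $ok = ($xml !== '') && $doc->loadXML($xml, LIBXML_NONET);

    // Restore the global libxml state before returning or throwing.
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($canToggle) {
        libxml_disable_entity_loader($previousLoader);
    }

    if (!$ok) {
        throw new RuntimeException('XML is not well-formed');
    }
    // Assumed policy for untrusted input: refuse any document with a DOCTYPE.
    if ($doc->doctype !== null) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }
    return $doc;
}

// Constructed sample input: the string quoted in the comment above.
$sample = '<!DOCTYPE scan [<!ENTITY test SYSTEM '
    . '"php://filter/read=convert.base64-encode/resource=/etc/passwd">]>'
    . '<scan>&test;</scan>';

try {
    parse_untrusted_xml($sample);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

echo parse_untrusted_xml('<scan>ok</scan>')->documentElement->textContent, "\n";
```

The wrapper parses from a string with `loadXML()`; the loader setting is process-wide, which is why the previous value is restored once parsing is done.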