Using DOM, this can be achieved with $domDocument->resolveExternals = false; before loading a document.
Julien.P

On Wed, Feb 29, 2012 at 9:52 PM, Gustavo Lopes <[email protected]> wrote:

> On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick <[email protected]> wrote:
>
>> I just read this post about a vulnerability by loading doctype-declaration
>> of an xml-string given in a request:
>> http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
>>
>> Would it be a good point to restrict which urls can be loaded in the
>> doctype, or is the following line the only possibility to prevent it in a
>> good way?
>> libxml_disable_entity_loader(true);
>
> In PHP 5.4, you can use libxml_set_external_entity_loader() and define
> your own logic. I'm afraid it's not documented yet, but it receives a
> callback that takes two strings, a public id and system id and a context
> (an array with four keys). The callback should return a resource, a string
> from which a resource can be opened, or NULL.
>
> --
> Gustavo Lopes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
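Added example, not part of the original thread: the PHP 5.4 callback described in the quoted reply, used as an exact-match allowlist that serves a trusted local DTD copy and refuses every other system id. The `$allowed` map, its DTD path and the sample document are constructed for illustration.

```php
<?php
// Hypothetical allowlist: system id as written in documents => trusted local copy.
$allowed = array(
    'http://example.org/dtd/order.dtd' => __DIR__ . '/dtd/order.dtd',
);
$denied = array();

libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use ($allowed, &$denied) {
        // Exact-match lookup only: no prefix or host matching that could be bypassed.
        if (isset($allowed[$systemId]) && is_file($allowed[$systemId])) {
            // Returning a resource hands libxml the local copy instead of the URL.
            return fopen($allowed[$systemId], 'r');
        }
        // Everything else (http://, file://, php://, ...) is refused and recorded.
        $denied[] = $systemId;
        return null;
    }
);

// Constructed sample input: an entity pointing at an internal address
// (192.0.2.0/24 is a documentation-only range).
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY probe SYSTEM "http://192.0.2.10:8080/">
]>
<order><note>&probe;</note></order>
XML;

libxml_use_internal_errors(true);   // collect parser errors instead of emitting warnings
$doc = new DOMDocument();
// LIBXML_NOENT makes the parser resolve &probe;, so the request goes through the callback.
$doc->loadXML($xml, LIBXML_NOENT);

foreach ($denied as $id) {
    error_log("blocked external entity: $id");
}
```

Because the callback returns NULL for anything outside the map, the parser never opens the URL itself; the refused system ids end up in the log, which is also a useful detection signal.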
