Skip to content

Fix #71592: External entity processing never fails#3596

Closed
cmb69 wants to merge 1 commit intophp:PHP-7.3from
cmb69:bug-71592
Closed

Fix #71592: External entity processing never fails#3596
cmb69 wants to merge 1 commit intophp:PHP-7.3from
cmb69:bug-71592

Conversation

@cmb69
Copy link
Member

@cmb69 cmb69 commented Oct 9, 2018

If the callback set via xml_set_external_entity_ref_handler() returns
a falsy value, parsing is supposed to stop and the error number set to
XML_ERROR_EXTERNAL_ENTITY_HANDLING. This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value. We fix this by calling xmlStopParser() which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired errNo ourselves.

[1] http://xmlsoft.org/news.html

@cmb69
Fix #71592: External entity processing never fails
d22828b 
If the callback set via `xml_set_external_entity_ref_handler()` returns
a falsy value, parsing is supposed to stop and the error number set to
`XML_ERROR_EXTERNAL_ENTITY_HANDLING`.  This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value.  We fix this by calling `xmlStopParser()` which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired `errNo` ourselves.

[1] <http://xmlsoft.org/news.html>
@cmb69
Copy link
Member Author

cmb69 commented Oct 9, 2018

Almost any ext/xml nowadays likely runs on libxml2, and it's not unlikely that a lot of xml_set_external_entity_ref_handler() callbacks don't explicitly return, so this fix likely breaks some code. It appears to be sensible to apply it to PHP-7.3 (which is presently in RC) and up only.

@php-pulls
Copy link

php-pulls commented Oct 12, 2018

Comment on behalf of petk at php.net:

Labelling

@php-pulls php-pulls added the Bug label Oct 12, 2018
@cmb69
Copy link
Member Author

cmb69 commented Oct 16, 2018

Is any of the XML maintainers still around to review this PR? While this PR is primarily intended to fix a bug in ext/xml, it might also affect other extensions which use the expat compatibility layer (e.g. ext/wddx and ext/xmlrpc).

@cmb69
Copy link
Member Author

cmb69 commented Oct 21, 2018

Unless there are objections, I'm going to merge this on the next weekend.

@php-pulls
Copy link

php-pulls commented Oct 27, 2018

Comment on behalf of cmb at php.net:

Applied as 829b0df.

@php-pulls php-pulls closed this Oct 27, 2018
@cmb69 cmb69 deleted the bug-71592 branch October 27, 2018 15:34
@cmb69
Copy link
Member Author

cmb69 commented Oct 27, 2018

Documented via http://svn.php.net/viewvc?view=revision&revision=345905.

salathe pushed a commit to salathe/phpdoc-en that referenced this pull request Oct 27, 2018
@cmb69
Document xml_set_external_entity_ref_handler() fix
4dda752 
Cf. <php/php-src#3596>.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@345905 c90b9560-bf6c-de11-be94-00142212c4b1
svn2github pushed a commit to svn2github/phpdoc_en that referenced this pull request Oct 28, 2018
Document xml_set_external_entity_ref_handler() fix
3303269 
Cf. <php/php-src#3596>.

git-svn-id: http://svn.php.net/repository/phpdoc/en@345905 c90b9560-bf6c-de11-be94-00142212c4b1
heiglandreas pushed a commit to phpdoctest/en that referenced this pull request Feb 4, 2020
Document xml_set_external_entity_ref_handler() fix
1e78ca1 
Cf. <php/php-src#3596>.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@345905 c90b9560-bf6c-de11-be94-00142212c4b1
salathe pushed a commit to salathe/phpdoc-en that referenced this pull request Sep 3, 2020
@cmb69
Document xml_set_external_entity_ref_handler() fix
6badbcf 
Cf. <php/php-src#3596>.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@345905 c90b9560-bf6c-de11-be94-00142212c4b1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cmb69 @php-pulls