Hi everyone,
since the latest upgrade to libxml2 on my Ubuntu CI box, 2-3 DOM tests
started to fail when trying to parse external entities.
The fix is trivial and I'm ready to push it to PHP-5.4+, but before
doing so I wanted to give a heads up to everyone involved.
The fix is basically about adding some:
$domDocument->substituteEntities = true;
to the failing tests.
As far as I understand, the default "false" (equivalent to
XML_PARSE_NOENT) was ignored by previous libxml2 versions, leading to
the vulnerability.
Maybe this is worth mentioning in the docs too?
For reference:
http://www.ubuntu.com/usn/usn-2214-1/
https://revive.beccati.com/bamboo/browse/PHP-SRC-10/
http://php.net/manual/en/class.domdocument.php#domdocument.props.substituteentities
Cheers
Matteo Beccati
Development & Consulting - http://www.beccati.com/
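As an added example that is not part of Matteo's message or of php-src, the following constructed PHP script shows what the DOMDocument::$substituteEntities switch changes in the parsed tree; the document, entity name and entity content are made up, and only an internal entity (declared inline, reading nothing outside the document) is used.

```php
<?php
// Constructed example (not from the original message or from php-src):
// compare the DOM tree produced with substituteEntities left at its
// default (false) against the tree produced with it set to true, as the
// failing tests in the message do. Only an internal entity is declared.
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello from an internal entity">
]>
<note>&greeting;</note>
XML;

/**
 * Parse $xml with the given substituteEntities setting and report the
 * node class and nodeType of the first child of the root element.
 */
function describeFirstChild(string $xml, bool $substitute): array
{
    $doc = new DOMDocument();
    $doc->substituteEntities = $substitute;
    // No LIBXML_NOENT is passed here: the property alone decides whether
    // libxml2 expands the reference while building the tree.
    $doc->loadXML($xml);
    $child = $doc->documentElement->firstChild;
    return [get_class($child), $child->nodeType];
}

// Default: the reference is kept as a DOMEntityReference node
// (nodeType XML_ENTITY_REF_NODE), i.e. not expanded into text.
print_r(describeFirstChild($xml, false));

// substituteEntities = true: the reference is replaced by a DOMText node
// (nodeType XML_TEXT_NODE) holding the entity's replacement text.
print_r(describeFirstChild($xml, true));
```

Running it with the default setting is the behaviour the newer libxml2 enforces; the second call reproduces what the adjusted tests opt into explicitly.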