PHP 8.0: libxml_disable_entity_loader function is deprecated

Version: 8.0
Type: Deprecation

The XML standard allows external entities, which can refer to other external resources; this often leads to severe security vulnerabilities commonly categorized as XXE, or XML External Entities.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

In the text-book example above, the payload refers to the /etc/passwd file on the system where the XML file is parsed.

Libxml, the library PHP uses to process XML in extensions such as DOM, XMLWriter and XMLReader, was vulnerable to XXE attacks unless loading of external entities was explicitly disabled:

libxml_disable_entity_loader(true);

Calling libxml_disable_entity_loader() with a true/false value toggled whether loading of external entities was disabled.

PHP 8.0 and later require libxml 2.9.0 or later, which disables loading of external entities by default, closing the XXE vector. libxml_disable_entity_loader() is now deprecated.

Backwards Compatibility Impact

Attempting to call this function will now raise a deprecation warning:

Deprecated: Function libxml_disable_entity_loader() is deprecated in ... on line ...

In code that only runs on PHP 8.0 and later, it is now safe to remove all calls to this function. For code that must also run on versions prior to PHP 8, a conditional call might be the best approach:

- libxml_disable_entity_loader(true);
+ if (\PHP_VERSION_ID < 80000) {
+      libxml_disable_entity_loader(true);
+ }
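Review bot: the guard keys the fix to the PHP version, but what actually decides whether the call is needed is the libxml version: libxml < 2.9.0 loads external entities by default, and PHP 8.0 merely happens to require libxml >= 2.9.0. The guard is correct as written, but a one-line comment stating that reason would stop a future reader from treating the call as dead code. Also, the inner line's indentation does not line up with the `if` and closing brace; use four spaces.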

Alternatively, a LIBXML_VERSION < 20900 condition can be used to toggle the entity loader conditionally:

- libxml_disable_entity_loader(true);
+ if (\LIBXML_VERSION < 20900) {
+      libxml_disable_entity_loader(true);
+ }
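Review bot: this guard checks the condition the vulnerability actually depends on, the libxml version, so it is the more precise of the two variants; it also evaluates to false on PHP 8.0, which requires libxml >= 2.9.0, so the deprecated call is never reached there. As with the previous hunk, a short comment explaining why the guard exists would help, and the inner line should be indented four spaces to match the `if` and closing brace.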

Note that in libxml < 2.9.0, external entity loading is enabled by default, so removing libxml_disable_entity_loader(true) calls in environments that run PHP versions < 8.0 will open an XXE vulnerability.
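Putting the conditional toggle together with per-call parser hardening, as an added example that is not part of the original article or of PHP's own code; the function name load_untrusted_xml() and its exception messages are assumptions, and the sample input is the payload shown above:

```php
<?php
declare(strict_types=1);

// Assumed name for this added example; the messages are illustrative.
function load_untrusted_xml(string $xml): DOMDocument
{
    // libxml < 2.9.0 loads external entities by default: disable the loader there.
    // On PHP 8 (libxml >= 2.9.0) the call is deprecated and unnecessary, so the guard skips it.
    if (\LIBXML_VERSION < 20900) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network fetches while parsing. Deliberately no
    // LIBXML_NOENT / LIBXML_DTDLOAD: either one turns entity loading back on.
    $loaded = $dom->loadXML($xml, \LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        $reason = $errors[0]->message ?? 'unknown error';
        throw new RuntimeException('XML is not well-formed: ' . trim($reason));
    }
    // Untrusted input has no business declaring a DOCTYPE, which is where
    // entities are defined, so reject any document that carries one.
    if ($dom->doctype !== null) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }
    return $dom;
}

// Constructed input: the XXE payload shown in the article.
$payload = <<<'XML'
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
XML;

try {
    load_untrusted_xml($payload);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo load_untrusted_xml('<foo>ok</foo>')->documentElement->textContent, PHP_EOL;
```

The DOCTYPE check is independent of the libxml version, so the payload is rejected on every PHP release the function runs on, while plain documents parse normally.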


Implementation & Discussion
Discussion (2015 July)