Doctrine 2 - ORM / DDC-3020

simplexml_load_file(): I/O warning: failed to load external in XmlDriver.php

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: ORM
    • Security Level: All
    • Labels:
      None
    • Environment:
      PHP 5.5.9-1~dotdeb.1 (cli) (built: Feb 9 2014 21:29:47)
      Copyright (c) 1997-2014 The PHP Group
      Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies

      Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux

      Description

      PHP Warning: simplexml_load_file(): I/O warning : failed to load external entity "/path-to/doctrine/entities/mappings/my_entity.dcm.xml" in /path-to/lib/Doctrine/ORM/Mapping/Driver/XmlDriver.php on line 711

      PHP bug:
      https://bugs.php.net/bug.php?id=62577

      Possible solution:
      https://github.com/owncloud/core/pull/7498/files

        Activity

        Marco Pivetta added a comment -

        You are not supposed to load external entities in mappings.

        Also, mappings are not user input, therefore they are not valid XXE/XEE attack vectors.

        Marco Pivetta added a comment - Deployed a docs fix at https://github.com/doctrine/doctrine2/commit/02daf0049adff040259f1fe86c6a0c846a68c3c1
        Rubens Matrono added a comment - edited

        This is not a bug in Doctrine; whoever wants a quick fix can create a custom driver and force import of XXE/XEE before drivers are used:

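        // ClassMetadata interface type-hinted by the parent driver (doctrine/common)
        use Doctrine\Common\Persistence\Mapping\ClassMetadata;

        class MyQuickFixXmlDriver extends \Doctrine\ORM\Mapping\Driver\XmlDriver
        {
            /**
             * {@inheritDoc}
             */
            public function loadMetadataForClass($className, ClassMetadata $metadata)
            {
                // Re-enable the libxml entity loader for this call only; the
                // function returns the previous setting so it can be restored.
                $loadEntities = libxml_disable_entity_loader(false);
                try {
                    parent::loadMetadataForClass($className, $metadata);
                } finally {
                    // Restore the previous setting even if the parent throws.
                    libxml_disable_entity_loader($loadEntities);
                }
            }
        }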
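
An alternative that leaves the entity loader disabled, shown as an added example that is not part of the original comments or of Doctrine's code: read the mapping file with ordinary PHP file I/O and parse it from a string, so `simplexml_load_file()` is never called. The helper name `loadMappingXml()` and the sample mapping are constructed for illustration, and the script is stand-alone rather than wired into `XmlDriver`.

```php
<?php
// Added example, not Doctrine code; loadMappingXml() is a hypothetical helper.

/** Parse a local XML mapping without simplexml_load_file(), so the libxml
 *  entity loader never has to be switched back on. */
function loadMappingXml($path)
{
    $xml = file_get_contents($path); // ordinary PHP file I/O, not libxml
    if ($xml === false) {
        throw new RuntimeException("Cannot read mapping file: $path");
    }

    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately
    // absent, so entity references are not substituted.
    $element = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($element === false) {
        $msg = $errors ? trim($errors[0]->message) : 'unknown parse error';
        throw new RuntimeException("Invalid mapping XML in $path: $msg");
    }
    return $element;
}

// Constructed sample mapping, written to a temp file so the script runs offline.
$path = tempnam(sys_get_temp_dir(), 'dcm');
file_put_contents($path, <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<doctrine-mapping>
  <entity name="MyEntity" table="my_entity">
    <id name="id" type="integer"/>
  </entity>
</doctrine-mapping>
XML
);

// Reproduce the state behind the warning in this report. The function is
// deprecated from PHP 8.0, so it is only called on older versions.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}

$mapping = loadMappingXml($path);
echo (string) $mapping->entity['name'], PHP_EOL;
unlink($path);
```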
        

          People

          • Assignee:
            Marco Pivetta
            Reporter:
            Rubens Matrono
          • Votes:
            0
            Watchers:
            2
