libxml_disable_entity_loader() is deprecated starting with PHP 8.0

"As libxml 2.9.0 is now required, external entity loading is guaranteed to be disabled by default, and this function is no longer needed to protect against XXE attacks, unless the (still vulnerable). LIBXML_NOENT is used" https://www.php.net/migration80.deprecated#migration80.deprecated.libxml
spaze · May 23, 2021 · 9af02f1 · 9af02f1
1 parent cc93036
commit 9af02f1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/site/app/CompanyInfo/Ares.php b/site/app/CompanyInfo/Ares.php
@@ -41,7 +41,6 @@ public function getData(string $companyId): Data
 				throw new RuntimeException('Company Id is empty');
 			}
 			$content = $this->fetch($companyId);
-			libxml_disable_entity_loader();
 			$xml = simplexml_load_string($content);
 			if (!$xml) {
 				throw new RuntimeException("Can't parse XML received for company {$companyId}");

diff --git a/site/disallowed-calls.neon b/site/disallowed-calls.neon
@@ -2,6 +2,10 @@ parameters:
 	disallowedFunctionCalls:
 		-
 			function: 'pcntl_*()'
+	disallowedConstants:
+		-
+			constant: 'LIBXML_NOENT'
+			message: 'libxml_disable_entity_loader() has been deprecated in PHP 8.0, no longer needed to protect against XXE attacks, unless the (still vulnerable) LIBXML_NOENT is used https://www.php.net/migration80.deprecated#migration80.deprecated.libxml'
 
 includes:
 	- vendor/spaze/phpstan-disallowed-calls/extension.neon