Protect against XXE in php8

PHP8 disables external entities by default, but they can still be
explicitly used (cf. https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/), which is bad™.
The right way to defend against XXE is now to set libxml_set_external_entity_loader to null.

1 files changed, 9 insertions, 7 deletions

diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 113d84b..3ef1a5d 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -5,20 +5,22 @@ PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; }
 int hook_libxml_disable_entity_loader() {
   TSRMLS_FETCH();
 
-// External entities are disabled by default in PHP8+
-#if PHP_VERSION_ID < 80000
-  /* Call the php function here instead of re-implementing it is a bit
-   * ugly, but we do not want to introduce compile-time dependencies against
-   * libxml. */
   zval func_name;
-  zval hmac;
+  zval retval;
   zval params[1];
 
+#if PHP_VERSION_ID < 80000
+        // This function is deprecated in PHP8, but better safe than sorry for php7.
   ZVAL_STRING(&func_name, "libxml_disable_entity_loader");
   ZVAL_STRING(&params[0], "true");
-  call_user_function(CG(function_table), NULL, &func_name, &hmac, 1, params);
+  call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
 #endif
 
+        // This is now the recommended way to disable external entities
+  ZVAL_STRING(&func_name, "libxml_set_external_entity_loader");
+  ZVAL_NULL(&params[0]);
+  call_user_function(CG(function_table), NULL, &func_name, &retval, 1, params);
+
   HOOK_FUNCTION("libxml_disable_entity_loader", sp_internal_functions_hook,
                 PHP_FN(sp_libxml_disable_entity_loader));