The PR where the function was deprecated, php/php-src#5867, claims that XXE loading is diabled by default since libxml 2.9.0.

However, this was not the case in at least the following systems:

* the php:7.4-fpm-alpine docker image

* the php:8.0-rc-cli-alpine

* the default php-7.4 package from the Ubuntu 20.04 package repositories

All of these installations report LIBXML_VERSION > 20900 and are still vulnerable to XXE attacks unless libxml_disable_entity_loader() is used.

this should be reported as a bug in the PHP issue tracker IMO, as that might invalidate the decision to deprecate the function.

I tried reporting it this morning, the bug tracker was down :(

We have a bug report: https://bugs.php.net/bug.php?id=80235

I'd like some guidance on this PR:

1. Travis fails on PHP 5.5 because phpunit is too old there, I can't figure out how to test this myself
2. Appveyor fails for the same reason
3. Travis also fails on PHP nigly because of legacy deprecation related to exactly this issue. I'm not sure what to do about this.
4. fabbot's suggestion changes an error meesage:

+++ src/Symfony/Component/Serializer/Encoder/XmlEncoder.php     2020-10-14 11:56:38.534401092 +0000
@@ -431,7 +431,7 @@
             return $this->appendNode($parentNode, $data, 'data');
         }
 
-        throw new NotEncodableValueException('An unexpected value could not be serialized: '.(!\is_resource($data) ? var_export($data, true) : sprintf('%s resource', get_resource_type($data))));
+        throw new NotEncodableValueException('An unexpected value could not be serialized: '.(!\is_resource($data) ? var_export($data, true) : sprintf('"%s" resource', get_resource_type($data))));
     }
 
     /**

I have nothing against chaning it here, idk if you would accept unrelated changes.

3\. Travis also fails on PHP nigly because of legacy deprecation related to exactly this issue. I'm not sure what to do about this.

well, that's precisely why I asked to report an issue to PHP. Symfony has a policy of not using deprecated APIs. So if using the deprecated API of PHP cannot be avoided, there is an issue with the fact of deprecating.

We have a bug report: https://bugs.php.net/bug.php?id=80235

this link is private

I also think we should wait to see what the PHP devs do with this, since they might not consider it serious enough to address. Installations are still safe from the traditional XXE attacks that reads local files.

We have a bug report: https://bugs.php.net/bug.php?id=80235

this link is private

I think they set all tickets related to security to private by default

I rebased the PR for branch 3.4 but there are some failure to fix, could you please have a look?

(nvm the rebase for 3.4, that's on another PR)

The PHP bug has been closed. Calling libxml_disable_entity_loader is not required and trigger deprecation on PHP 8. Shall we close this PR?

The PHP bug has been closed. Calling libxml_disable_entity_loader is not required and trigger deprecation on PHP 8. Shall we close this PR?

Yes, closing.