Security: harden user-import XML parsing against XXE

AngelFQC · claude · AngelFQC · commit 393590a2294c · 2026-06-16T11:01:52.000-05:00
The user import/update XML parsing relied entirely on the libxml runtime
default to avoid external entity resolution, leaving the code unhardened on
PHP &lt; 8 or misconfigured environments.

Explicitly block external entity loading with a null
libxml_set_external_entity_loader() around each addXmlContent() call (user
import and update flows), restoring the default loader afterwards. This is
the non-deprecated, PHP 8.x-safe equivalent and does not enable entity
substitution (LIBXML_NOENT is intentionally not used).

Refs GHSA-h24x-xw47-2wwx

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/public/main/admin/user_import.php b/public/main/admin/user_import.php
@@ -451,8 +451,12 @@ function parse_csv_data($users, $fileName, $sendEmail = 0, $checkUniqueEmail = t
  */
 function parse_xml_data($file)
 {
+    // XXE hardening: block loading of any external entity regardless of the
+    // libxml runtime default, then restore the default loader.
+    libxml_set_external_entity_loader(static fn () => null);
     $crawler = new \Symfony\Component\DomCrawler\Crawler();
     $crawler->addXmlContent(file_get_contents($file));
+    libxml_set_external_entity_loader(null);
     $crawler = $crawler->filter('Contacts > Contact ');
     $array = [];
     foreach ($crawler as $domElement) {
diff --git a/public/main/admin/user_update_import.php b/public/main/admin/user_update_import.php
@@ -247,8 +247,12 @@ function parse_csv_data($file)
 
 function parse_xml_data($file)
 {
+    // XXE hardening: block loading of any external entity regardless of the
+    // libxml runtime default, then restore the default loader.
+    libxml_set_external_entity_loader(static fn () => null);
     $crawler = new Crawler();
     $crawler->addXmlContent(file_get_contents($file));
+    libxml_set_external_entity_loader(null);
     $crawler = $crawler->filter('Contacts > Contact ');
     $array = [];
     foreach ($crawler as $domElement) {
diff --git a/public/main/inc/lib/myspace.lib.php b/public/main/inc/lib/myspace.lib.php
@@ -3106,8 +3106,12 @@ public static function parse_csv_data($file)
      */
     public static function parse_xml_data($file)
     {
+        // XXE hardening: block loading of any external entity regardless of the
+        // libxml runtime default, then restore the default loader.
+        libxml_set_external_entity_loader(static fn () => null);
         $crawler = new \Symfony\Component\DomCrawler\Crawler();
         $crawler->addXmlContent(file_get_contents($file));
+        libxml_set_external_entity_loader(null);
         $crawler = $crawler->filter('Contacts > Contact ');
         $array = [];
         foreach ($crawler as $domElement) {
