If libxml_disable_entity_loader(true), simplexml_load_file() fails;

Piskvor · franmomu · commit 3f053f855fc1 · 2021-11-16T16:31:18.000+01:00
this avoids the limitation by avoiding file operations in libXML.

The only difference here is that the file operations are done via file_get_contents() and the resulting string is passed to simplexml_load_string() from PHP, instead of simplexml_load_file() doing these two things internally.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,8 @@ a release.
 
 ## [Unreleased]
 ### Fixed
+- `Gedmo\Mapping\Driver\Xml::_loadMappingFile()` behavior in scenarios where `libxml_disable_entity_loader(true)` was previously
+  called.
 - Loggable: Missing support for `versioned` fields at `attribute-override` in XML mapping.
 
 ## [3.3.0] - 2021-11-15
diff --git a/src/Mapping/Driver/Xml.php b/src/Mapping/Driver/Xml.php
@@ -84,7 +84,11 @@ protected function _isAttributeSet(SimpleXmlElement $node, $attributeName)
     protected function _loadMappingFile($file)
     {
         $result = [];
-        $xmlElement = simplexml_load_file($file);
+        // We avoid calling `simplexml_load_file()` in order to prevent file operations in libXML.
+        // If `libxml_disable_entity_loader(true)` is called before, `simplexml_load_file()` fails,
+        // that's why we use `simplexml_load_string()` instead.
+        // @see https://bugs.php.net/bug.php?id=62577.
+        $xmlElement = simplexml_load_string(file_get_contents($file));
         $xmlElement = $xmlElement->children(self::DOCTRINE_NAMESPACE_URI);
 
         if (isset($xmlElement->entity)) {
