DDC-3020: simplexml_load_file(): I/O warning: failed to load external in XmlDriver.php #3753

New Issue

admin · 2026-01-22T14:27:24+01:00

admin commented

2026-01-22 14:27:24 +01:00

Originally created by @doctrinebot on GitHub (Mar 11, 2014).

Originally assigned to: @Ocramius on GitHub.

Jira issue originally created by user rmatrono:

PHP Warning: simplexml_load_file(): I/O warning : failed to load external entity "/path-to/doctrine/entities/mappings/my_entity.dcm.xml" in /path-to/lib/Doctrine/ORM/Mapping/Driver/XmlDriver.php on line 711

PHP bug:
https://bugs.php.net/bug.php?id=62577

Possible solution:
https://github.com/owncloud/core/pull/7498/files

Originally created by @doctrinebot on GitHub (Mar 11, 2014). Originally assigned to: @Ocramius on GitHub. Jira issue originally created by user rmatrono: PHP Warning: simplexml_load_file(): I/O warning : failed to load external entity "/path-to/doctrine/entities/mappings/my_entity.dcm.xml" in /path-to/lib/Doctrine/ORM/Mapping/Driver/XmlDriver.php on line 711 PHP bug: https://bugs.php.net/bug.php?id=62577 Possible solution: https://github.com/owncloud/core/pull/7498/files

admin added the Bug label 2026-01-22 14:27:24 +01:00

admin closed this issue

2026-01-22 14:27:24 +01:00

admin commented

2026-01-22 14:27:25 +01:00

@doctrinebot commented on GitHub (Mar 11, 2014):

Comment created by @ocramius:

You are not supposed to load external entities in mappings.

Also, mappings are not user input, therefore they are not valid XXE/XEE attack vectors.

@doctrinebot commented on GitHub (Mar 11, 2014): Comment created by @ocramius: You are not supposed to load external entities in mappings. Also, mappings are not user input, therefore they are not valid XXE/XEE attack vectors.

admin commented

2026-01-22 14:27:25 +01:00

@doctrinebot commented on GitHub (Mar 11, 2014):

Issue was closed with resolution "Invalid"

@doctrinebot commented on GitHub (Mar 11, 2014): Issue was closed with resolution "Invalid"

admin commented

2026-01-22 14:27:26 +01:00

@doctrinebot commented on GitHub (Mar 11, 2014):

Comment created by @ocramius:

Deployed a docs fix at 02daf0049a

@doctrinebot commented on GitHub (Mar 11, 2014): Comment created by @ocramius: Deployed a docs fix at https://github.com/doctrine/doctrine2/commit/02daf0049adff040259f1fe86c6a0c846a68c3c1

admin commented

2026-01-22 14:27:26 +01:00

@doctrinebot commented on GitHub (Mar 11, 2014):

Comment created by rmatrono:

this is not a bug in Doctrine, who wants a quickfix can create a custom driver and force import of XXE/XEE before drivers are used:

class MyQuickFixXmlDriver extends \Doctrine\ORM\Mapping\Driver\XmlDriver
{
    /****
     * {@inheritDoc}
     */
    public function loadMetadataForClass($className, ClassMetadata $metadata)
    {
        $loadEntities = libxml*disable_entity*loader(false);
        parent::loadMetadataForClass($className, $metadata);
        libxml*disable_entity*loader($loadEntities);
    }
}

@doctrinebot commented on GitHub (Mar 11, 2014): Comment created by rmatrono: this is not a bug in Doctrine, who wants a quickfix can create a custom driver and force import of XXE/XEE before drivers are used: ``` class MyQuickFixXmlDriver extends \Doctrine\ORM\Mapping\Driver\XmlDriver { /**** * {@inheritDoc} */ public function loadMetadataForClass($className, ClassMetadata $metadata) { $loadEntities = libxml*disable_entity*loader(false); parent::loadMetadataForClass($className, $metadata); libxml*disable_entity*loader($loadEntities); } } ```

admin commented

2026-01-22 14:27:27 +01:00

@layanto commented on GitHub (Dec 23, 2015):

This is an issue even with no external entities in orm mapping.
See https://groups.google.com/forum/m/#!topic/doctrine-user/vAb_3zcz6vU

@layanto commented on GitHub (Dec 23, 2015): This is an issue even with no external entities in orm mapping. See https://groups.google.com/forum/m/#!topic/doctrine-user/vAb_3zcz6vU

admin commented

2026-01-22 14:27:27 +01:00

@Ocramius commented on GitHub (Dec 26, 2015):

@layanto as explained above, this has nothing to do with the ORM itself.

@Ocramius commented on GitHub (Dec 26, 2015): @layanto as explained above, this has nothing to do with the ORM itself.

admin commented

2026-01-22 14:27:27 +01:00

@layanto commented on GitHub (Dec 26, 2015):

@ocramius agree that the root of the problem is not Doctrine ORM, but rather it is a bug in PHP/libxml2. However, this bug has not been resolved for over 3 years and still exists in the latest versions of php5.6 and php7. Doctrine xml mapping will fail regardless of whether external entities are used or not (FosUserBundle xml mapping has no external entities) when libxml_disable_entity_loader is set to true.

If you do a Google search on "failed to load external entity symfony" or "failed to load external FosUserBundle" you will find quite a few people having issues due to Doctrine mapping failed to load xml mapping (mostly of FosUserBundle). Most people describe the problem as randomly happening, unexplained and resolved by restarting PHP (which will reset libxml_disable_entity_loader back to false).

As you described above, xml mapping is not a valid attack vector as such should be safe for Doctrine xml driver to set libxml_disable_entity_loader to false prior to loading xml mapping and then reset libxml_disable_entity_loader setting back (exactly what OwnCloud did to work around this bug https://github.com/owncloud/core/pull/7498/files).

Just wanting to say that despite being nothing to do with the ORM itself, it is a PHP/libxml bug that affects Doctrine xml mapping loader which, in my opinion, Doctrine should work around this bug. Will save people a lot of head scratching why they code randomly stopped working (as this bug is not threadsafe, another application on the same server can trigger this issue - in my case RSS app tt-rss.org).

Thanks for responding to a closed issue. At least I now know what to do to work around this issue. Just trying to save others the trouble.

http://stackoverflow.com/questions/27035821/random-error-symfonycontexterrorexception-warning-simplexml-load-file-i-o
http://www.scriptscoop.net/t/08fbd49b7bfc/php-simplexml-load-file-i-o-warning-failed-to-load-external-entity-user-bu.html

@layanto commented on GitHub (Dec 26, 2015): @ocramius agree that the root of the problem is not Doctrine ORM, but rather it is a bug in PHP/libxml2. However, this bug has not been resolved for over 3 years and still exists in the latest versions of php5.6 and php7. Doctrine xml mapping will fail regardless of whether external entities are used or not (FosUserBundle xml mapping has no external entities) when libxml_disable_entity_loader is set to true. If you do a Google search on "failed to load external entity symfony" or "failed to load external FosUserBundle" you will find quite a few people having issues due to Doctrine mapping failed to load xml mapping (mostly of FosUserBundle). Most people describe the problem as randomly happening, unexplained and resolved by restarting PHP (which will reset libxml_disable_entity_loader back to false). As you described above, xml mapping is not a valid attack vector as such should be safe for Doctrine xml driver to set libxml_disable_entity_loader to false prior to loading xml mapping and then reset libxml_disable_entity_loader setting back (exactly what OwnCloud did to work around this bug https://github.com/owncloud/core/pull/7498/files). Just wanting to say that despite being nothing to do with the ORM itself, it is a PHP/libxml bug that affects Doctrine xml mapping loader which, in my opinion, Doctrine should work around this bug. Will save people a lot of head scratching why they code randomly stopped working (as this bug is not threadsafe, another application on the same server can trigger this issue - in my case RSS app tt-rss.org). Thanks for responding to a closed issue. At least I now know what to do to work around this issue. Just trying to save others the trouble. http://stackoverflow.com/questions/27035821/random-error-symfonycontexterrorexception-warning-simplexml-load-file-i-o http://www.scriptscoop.net/t/08fbd49b7bfc/php-simplexml-load-file-i-o-warning-failed-to-load-external-entity-user-bu.html

admin commented

2026-01-22 14:27:30 +01:00

@Ocramius commented on GitHub (Dec 26, 2015):

Doctrine should work around this bug

Won't happen.

There is a already a workaround: enabling metadata caching

messing with libxml is not feasible, since it is not thread safe
we won't mess with libxml at all, as that is a security-sensitive area that requires horrible hacks to keep our users safe.
the risk is enabling external entity loading, and then having a security issue in a different script

Therefore no-go: not touching this, this has to be fixed in PHP and by PHP only, or else we just make things worse.

@Ocramius commented on GitHub (Dec 26, 2015): > Doctrine should work around this bug Won't happen. There is a already a workaround: enabling metadata caching - messing with libxml is not feasible, since it is not thread safe - we won't mess with libxml at all, as that is a security-sensitive area that requires [horrible hacks](https://github.com/zendframework/ZendXml/blob/54edb3875aba5b45f02824f65f311c9fb2743a38/library/ZendXml/Security.php) to keep our users safe. - the risk is enabling external entity loading, and then having a security issue in a different script Therefore no-go: not touching this, this has to be fixed in PHP and by PHP only, or else we just make things worse.

admin commented

2026-01-22 14:27:30 +01:00

@Sicaine commented on GitHub (Jul 5, 2016):

@Ocramius how is enabling metadata caching a workaround?

Would have been nice to have a proper way to activate a 'workaround' because the problem apperently still exists ( i have it :( )

@Sicaine commented on GitHub (Jul 5, 2016): @Ocramius how is enabling metadata caching a workaround? Would have been nice to have a proper way to activate a 'workaround' because the problem apperently still exists ( i have it :( )

admin commented

2026-01-22 14:27:30 +01:00

@Ocramius commented on GitHub (Jul 5, 2016):

The workaround is to disable external entity loading completely inside your PHP installation. External entity loading should be done in a quite well armored environment anyway, as it is a really powerful and dangerous feature of XML

@Ocramius commented on GitHub (Jul 5, 2016): The workaround is to disable external entity loading completely inside your PHP installation. External entity loading should be done in a quite well armored environment anyway, as it is a really powerful and dangerous feature of XML

admin commented

2026-01-22 14:27:30 +01:00

@apapsch commented on GitHub (Aug 14, 2017):

[1] suggests this can be fixed by avoiding SimpleXML functions which operate on files, e.g. replace simplexml_load_file(...) with simplexml_load_string(file_get_contents(...)).

@apapsch commented on GitHub (Aug 14, 2017): [[1]](https://stackoverflow.com/questions/20534866/intermittent-simplexml-load-file-i-o-warning-on-local-joomla-site) suggests this can be fixed by avoiding SimpleXML functions which operate on files, e.g. replace `simplexml_load_file(...)` with `simplexml_load_string(file_get_contents(...))`.

admin commented

2026-01-22 14:27:31 +01:00

@Ocramius commented on GitHub (Aug 14, 2017):

The external entity would still be there, unless the simplexml internals completely skip external references when loading from string.

@Ocramius commented on GitHub (Aug 14, 2017): The external entity would still be there, unless the simplexml internals completely skip external references when loading from string.

admin commented

2026-01-22 14:27:31 +01:00

@apapsch commented on GitHub (Aug 14, 2017):

That is what the Stackoverflow answer suggests. I'm applying the proposed workaround live in the vendor folder of some affected app and see if the error perists. Also I'm removing libxml_disable_entity_loader(false); that's in place as a workaround right now.

If no error pops up, then I would say the Stackoverflow answer ist right and the proposed workaround should be applied in Doctrine proper. All very voodo, of course. To gain full confidence, one would need to dig in the SimpleXml internals, I guess.

@apapsch commented on GitHub (Aug 14, 2017): That is what the Stackoverflow answer suggests. I'm applying the proposed workaround live in the vendor folder of some affected app and see if the error perists. Also I'm removing `libxml_disable_entity_loader(false);` that's in place as a workaround right now. If no error pops up, then I would say the Stackoverflow answer ist right and the proposed workaround should be applied in Doctrine proper. All very voodo, of course. To gain full confidence, one would need to dig in the SimpleXml internals, I guess.

admin commented

2026-01-22 14:27:31 +01:00

@apapsch commented on GitHub (Aug 14, 2017):

So far, so good: no crash after the changes.

@apapsch commented on GitHub (Aug 14, 2017): So far, so good: no crash after the changes.

admin commented

2026-01-22 14:27:31 +01:00

@apapsch commented on GitHub (Aug 18, 2017):

Even OP of the PHP bug says:

I have tried with simplexml_load_string(), it works; same with new SimpleXMLElement() etc. The bug is restricted to the simplexml_load_file() function.

@apapsch commented on GitHub (Aug 18, 2017): Even OP of the PHP bug says: > I have tried with simplexml_load_string(), it works; same with new SimpleXMLElement() etc. The bug is restricted to the simplexml_load_file() function.

admin commented

2026-01-22 14:27:31 +01:00

@Ocramius commented on GitHub (Aug 18, 2017):

Handled in #6633

@Ocramius commented on GitHub (Aug 18, 2017): Handled in #6633

admin referenced this issue

2026-01-22 15:29:03 +01:00

Attributes in annotations to specify Constraint, Index (etc.) name. #6215

Sign in to join this conversation.