Disable XML entity loader by default in libphutil
By default, SimpleXMLElement will pretty much just run whatever code you want when handed a specially crafted document. We currently load XML only from trusted (S3, EC2, git/svn/hg) or local sources (unit test runners) so there are no concrete vulnerabilities in Phabricator, but this behavior is incredibly dangerous, surprising, and highly undesirable.
Test Plan: There's an example of a document which does bad things on http://www.php.net/manual/en/function.libxml-disable-entity-loader.php. I verified that SimpleXMLElement reads /etc/passwd when handed this document, then applied the fix. It no longer reads arbitrary files off disk.
Reviewed By: btrahan
Differential Revision: https://secure.phabricator.com/D8049