Ticket #50898: 50898-libxml_disable_entity_loader.patch

File 50898-libxml_disable_entity_loader.patch, 1.9 KB (added by jrf, 6 months ago)
  • src/wp-includes/class-wp-oembed.php

    From 51311b0e2549a1f9449bba32b9e0dca29f99b347 Mon Sep 17 00:00:00 2001
    From: jrfnl <jrfnl@users.noreply.github.com>
    Date: Tue, 11 Aug 2020 04:07:35 +0200
    Subject: [PATCH] PHP 8.0: only call libxml_disable_entity_loader() in PHP < 8
    
    As per the PHP 8.0 changelog:
    
    > `libxml_disable_entity_loader()` has been deprecated. As libxml 2.9.0 is now
    > required, external entity loading is guaranteed to be disabled by default,
    > and this function is no longer needed to protect against XXE attacks.
    
    Source: https://github.com/php/php-src/blob/71bfa5344ab207072f4cd25745d7023096338385/UPGRADING#L808-L811
    
    Calling the function conditionally will prevent deprecation warnings.
    ---
     src/wp-includes/class-wp-oembed.php | 12 ++++++++++--
     1 file changed, 10 insertions(+), 2 deletions(-)
    
    diff --git a/src/wp-includes/class-wp-oembed.php b/src/wp-includes/class-wp-oembed.php
    index 1c10f44489..ac139e4f62 100644
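--- a/src/wp-includes/class-wp-oembed.php
+++ b/src/wp-includes/class-wp-oembed.php
@@ -597,13 +597,21 @@ class WP_oEmbed {
                         return false;
                 }
 
-                $loader = libxml_disable_entity_loader( true );
+                if ( PHP_VERSION_ID < 80000 ) {
+                        // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
+                        // disabled by default, so this function is no longer needed to protect against XXE attacks.
+                        // phpcs:ignore PHPCompatibility.FunctionUse.RemovedFunctions.libxml_disable_entity_loaderDeprecated
+                        $loader = libxml_disable_entity_loader( true );
+                }
                 $errors = libxml_use_internal_errors( true );
 
                 $return = $this->_parse_xml_body( $response_body );
 
                 libxml_use_internal_errors( $errors );
-                libxml_disable_entity_loader( $loader );
+                if ( PHP_VERSION_ID < 80000 && isset( $loader ) ) {
+                        // phpcs:ignore PHPCompatibility.FunctionUse.RemovedFunctions.libxml_disable_entity_loaderDeprecated
+                        libxml_disable_entity_loader( $loader );
+                }
 
                 return $return;
         }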
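Review bot: The new comment at new lines 601-602 leaves out the condition the PHP 8+ path now depends on: with the entity loader no longer touched, XXE protection for the remote oEmbed response rests on how `_parse_xml_body()` (not visible in this hunk) invokes the parser. libxml 2.9.0+ only skips external entities by default, and passing `LIBXML_NOENT` or `LIBXML_DTDLOAD` turns substitution or DTD loading back on. I would state that in the comment, e.g. `// PHP 8+ requires libxml >= 2.9.0: external entities are not loaded unless LIBXML_NOENT or LIBXML_DTDLOAD is passed, so _parse_xml_body() must never pass them.` As a style point, `isset( $loader )` at new line 611 is redundant, because under the same `PHP_VERSION_ID < 80000` check `$loader` is always assigned at new line 604. The enclosing method starts before the hunk.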