#21990 closed defect (bug) (fixed)
SimplePie: DOMDocument can be disabled
Reported by: | nacin | Owned by: | rmccue |
---|---|---|---|
Milestone: | 3.5 | Priority: | low |
Severity: | normal | Version: | 3.5 |
Component: | External Libraries | Keywords: | needs-unit-tests needs-patch |
Focuses: | Cc: |
Description
SimplePie uses DOMDocument in a few places. But, it can be disabled, either by a distro messing with PHP (see Redhat) or with --disable-dom
. When we use DOMDocument in core, we always check class_exists(). SimplePie does not.
We'll need to get this fixed to avoid fatal errors when SimplePie is used.
SimplePie 1.2 did not use DOMDocument. I wonder what else was added/used in 1.3 that could potentially be disabled.
Attachments (5)
Change History (34)
#3
follow-up:
↓ 4
@
12 years ago
Regarding changes: this occurred because the autodiscovery was rewritten to use DOMDocument instead of parsing HTML with regex. I don't want to switch back to regex, so I'm willing to just disable autodiscovery on installations without DOMDocument.
Thanks for the upstream, I'll get on that later today if I can.
#4
in reply to:
↑ 3
@
12 years ago
Replying to rmccue:
I don't want to switch back to regex, so I'm willing to just disable autodiscovery on installations without DOMDocument.
Perfectly fine with me.
#6
@
12 years ago
Fixed for one-dot-three: https://github.com/simplepie/simplepie/commit/f0e144e1952e4ca083f11941d482f65f71f46397
#8
@
12 years ago
- Milestone 3.5 deleted
- Resolution set to duplicate
- Status changed from new to closed
Duplicate of #22321.
#9
@
12 years ago
- Keywords needs-patch added; has-patch removed
- Milestone set to 3.5
- Resolution duplicate deleted
- Status changed from closed to reopened
- Version set to trunk
Seems like 1.3.1 missed a placed, where new DOMDocument()
is called. See source:/trunk/wp-includes/SimplePie/Sanitize.php@22639#L250
Still ends with a fatal error, reported in the forum: http://wordpress.org/support/topic/dashboardplugins-simplepie-error?replies=5#post-3399249
#13
@
12 years ago
- Keywords has-patch needs-docs dev-feedback needs-testing needs-unit-tests added; needs-patch removed
First attempt at sublassing SimplePie_Sanitize. New file needed because the SP files are loaded conditionally, and I wanted to leave those pristine. Avoided the fancy registration stuff, because we're manually instantiating the sanitization object ourselves. So I just changed that. Only did very preliminary testing: both branches of logic seem to not break the dashboard RSS feed.
Will need PHPDoc, security testing, and unit testing — just wanted to get a first effort up here ASAP.
#14
@
12 years ago
Also, the logic was swiped from rmccue's recommendation on IRC. That could use auditing.
#15
@
12 years ago
21990-subclass.2.diff
doesn't touch class-simplepie.php, and instead modifies fetch_feed()
.
Note that registering the sanitization class isn't enough, as $feed->sanitize
has already been instantiated as the default SP sanitization class. So after registering, I explicitly instantiate the subclass over top of that.
#16
@
12 years ago
- Keywords needs-docs removed
Existing unit tests run cleanly. Documentation added in 21990-subclass.3.diff
. We should consider adding unit tests to make sure no untrusted data can seep through. Still needs more thorough testing and feedback.
#17
@
12 years ago
Looking again at SimplePie_Sanitize
, looks like we'll also need to test SIMPLEPIE_CONSTRUCT_MAYBE_HTML
and SIMPLEPIE_CONSTRUCT_BASE64
.
#19
follow-up:
↓ 21
@
12 years ago
- Keywords dev-feedback removed
- Priority changed from normal to low
- Severity changed from blocker to normal
Nice work. In [22811], I tossed WP_SimplePie_Sanitize_KSES into the existing class-feed.php file where we already extend SimplePie_File, SimplePie_Cache, etc.
Lowering priority and severity now that this is no longer critical under most situations.
We still need to update SimplePie core to avoid calling DOMDocument when it is not available. A plugin using SimplePie directly (thus sidestepping fetch_feed()) will not be able to rely on kses, but they should still be given an opportunity to avoid the fatal error. My suggestion would be to pass an error back up the stack (if that makes sense — I'm not that familiar with SP) or just return ''
, as rmccue and I had discussed.
#20
@
12 years ago
This fixed the problem for me. The dashboard is no longer crashing in 3.5-RC1 because DOMDocument isn't loaded.
#21
in reply to:
↑ 19
@
12 years ago
- Keywords needs-patch added; has-patch needs-testing removed
Replying to nacin:
We still need to update SimplePie core to avoid calling DOMDocument when it is not available. A plugin using SimplePie directly (thus sidestepping fetch_feed()) will not be able to rely on kses, but they should still be given an opportunity to avoid the fatal error. My suggestion would be to pass an error back up the stack (if that makes sense — I'm not that familiar with SP) or just return
''
, as rmccue and I had discussed.
Due to the nature of SimplePie::sanitize()
, passing up the stack is best done by throwing an exception where needed. To ensure API compatibility, that'll need to be shielded from the end-user, but in the next major version, they'll have the ability to get those exceptions themselves. I know how I'm going to fix this, so I'll get that patched upstream ASAP.
#22
@
12 years ago
We still need to update SimplePie core to avoid calling DOMDocument when it is not available.
Not seeing anything upstream. Is there a new timeline for this? Happy to look, but if you know how you're going to fix it, I'd rather leave it for you.
#24
@
12 years ago
- Keywords has-patch added; needs-patch removed
21990.diff — This brace styling is going to be the death of me.
#26
follow-up:
↓ 28
@
12 years ago
- Keywords needs-patch added; has-patch commit removed
Patched upstream. Fix is similar to nacin's patch, but with better whitespacing, consistent with the SimplePie style guidelines.
(Marking as needs-patch, since it doesn't have a WP diff for it, but it's simple to port from the raw diff.)
Thanks dd32 for the report.