Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#50898 closed defect (bug) (fixed)

PHP 8.0: only call libxml_disable_entity_loader() in PHP < 8

Reported by: jrf's profile jrf Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.6 Priority: normal
Severity: minor Version:
Component: Embeds Keywords: has-patch php8 commit has-dev-note
Focuses: coding-standards Cc:

Description

As per the PHP 8.0 changelog:

libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
required, external entity loading is guaranteed to be disabled by default,
and this function is no longer needed to protect against XXE attacks.

Source: https://github.com/php/php-src/blob/71bfa5344ab207072f4cd25745d7023096338385/UPGRADING#L808-L811

Calling the function conditionally will prevent deprecation warnings.

The function is also used in GetID3 - a PR to the same effect as this PR has been pulled & merged and is expected to be included in the next GetID3 release.

Ref: https://github.com/JamesHeinrich/getID3/pull/260

Attachments (3)

50898-libxml_disable_entity_loader.patch (1.9 KB) - added by jrf 4 years ago.
50898-getid3.diff (1.3 KB) - added by desrosj 4 years ago.
50898-getid3.2.diff (1.3 KB) - added by desrosj 4 years ago.

Download all attachments as: .zip

Change History (14)

This ticket was mentioned in PR #468 on WordPress/wordpress-develop by jrfnl.


4 years ago
#1

As per the PHP 8.0 changelog:

libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
required, external entity loading is guaranteed to be disabled by default,
and this function is no longer needed to protect against XXE attacks.

Source: https://github.com/php/php-src/blob/71bfa5344ab207072f4cd25745d7023096338385/UPGRADING#L808-L811

Calling the function conditionally will prevent deprecation warnings.

Trac ticket: https://core.trac.wordpress.org/ticket/50898

#2 @SergeyBiryukov
4 years ago

  • Milestone changed from Awaiting Review to 5.6
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @SergeyBiryukov
4 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 48789:

Code Modernization: Only call libxml_disable_entity_loader() in PHP < 8.

This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, so this function is no longer needed to protect against XXE attacks.

Props jrf.
Fixes #50898.

jrfnl commented on PR #468:


4 years ago
#4

Patch has been committed. Closing.

#5 @desrosj
4 years ago

  • Keywords needs-dev-note added

Adding needs-dev-note to call out in the PHP 8 dev note.

@desrosj
4 years ago

#6 @desrosj
4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

It looks like the needed getID3 changes have yet to make their way into a tagged release and still need to be ported over to WordPress.

50898-getid3.diff makes the related change for 5.6, and will be included in the next versioned update when available.

#7 @desrosj
4 years ago

Sorry for the noise! 50898-getid3.2.diff fixes an issue applying the diff I did not catch initially.

This ticket was mentioned in Slack in #core by desrosj. View the logs.


4 years ago

#9 @hellofromTonya
4 years ago

  • Keywords commit added

@desrosj Reviewing the patch 50898-getid3.2.diff, it looks good. It matches the combination of https://github.com/JamesHeinrich/getID3/pull/260 and https://github.com/JamesHeinrich/getID3/pull/261. Ship it!

#10 @desrosj
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 49621:

Code Modernization: Only call libxml_disable_entity_loader() in PHP < 8.

This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, so this function is no longer needed to protect against XXE attacks.

This change fixes an instance of libxml_disable_entity_loader() within the getID3 library that has not yet been included in a tagged release for the library.

Props jrf, hellofromtonya.
Fixes #50898.

#11 @daisyo
4 years ago

  • Keywords has-dev-note added; needs-dev-note removed
Note: See TracTickets for help on using tickets.