WordPress.org

Make WordPress Core

Opened 4 months ago

Closed 11 days ago

#50898 closed defect (bug) (fixed)

PHP 8.0: only call libxml_disable_entity_loader() in PHP < 8

Reported by: jrf Owned by: SergeyBiryukov
Milestone: 5.6 Priority: normal
Severity: minor Version:
Component: Embeds Keywords: has-patch php8 needs-dev-note commit
Focuses: coding-standards Cc:

Description

As per the PHP 8.0 changelog:

libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
required, external entity loading is guaranteed to be disabled by default,
and this function is no longer needed to protect against XXE attacks.

Source: https://github.com/php/php-src/blob/71bfa5344ab207072f4cd25745d7023096338385/UPGRADING#L808-L811

Calling the function conditionally will prevent deprecation warnings.

The function is also used in GetID3 - a PR to the same effect as this PR has been pulled & merged and is expected to be included in the next GetID3 release.

Ref: https://github.com/JamesHeinrich/getID3/pull/260

Attachments (3)

50898-libxml_disable_entity_loader.patch (1.9 KB) - added by jrf 4 months ago.
50898-getid3.diff (1.3 KB) - added by desrosj 11 days ago.
50898-getid3.2.diff (1.3 KB) - added by desrosj 11 days ago.

Download all attachments as: .zip

Change History (13)

This ticket was mentioned in PR #468 on WordPress/wordpress-develop by jrfnl.


4 months ago

As per the PHP 8.0 changelog:

libxml_disable_entity_loader() has been deprecated. As libxml 2.9.0 is now
required, external entity loading is guaranteed to be disabled by default,
and this function is no longer needed to protect against XXE attacks.

Source: https://github.com/php/php-src/blob/71bfa5344ab207072f4cd25745d7023096338385/UPGRADING#L808-L811

Calling the function conditionally will prevent deprecation warnings.

Trac ticket: https://core.trac.wordpress.org/ticket/50898

#2 @SergeyBiryukov
4 months ago

  • Milestone changed from Awaiting Review to 5.6
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @SergeyBiryukov
4 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 48789:

Code Modernization: Only call libxml_disable_entity_loader() in PHP < 8.

This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, so this function is no longer needed to protect against XXE attacks.

Props jrf.
Fixes #50898.

#4 @prbot
4 months ago

jrfnl commented on PR #468:

Patch has been committed. Closing.

#5 @desrosj
3 months ago

  • Keywords needs-dev-note added

Adding needs-dev-note to call out in the PHP 8 dev note.

@desrosj
11 days ago

#6 @desrosj
11 days ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

It looks like the needed getID3 changes have yet to make their way into a tagged release and still need to be ported over to WordPress.

50898-getid3.diff makes the related change for 5.6, and will be included in the next versioned update when available.

#7 @desrosj
11 days ago

Sorry for the noise! 50898-getid3.2.diff fixes an issue applying the diff I did not catch initially.

This ticket was mentioned in Slack in #core by desrosj. View the logs.


11 days ago

#9 @hellofromTonya
11 days ago

  • Keywords commit added

@desrosj Reviewing the patch 50898-getid3.2.diff, it looks good. It matches the combination of https://github.com/JamesHeinrich/getID3/pull/260 and https://github.com/JamesHeinrich/getID3/pull/261. Ship it!

#10 @desrosj
11 days ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 49621:

Code Modernization: Only call libxml_disable_entity_loader() in PHP < 8.

This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, so this function is no longer needed to protect against XXE attacks.

This change fixes an instance of libxml_disable_entity_loader() within the getID3 library that has not yet been included in a tagged release for the library.

Props jrf, hellofromtonya.
Fixes #50898.

Note: See TracTickets for help on using tickets.