From 828ee6c1edcdd1fcae2bb01c2f7ac557c0c1d45a Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers
Date: Tue, 17 Nov 2020 00:58:33 +0000
Subject: [PATCH] Code Modernization: Only call `libxml_disable_entity_loader()` in PHP < 8. This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, so this function is no longer needed to protect against XXE attacks. This change fixes an instance of `libxml_disable_entity_loader()` within the getID3 library that has not yet been included in a tagged release for the library. Props jrf, hellofromtonya. Fixes #50898. git-svn-id: https://develop.svn.wordpress.org/trunk@49621 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/ID3/getid3.lib.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/wp-includes/ID3/getid3.lib.php b/src/wp-includes/ID3/getid3.lib.php
index ebdc569864..3a5983fc26 100644
--- a/src/wp-includes/ID3/getid3.lib.php
+++ b/src/wp-includes/ID3/getid3.lib.php
@@ -720,12 +720,18 @@ class getid3_lib
 */
 public static function XML2array($XMLstring) {
 if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
- // https://core.trac.wordpress.org/changeset/29378
- $loader = libxml_disable_entity_loader(true);
+ if (PHP_VERSION_ID < 80000) {
+ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+ // https://core.trac.wordpress.org/changeset/29378
+ // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
+ // disabled by default, so this function is no longer needed to protect against XXE attacks.
+ $loader = libxml_disable_entity_loader(true);
+ }
 $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
 $return = self::SimpleXMLelement2array($XMLobject);
- libxml_disable_entity_loader($loader);
+ if (PHP_VERSION_ID < 80000 && isset($loader)) {
+ libxml_disable_entity_loader($loader);
+ }
 return $return;
 }
 return false;
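Review bot: On PHP 8 the unchanged `simplexml_load_string()` call still passes `LIBXML_NOENT`, and with the `libxml_disable_entity_loader(true)` guard now skipped, nothing in this function blocks external entities in `$XMLstring`. The libxml 2.9.0 default that the new comment relies on only holds while entity substitution is off; `LIBXML_NOENT` turns it back on, and the PHP manual names that flag as the exception to the deprecation rationale. `$XMLstring` presumably comes from parsed media files and should be treated as untrusted, so I would drop the flag on the new path: `$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', PHP_VERSION_ID < 80000 ? LIBXML_NOENT : 0);`. If entity expansion is really needed, register a rejecting loader with `libxml_set_external_entity_loader()` around the parse and restore it afterwards. The closing brace of XML2array() is outside the hunk.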