Commit 0a394765 authored by Benni Mack's avatar Benni Mack Committed by Benjamin Franzke

[BUGFIX] Do not call "libxml_disable_entity_loader" in PHP 8

Because the method (finally) is deprecated in PHP 8,
all calls in TYPO3 Core are wrapped in if statements
to avoid deprecation warnings.

PHP 8 effectively is more secure by default,
which is a good thing, but we need to consider this
in our code base, which still supports PHP 7
as well.

Resolves: #93204
Releases: master, 10.4
Change-Id: I18d7e76e3de5cf48cd4c3cab0d68dea4e518f674
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67329

Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Benjamin Franzke's avatarBenjamin Franzke <bfr@qbus.de>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benjamin Franzke's avatarBenjamin Franzke <bfr@qbus.de>
parent 5489967f
......@@ -53,12 +53,17 @@ abstract class AbstractSvgIconProvider
}
$svgContent = (string)preg_replace('/<script[\s\S]*?>[\s\S]*?<\/script>/i', '', $svgContent);
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$svgElement = simplexml_load_string($svgContent);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
if ($svgElement === false) {
return '';
}
libxml_disable_entity_loader($previousValueOfEntityLoader);
// remove xml version tag
$domXml = dom_import_simplexml($svgElement);
......
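Review bot: The comment kept above the guard (`// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept`) no longer describes what happens on PHP 8, where the branch is skipped and this code disables nothing. I would extend it to say why that is safe, for example `// PHP < 8 only: PHP 8 requires libxml2 >= 2.9.0, which does not load external entities unless LIBXML_NOENT is passed`, so that nobody later adds that flag to the parse call without noticing. The same stale comment sits above the same guard in the AbstractXmlParser, ImageInfo, GeneralUtility, ExtensionXmlPushParser, ScalableVectorGraphicsContentObject, AbstractRecycleTestCase and TypoScriptReferenceController sections, and the RssWidget section has no comment at all. The enclosing method starts and ends outside the hunk.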
......@@ -80,9 +80,14 @@ abstract class AbstractXmlParser implements LocalizationParserInterface
);
}
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$rootXmlNode = simplexml_load_string($xmlContent, \SimpleXMLElement::class, LIBXML_NOWARNING);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
if ($rootXmlNode === false) {
$xmlError = libxml_get_last_error();
throw new InvalidXmlFileException(
......
......@@ -124,15 +124,19 @@ class ImageInfo extends FileInfo implements LoggerAwareInterface
return false;
}
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$xml = simplexml_load_string($fileContent, \SimpleXMLElement::class, LIBXML_NOERROR | LIBXML_NOWARNING);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
// If something went wrong with simpleXml don't try to read information
if ($xml === false) {
return false;
}
libxml_disable_entity_loader($previousValueOfEntityLoader);
$xmlAttributes = $xml->attributes();
// First check if width+height are set
......
......@@ -1256,7 +1256,10 @@ class GeneralUtility
public static function xml2tree($string, $depth = 999, $parserOptions = [])
{
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$parser = xml_parser_create();
$vals = [];
$index = [];
......@@ -1266,7 +1269,9 @@ class GeneralUtility
xml_parser_set_option($parser, $option, $value);
}
xml_parse_into_struct($parser, $string, $vals, $index);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
if (xml_get_error_code($parser)) {
return 'Line ' . xml_get_current_line_number($parser) . ': ' . xml_error_string(xml_get_error_code($parser));
}
......@@ -1480,7 +1485,10 @@ class GeneralUtility
protected static function xml2arrayProcess($string, $NSprefix = '', $reportDocTag = false)
{
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
// Create parser:
$parser = xml_parser_create();
$vals = [];
......@@ -1495,7 +1503,9 @@ class GeneralUtility
xml_parser_set_option($parser, XML_OPTION_TARGET_ENCODING, $theCharset);
// Parse content:
xml_parse_into_struct($parser, $string, $vals, $index);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
// If error, return error message:
if (xml_get_error_code($parser)) {
return 'Line ' . xml_get_current_line_number($parser) . ': ' . xml_error_string(xml_get_error_code($parser));
......
......@@ -105,9 +105,14 @@ class RssWidget implements WidgetInterface
if ($rssContent === false) {
throw new \RuntimeException('RSS URL could not be fetched', 1573385431);
}
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$rssFeed = simplexml_load_string($rssContent);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
$items = [];
foreach ($rssFeed->channel->item as $item) {
$items[] = [
......
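Review bot: `simplexml_load_string($rssContent)` returns false when the fetched feed is not well-formed XML, and the `foreach ($rssFeed->channel->item as $item)` right after the restore dereferences the result without checking it. Judging by the 'RSS URL could not be fetched' message the content comes from a remote URL, so malformed input is an expected case rather than an exotic one. A guard in the style of the `$rssContent === false` check above would fit, e.g. `if ($rssFeed === false) { throw new \RuntimeException('RSS content could not be parsed', <new exception code>); }`. The method continues outside the hunk.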
......@@ -67,7 +67,10 @@ class ExtensionXmlPushParser extends AbstractExtensionXmlParser
throw new ExtensionManagerException('Unable to create XML parser.', 1342640663);
}
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
// keep original character case of XML document
xml_parser_set_option($this->objXml, XML_OPTION_CASE_FOLDING, false);
xml_parser_set_option($this->objXml, XML_OPTION_SKIP_WHITE, false);
......@@ -82,7 +85,9 @@ class ExtensionXmlPushParser extends AbstractExtensionXmlParser
throw new ExtensionManagerException(sprintf('XML error %s in line %u of file resource %s.', xml_error_string(xml_get_error_code($this->objXml)), xml_get_current_line_number($this->objXml), $file), 1342640703);
}
}
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
xml_parser_free($this->objXml);
}
......
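Review bot: The guarded restore at the end of the method is skipped when the `ExtensionManagerException` for an XML error is thrown just above it, so on PHP 7 the entity loader stays disabled for the rest of the process and `xml_parser_free($this->objXml)` is not reached either. That fails closed with respect to external entities, but on PHP 7 a disabled loader presumably also makes later libxml file loads in the same request fail (`simplexml_load_file()`, `DOMDocument::load()`). Wrapping the parse loop in `try { ... } finally { ... }` and moving the guarded restore and the `xml_parser_free()` call into the `finally` keeps the global state balanced. The loop itself lies between the two hunks and is not visible here.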
......@@ -55,9 +55,14 @@ class ScalableVectorGraphicsContentObject extends AbstractContentObject
$svgContent = (string)file_get_contents($src);
$svgContent = preg_replace('/<script[\s\S]*?>[\s\S]*?<\/script>/i', '', $svgContent) ?? '';
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader();
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader();
}
$svgElement = simplexml_load_string($svgContent);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
$domXml = dom_import_simplexml($svgElement);
if (!$isDefaultWidth) {
......
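Review bot: `dom_import_simplexml($svgElement)` is called without checking that `simplexml_load_string()` succeeded; for an SVG that is not well-formed `$svgElement` is false, and on PHP 8 passing false to `dom_import_simplexml()` raises a TypeError where PHP 7 only emitted a warning. The AbstractSvgIconProvider section of this same commit handles the case with `if ($svgElement === false) { return ''; }` directly after the restore, and the same guard would fit here. The method starts and ends outside the hunk, so the appropriate return value has to be checked against the rest of it.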
......@@ -96,9 +96,13 @@ abstract class AbstractRecycleTestCase extends FunctionalTestCase
$data = [];
$fileContent = file_get_contents($path);
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader(true);
}
$xml = simplexml_load_string($fileContent);
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
/** @var $table \SimpleXMLElement */
foreach ($xml->children() as $table) {
......
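Review bot: Unlike the other sections in this commit, this hunk as rendered does not add `$previousValueOfEntityLoader = null;` before the first guard, so the variable is only defined inside the `PHP_MAJOR_VERSION < 8` branch. It works because the restore sits behind the same guard, but static analysis may report a possibly undefined variable and the pattern is no longer uniform across the code base. Adding the initialisation line before the first `if` keeps it consistent with the other call sites.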
......@@ -52,10 +52,15 @@ class TypoScriptReferenceController
protected function loadFile($filepath)
{
// Disables the functionality to allow external entities to be loaded when parsing the XML, must be kept
$previousValueOfEntityLoader = libxml_disable_entity_loader();
$previousValueOfEntityLoader = null;
if (PHP_MAJOR_VERSION < 8) {
$previousValueOfEntityLoader = libxml_disable_entity_loader();
}
$this->xmlDoc = new \DOMDocument('1.0', 'utf-8');
$this->xmlDoc->loadXML(file_get_contents($filepath));
libxml_disable_entity_loader($previousValueOfEntityLoader);
if (PHP_MAJOR_VERSION < 8) {
libxml_disable_entity_loader($previousValueOfEntityLoader);
}
// @TODO: oliver@typo3.org: I guess this is not required here
$this->xmlDoc->saveXML();
}
......
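Review bot: `file_get_contents($filepath)` is passed straight into `loadXML()`; if the file cannot be read it returns false, which reaches `loadXML()` as an empty source, and as far as I know PHP 8 rejects that with a ValueError where PHP 7 only warned. Since the commit is about PHP 8 behaviour, a guard before the parse would be worth adding, e.g. `$content = file_get_contents($filepath);` followed by `if ($content === false || $content === '') { return; }` and then `$this->xmlDoc->loadXML($content);`. How loadFile's callers deal with a document that was never loaded is not visible in this hunk.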