#429 libxml_disable_entity_loader is deprecated
JamesHeinrich committed Nov 10, 2023
1 parent a300844 commit 58b883d
Showing 2 changed files with 33 additions and 13 deletions.
44 changes: 32 additions & 12 deletions getid3/getid3.lib.php
@@ -11,8 +11,8 @@
// ///
/////////////////////////////////////////////////////////////////

if(!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
if(LIBXML_VERSION >= 20621) {
if (!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
if (LIBXML_VERSION >= 20621) {
define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
} else {
define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING);
@@ -744,16 +744,36 @@ public static function array_min($arraydata, $returnkey=false) {
* @return array|false
*/
public static function XML2array($XMLstring) {
if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
// https://core.trac.wordpress.org/changeset/29378
// This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
// disabled by default, but is still needed when LIBXML_NOENT is used.
$loader = @libxml_disable_entity_loader(true);
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
$return = self::SimpleXMLelement2array($XMLobject);
@libxml_disable_entity_loader($loader);
return $return;
if (function_exists('simplexml_load_string')) {
if (PHP_VERSION_ID < 80000) {
if (function_exists('libxml_disable_entity_loader')) {
// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
// https://core.trac.wordpress.org/changeset/29378
// This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
// disabled by default, but is still needed when LIBXML_NOENT is used.
$loader = @libxml_disable_entity_loader(true);
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
$return = self::SimpleXMLelement2array($XMLobject);
@libxml_disable_entity_loader($loader);
return $return;
}
} else {
$allow = false;
if (defined('LIBXML_VERSION') && (LIBXML_VERSION >= 20900)) {
// https://www.php.net/manual/en/function.libxml-disable-entity-loader.php
// "as of libxml 2.9.0 entity substitution is disabled by default, so there is no need to disable the loading
// of external entities, unless there is the need to resolve internal entity references with LIBXML_NOENT."
$allow = true;
} elseif (function_exists('libxml_set_external_entity_loader')) {
libxml_set_external_entity_loader(function () { return null; }); // https://www.zend.com/blog/cve-2023-3823
$allow = true;
}
if ($allow) {
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
$return = self::SimpleXMLelement2array($XMLobject);
return $return;
}
}
}
return false;
}
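Review bot: On PHP 8 with libxml >= 2.9.0 the first `$allow = true` branch of `XML2array()` parses with no external-entity loader installed, although the default `GETID3_LIBXML_OPTIONS` (first hunk) still contains `LIBXML_NOENT`, which switches entity substitution back on; the manual text quoted in that branch's own comment names this as the exception. `LIBXML_NONET` only blocks network fetches, so XML taken from an untrusted media file could, as far as the visible code shows, still resolve an external entity that points at a local file. I would install the null loader on every PHP 8 path rather than only in the `elseif`, e.g. `if (function_exists('libxml_set_external_entity_loader')) { libxml_set_external_entity_loader(function () { return null; }); $allow = true; }`, or drop `LIBXML_NOENT` from the default options if entity expansion is not needed. The loader is also never reset after parsing, so it stays in force for the rest of the request; `libxml_set_external_entity_loader(null);` after `simplexml_load_string()` would restore the default.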
2 changes: 1 addition & 1 deletion getid3/getid3.php
@@ -387,7 +387,7 @@ class getID3
*/
protected $startup_warning = '';

const VERSION = '1.9.23-202311041554';
const VERSION = '1.9.23-202311100900';
const FREAD_BUFFER_SIZE = 32768;

const ATTACHMENTS_NONE = false;