diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index aec550b3..ac7d737f 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -11,8 +11,8 @@
 // ///
 /////////////////////////////////////////////////////////////////
-if(!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
- if(LIBXML_VERSION >= 20621) {
+if (!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
+ if (LIBXML_VERSION >= 20621) {
 define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
 } else {
 define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING);
@@ -744,16 +744,36 @@ public static function array_min($arraydata, $returnkey=false) {
 * @return array|false
 */
 public static function XML2array($XMLstring) {
- if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
- // https://core.trac.wordpress.org/changeset/29378
- // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
- // disabled by default, but is still needed when LIBXML_NOENT is used.
- $loader = @libxml_disable_entity_loader(true);
- $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
- $return = self::SimpleXMLelement2array($XMLobject);
- @libxml_disable_entity_loader($loader);
- return $return;
+ if (function_exists('simplexml_load_string')) {
+ if (PHP_VERSION_ID < 80000) {
+ if (function_exists('libxml_disable_entity_loader')) {
+ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+ // https://core.trac.wordpress.org/changeset/29378
+ // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
+ // disabled by default, but is still needed when LIBXML_NOENT is used.
+ $loader = @libxml_disable_entity_loader(true);
+ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
+ $return = self::SimpleXMLelement2array($XMLobject);
+ @libxml_disable_entity_loader($loader);
+ return $return;
+ }
+ } else {
+ $allow = false;
+ if (defined('LIBXML_VERSION') && (LIBXML_VERSION >= 20900)) {
+ // https://www.php.net/manual/en/function.libxml-disable-entity-loader.php
+ // "as of libxml 2.9.0 entity substitution is disabled by default, so there is no need to disable the loading
+ // of external entities, unless there is the need to resolve internal entity references with LIBXML_NOENT."
+ $allow = true;
+ } elseif (function_exists('libxml_set_external_entity_loader')) {
+ libxml_set_external_entity_loader(function () { return null; }); // https://www.zend.com/blog/cve-2023-3823
+ $allow = true;
+ }
+ if ($allow) {
+ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', GETID3_LIBXML_OPTIONS);
+ $return = self::SimpleXMLelement2array($XMLobject);
+ return $return;
+ }
+ }
 }
 return false;
 }
diff --git a/getid3/getid3.php b/getid3/getid3.php
index 580d0972..8c91639a 100644
--- a/getid3/getid3.php
+++ b/getid3/getid3.php
@@ -387,7 +387,7 @@ class getID3
 */
 protected $startup_warning = '';
- const VERSION = '1.9.23-202311041554';
+ const VERSION = '1.9.23-202311100900';
 const FREAD_BUFFER_SIZE = 32768;
 const ATTACHMENTS_NONE = false;
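Review bot: In the XML2array hunk, the PHP 8 branch for libxml >= 2.9.0 sets `$allow = true` and parses without restricting entity loading, yet the default `GETID3_LIBXML_OPTIONS` shown in the first hunk includes `LIBXML_NOENT`, which is the exception named in the manual text quoted in the comment. With entity substitution on, `LIBXML_NONET` only blocks network fetches, so if `$XMLstring` comes from an untrusted file an external entity could still be resolved from a local path. I would install the null loader on every PHP 8 path rather than only in the `elseif`, replacing the version test with `if (function_exists('libxml_set_external_entity_loader')) { libxml_set_external_entity_loader(function () { return null; }); $allow = true; }`, which also fails closed when the function is missing. Separately, the loader is never restored after the parse, which deserves a comment such as `// NOTE: replaces the external entity loader for later XML parsing in this request as well`.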