[zend-xml] PHP 8 compatibility: wrap deprecated libxml_disable_entity…

…_loader(). (#27) - PHP 8 cannot be compiled with libxml < 2.9.0 - libxml_disable_entity_loader(false) does not magically enable XXE on 2.9.0+ (verified) so this is safe. Co-authored-by: Leendert <[email protected]>
zf1s · Oct 7, 2020 · 399f6c9 · 399f6c9
1 parent 4306451
commit 399f6c9
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/packages/zend-xml/library/Zend/Xml/Security.php b/packages/zend-xml/library/Zend/Xml/Security.php
@@ -45,6 +45,19 @@ protected static function heuristicScan($xml)
         }
     }
 
+    /**
+     * Wrapper for libxml_disable_entity_loader which is deprecated in PHP 8. libxml 2.9.0 disables external entity
+     * loading by default. PHP 8.0 has deprecated libxml_disable_entity_loader() method and it requires libxml 2.9.0+.
+     * @see https://github.com/php/php-src/pull/5867
+     *
+     * @param bool $disable
+     * @return bool the previous value (true = disabled)
+     */
+    private static function disableEntityLoader($disable = true)
+    {
+        return LIBXML_VERSION < 20900 ? libxml_disable_entity_loader($disable) : true;
+    }
+
     /**
      * @param integer $errno
      * @param string $errstr
@@ -83,7 +96,7 @@ public static function scan($xml, DOMDocument $dom = null)
         }
 
         if (!self::isPhpFpm()) {
-            $loadEntities = libxml_disable_entity_loader(true);
+            $loadEntities = self::disableEntityLoader(true);
             $useInternalXmlErrors = libxml_use_internal_errors(true);
         }
 
@@ -97,7 +110,7 @@ public static function scan($xml, DOMDocument $dom = null)
         if (!$result) {
             // Entity load to previous setting
             if (!self::isPhpFpm()) {
-                libxml_disable_entity_loader($loadEntities);
+                self::disableEntityLoader($loadEntities);
                 libxml_use_internal_errors($useInternalXmlErrors);
             }
             return false;
@@ -117,7 +130,7 @@ public static function scan($xml, DOMDocument $dom = null)
 
         // Entity load to previous setting
         if (!self::isPhpFpm()) {
-            libxml_disable_entity_loader($loadEntities);
+            self::disableEntityLoader($loadEntities);
             libxml_use_internal_errors($useInternalXmlErrors);
         }