Update Security.php

Add a PHP version condition check. In PHP 8.0 and later, PHP uses libxml versions from 2.9.0, which disabled XXE by default. libxml_disable_entity_loader() is now deprecated. This will throw errors for essentially the same feature. Signed-off-by: Sem Schilder <[email protected]>
laminas · Nov 17, 2020 · e05e95e · e05e95e
1 parent cc9f12e
commit e05e95e
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/Security.php b/src/Security.php
@@ -43,7 +43,7 @@ protected static function heuristicScan($xml)
     private static function scanString($xml, DOMDocument $dom = null, $libXmlConstants, callable $callback)
     {
         // If running with PHP-FPM we perform an heuristic scan
-        // We cannot use libxml_disable_entity_loader because of this bug
+        // We cannot use because of this bug
         // @see https://bugs.php.net/bug.php?id=64938
         if (self::isPhpFpm()) {
             self::heuristicScan($xml);
@@ -55,7 +55,9 @@ private static function scanString($xml, DOMDocument $dom = null, $libXmlConstan
         }
 
         if (! self::isPhpFpm()) {
-            $loadEntities = libxml_disable_entity_loader(true);
+            if (\PHP_VERSION_ID < 80000) {
+                $loadEntities = libxml_disable_entity_loader(true);
+            }
             $useInternalXmlErrors = libxml_use_internal_errors(true);
         }
 
@@ -75,7 +77,9 @@ private static function scanString($xml, DOMDocument $dom = null, $libXmlConstan
         if (! $result) {
             // Entity load to previous setting
             if (! self::isPhpFpm()) {
-                libxml_disable_entity_loader($loadEntities);
+                if (\PHP_VERSION_ID < 80000) {
+                    libxml_disable_entity_loader($loadEntities);
+                }
                 libxml_use_internal_errors($useInternalXmlErrors);
             }
             return false;
@@ -94,7 +98,9 @@ private static function scanString($xml, DOMDocument $dom = null, $libXmlConstan
 
         // Entity load to previous setting
         if (! self::isPhpFpm()) {
-            libxml_disable_entity_loader($loadEntities);
+            if (\PHP_VERSION_ID < 80000) {
+                libxml_disable_entity_loader($loadEntities);
+            }
             libxml_use_internal_errors($useInternalXmlErrors);
         }