Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

Do not allow to change XML external entities processing in the global scope

Download Browse

Starting LibXML 2.9.0 external entity loading is disabled by default, that means it becomes unnecessary to explicitly disable it at the beginning of the script. CentOS 7 comes LibXML 2.9.1 so all the OS supported by Tuleap is safe by default. This change allow us to remove our PHPUnit extension that was checking if the XML entity loading was put back in the appropriate state after each test. It is also good for the global security of Tuleap because it is not possible anymore to leave the XML external entity loading in a dangerous state by mistake. The usage of \libxml_disable_entity_loader() is banned in the codebase thanks to PHPCS. It also helps reducing (a bit) the usage of \libxml_disable_entity_loader() which is needed because PHP 8.0 deprecates its usage [0]. Part of request #17931: Unit tests should pass with PHP 8.0 [0] https://github.com/php/php-src/blob/php-8.0.0RC3/UPGRADING#L873 Change-Id: I26b0d13434d9d4645c755c8d9239d8a8bae3a61a

+49 −243
Thomas Gerbet (tgerbet) 2020-11-27 18:48
Thomas Gerbet (tgerbet) 2020-11-27 18:48
6cd1f2fd80b4830dd8c0bfdf58039dbd307794e7
110ac242ab0c277a2cdcdc2803f8ff26d78a6db0
git #tuleap/stable/6cd1f2fd80b4830dd8c0bfdf58039dbd307794e7

Modified Files

Side by side diff
Inline diff
Name
M plugins/docman/bin/DocmanImport/ImportFromDocmanV1.class.php +7 −5 Go to diff View file
M plugins/docman/bin/DocmanImport/XMLDocmanImport.class.php +14 −13 Go to diff View file
M plugins/mediawiki/www/LocalSettings.php +1 −2 Go to diff View file
M plugins/statistics/include/statisticsPlugin.php +3 −4 Go to diff View file
M src/common/soap/TuleapSOAPServer.class.php +3 −4 Go to diff View file
M src/common/xml/Security.class.php +7 −25 Go to diff View file
M src/www/include/pre.php +0 −3 Go to diff View file
M src/www/soap/index.php +3 −4 Go to diff View file
M src/www/soap/project/index.php +5 −4 Go to diff View file
M src/www/soap/svn/index.php +5 −4 Go to diff View file
D tests/lib/PHPUnit/XMLEntityLoadingNotRestoredToDisabledState.php +0 −41 Go to diff View file
M tests/phpcs/non-psr-rules.xml +1 −0 Go to diff View file
D tests/unit/common/xml/SecurityTest.php +0 −61 Go to diff View file
M tests/unit/phpunit.xml +0 −1 Go to diff View file
D tests/unit/tests/PHPUnit/XMLEntityLoadingNotRestoredToDefaultStateTest.php +0 −56 Go to diff View file
M tests/unit/tests/Psalm/PsalmCILauncherTest.php +0 −16 Go to diff View file