Page MenuHomePhabricator

Suppress PHP 8 deprecation warning in __arcanist_init_script__
ClosedPublic

Authored by jrtc27 on Sun, Jan 10, 9:54 PM.

Details

Summary

As of PHP 8, the XML entity loader is disabled by default and the
libxml_disable_entity_loader function is deprecated. Thus suppress the
deprecation warning for now; we could skip the function call, but this
is safer.

Test Plan

Used to create this revision with PHP 8 on macOS

Diff Detail

Repository
rARC Arcanist
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Owners added a reviewer: Unknown Object (Owners Package).Sun, Jan 10, 9:54 PM
epriestley removed a reviewer: Unknown Object (Owners Package).Sun, Jan 10, 9:55 PM

What's the specific issue you run into with PHP8 with the existing code -- the function emits a deprecation warning when called?

Since the attack surface on the XML entity loader is huge/scary (historically, see D8049), I'd prefer to continue explicitly disabling it if we can. Although there's probably no real risk, I can imagine scenarios like some distro shipping a version of PHP which enables it by default, or users enabling it by default because they run some other software that needs it alongside Phabricator. In these cases, we're a little better off at runtime if we continue disabling the loader.

If this just raises a deprecation warning under PHP8, I'd be more comfortable "fixing" it by suppressing the warning with @ (so @libxml_disable_entity_loader(true); -- not sure how familiar you are with PHP) so that we're still making sure the loader is disabled. Is that reasonable, or does it create more problems?

This revision now requires changes to proceed.Sun, Jan 10, 10:08 PM

Suppress deprecation warning with @ rather than skip the function call.

What's the specific issue you run into with PHP8 with the existing code -- the function emits a deprecation warning when called?

Since the attack surface on the XML entity loader is huge/scary (historically, see D8049), I'd prefer to continue explicitly disabling it if we can. Although there's probably no real risk, I can imagine scenarios like some distro shipping a version of PHP which enables it by default, or users enabling it by default because they run some other software that needs it alongside Phabricator. In these cases, we're a little better off at runtime if we continue disabling the loader.

If this just raises a deprecation warning under PHP8, I'd be more comfortable "fixing" it by suppressing the warning with @ (so @libxml_disable_entity_loader(true); -- not sure how familiar you are with PHP) so that we're still making sure the loader is disabled. Is that reasonable, or does it create more problems?

Yeah, you just get a couple of annoying:

Deprecated: Function libxml_disable_entity_loader() is deprecated in /Users/Jess/Git/arcanist/support/init/init-script.php on line 98
jrtc27 retitled this revision from Fix PHP 8 deprecation warning in __arcanist_init_script__ to Suppress PHP 8 deprecation warning in __arcanist_init_script__.Sun, Jan 10, 10:19 PM
jrtc27 edited the summary of this revision. (Show Details)

Ah, great. Making this variation of the change will probably never actually matter compared to the first version, but I'll sleep at least a little better at night.

This revision is now accepted and ready to land.Sun, Jan 10, 10:20 PM

In trying to arc diff --update this I got an exception (but it worked with --head, which I had been using to submit each commit of the patch series). What's the best way to test out arc itself and reproduce that? Use admin.phacility.com to get a testing instance?

Feel free to test against secure within reason if that's easier. These patches might not seem like a big deal, but stuff like this which just makes my life easier is incredibly rare, so make yourself at home.

Otherwise, admin should work. If you want to sign up for a permanent instance, just shoot me a message via the Support interface and I can credit it indefinitely so you don't lose your config after a week (it won't ask for a card or anything).