As of PHP 8, the XML entity loader is disabled by default and the
libxml_disable_entity_loader function is deprecated. Thus suppress the
deprecation warning for now; we could skip the function call, but this
is safer.
Details
- Reviewers
epriestley - Group Reviewers
Blessed Reviewers - Maniphest Tasks
- T13588: PHP 8 Compatibility
- Commits
- rARC930f7e117d81: Suppress PHP 8 deprecation warning in __arcanist_init_script__
- Required Signatures
L28 Phacility Individual Contributor License Agreement
Used to create this revision with PHP 8 on macOS
Diff Detail
- Repository
- rARC Arcanist
- Branch
- php-8
- Lint
Lint Skipped - Unit
Tests Skipped - Build Status
Buildable 24976 Build 34466: arc lint + arc unit
Event Timeline
What's the specific issue you run into with PHP8 with the existing code -- the function emits a deprecation warning when called?
Since the attack surface on the XML entity loader is huge/scary (historically, see D8049), I'd prefer to continue explicitly disabling it if we can. Although there's probably no real risk, I can imagine scenarios like some distro shipping a version of PHP which enables it by default, or users enabling it by default because they run some other software that needs it alongside Phabricator. In these cases, we're a little better off at runtime if we continue disabling the loader.
If this just raises a deprecation warning under PHP8, I'd be more comfortable "fixing" it by suppressing the warning with @ (so @libxml_disable_entity_loader(true); -- not sure how familiar you are with PHP) so that we're still making sure the loader is disabled. Is that reasonable, or does it create more problems?
Yeah, you just get a couple of annoying:
Deprecated: Function libxml_disable_entity_loader() is deprecated in /Users/Jess/Git/arcanist/support/init/init-script.php on line 98
Ah, great. Making this variation of the change will probably never actually matter compared to the first version, but I'll sleep at least a little better at night.
In trying to arc diff --update this I got an exception (but it worked with --head, which I had been using to submit each commit of the patch series). What's the best way to test out arc itself and reproduce that? Use admin.phacility.com to get a testing instance?
Feel free to test against secure within reason if that's easier. These patches might not seem like a big deal, but stuff like this which just makes my life easier is incredibly rare, so make yourself at home.
Otherwise, admin should work. If you want to sign up for a permanent instance, just shoot me a message via the Support interface and I can credit it indefinitely so you don't lose your config after a week (it won't ask for a card or anything).