[pull] master from JamesHeinrich:master #76
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix a free format mp3 files
In 9ce8040 I introduced a divide-by-zero bug into the aspect ratio handling for MPEG-2 videos. In production at Wikipedia we've seen a few attempted uploads for files that trigger a divide by zero on the width, which either means corrupt files or something's wrong elsewhere. Unfortunately our logging doesn't include the files being uploaded, so I don't have a test case to analyze. But this workaround will at least avoid a fatal error that can't be caught. On our bug tracker: https://phabricator.wikimedia.org/T289189
Work around divide by zero bug in MPEG-2 aspect ratio
The action used to install Composer packages and handle the caching has released a new major (and some follow-up patch releases), which means, the action reference needs to be updated to benefit from it. Refs: * https://github.com/ramsey/composer-install/releases/tag/2.0.0 * https://github.com/ramsey/composer-install/releases/tag/2.0.1 * https://github.com/ramsey/composer-install/releases/tag/2.0.2
…action GH Actions: version update for `ramsey/composer-install`
[ASF] Improve support of Header Extension Object data
…place) of type array|string is deprecated
… of type string is deprecated
Fix a few PHP 8.1-related deprecations & improve support of animated gif files
Typo fixed in getid3/getid3.php
Add Installation docs
…, and add to the defences of XML entity injection. This PR adds LIBXML_WARNING, LIBXML_NONET and LIBXML_COMPACT (if supported), in addition to LIBXML_NOENT, to simplexml_load_string(), which is currently only used for parsing RIFF iXML (http://www.gallery.co.uk/ixml/) * LIBXML_NONET, to deny access to entites included remotely. This is the most interesting one, as there is other code nearby which is supposed to address the same issue. * LIBXML_NOWARNING, to suppress recoverable parsing warnings which we can't do anything about (and may even be deliberate) * If your version of libxml supports it, LIBXML_COMPACT, which is described at https://www.php.net/manual/en/libxml.constants.php/ as "Activate small nodes allocation optimization. This may speed up your application without needing to change the code." The gotcha is that the DOM is readonly, but we're not using this code to manipulate tags so that should be fine. I'll explain the rationale for each. Invalid XML / LIBXML_NOWARNING ============================== I encountered a .wav file with an iXML studio mastering tag in my collection. Here's an excerpt from the file: <?xml version="1.0" encoding="UTF-8"?> ... <PROJECT>Optiv & CZA - Invisible Things-13 Mixdown-32 NEW 1--22</PROJECT> ... <BWF_CODING_HISTORY>A=PCM,F=44100,W=16,T=SOUND FORGE Pro 12.1, </BWF_CODING_HISTORY> As you can see, the `<PROJECT>` tag is technically invalid because it has a nameless entity (`&`). The exact warning is `PHP Warning: simplexml_load_string(): Entity: line 3: parser error : xmlParseEntityRef: no name`. This is clearly both recoverable and harmless, and may even be intentional given that Sound Forge Pro 12 is not old (2018). Suppressing parser warnings seems to fit with the other warning suppressions nearby in the code. XML Inclusion / LIBXML_NONET ============================ This one's more interesting. In commit `afbdaa04` (2014) additional code was added by the wordpress team with the commit "improved XXE fix". The change adds option LIBXML_NOENT, and references the article http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html. The problem is that I think LIBXML_NOENT was a typo and should have been LIBXML_NONET. The article does not mention NOENT at all. Ironically, the NOENT option does the _exact opposite_ of what it sounds like it does - it *enables* entity parsing. Refs: * https://www.php.net/manual/en/libxml.constants.php - comment "The name of the constant LIBXML_NOENT is very misleading. Adding this flag actually causes the parser to load and insert the external entities. Omitting it leaves the tags untouched, which is probably what you want." * https://stackoverflow.com/q/38807506/367456 - "What does LIBXML_NOENT do (and why isn't it called LIBXML_ENT)?" I suspect this was a mistake by the original author. Nevertheless, it's fairly harmless to have entities enabled in the XML as long as it's not possible to do remote inclusions, and that's already disabled with `libxml_disable_entity_loader()`. Adding LIBXML_NONET (as referenced in the article to improve XXE defences) prevents libxml from using the network. I did not remove LIBXML_NOENT as theoretically you can define your own entites inline at the top of an XML doc, even though I very much doubt it would work properly if you did, given the first bug addressed in this PR. Performance / LIBXML_COMPACT ============================ If your version of libxml supports it this flag "Activate small nodes allocation optimization. This may speed up your application without needing to change the code." according to https://www.php.net/manual/en/libxml.constants.php . The gotcha is that the returned DOM object is readonly, but we're not using this code to manipulate a DOM so that should be fine.
Define options to suppress warnings generated by invalid iXML content, and add to the defences of XML entity injection.
The type has been identified. ($BitrateCache[$FrameLength]])
Ignore demos in gitattributes
#449 If a file contained Lyrics3 tags the getid3>option_tag_apetag flag was not respected, it now skips the tag check and appends a warning. Also Lyrics3 lyrics are now properly returned in the tags/comments structure.
I noticed a few action runners used are out of date. Most updates are related to the Node version the action runners use under the hood updating to Node 20. Not having those updates will become problematic soonish when GHA drops support for Node 16. So, instead of manually updating the workflows, I'm proposing enabling Dependabot to submit updates for the GHA runners. This should take care of it via Dependabot opening PRs to do the updates.
Add dependabot config
Bumps [ramsey/composer-install](https://github.com/ramsey/composer-install) from 2 to 3. - [Release notes](https://github.com/ramsey/composer-install/releases) - [Commits](ramsey/composer-install@v2...v3) --- updated-dependencies: - dependency-name: ramsey/composer-install dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…ramsey/composer-install-3 GH Actions: Bump ramsey/composer-install from 2 to 3
This will make it more intuitive for contributors to run PHPStan locally.
PHPStan keeps improving and adding more and better checks. Let's use the latest version to get the most benefit from it ;-) Includes ignoring one newly flagged issue and fixing another. ``` ------ --------------------------------------------------------------- Line module.audio-video.quicktime.php ------ --------------------------------------------------------------- 1653 Variable $altitude in empty() always exists and is not falsy. ------ --------------------------------------------------------------- ------ ----------------------------------------------------------------------------------------- Line module.audio-video.riff.php ------ ----------------------------------------------------------------------------------------- 101 Binary operation "+" between (float|int) and array|float|int|false results in an error. ------ ----------------------------------------------------------------------------------------- ```
PHPStan: update to latest version
* Builds against PHP 8.4 are no longer allowed to fail. * Add _allowed to fail_ build against PHP 8.5. Ref: https://www.php.net/releases/8.4/en.php
….4-release GH Actions: PHP 8.4 has been released
It's possible (if inadvisable) to have multiple entries with the same filename, getID3 will now show these. Breaking change: `[tar][file_details]` is now numeric-keyed rather than filename-keyed (the filename is still present under `[tar][file_details][#][name]`)
missing required file
Update demo.cache.dbm.php
+ Added $lock_filename property with PHPDoc + Modified lock file handling to use w+ mode + Added safe_close() method with error handling + Updated destructor to use safe_close() + Added try-catch blocks in constructor and analyze() + Changed dba_insert() to dba_replace() in analyze() + Added resource type checks before cleanup
Update extension.cache.dbm.php
Tiny refactoring for extension.cache.dbm.php based on some errors into logfile
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied
2D38
or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )