Comment 11 for bug 1340151

Aaron Wells (u-aaronw) wrote :

Okay, I wrote up a little test script to check for this. Ubuntu 14.04 is still on PHP 5.5.9, so it is still affected by this bug (not patched in 5.5 until 5.5.23).

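    <pre><?php
    // The setter returns the value that was in effect before the call,
    // so set it once to read the current state...
    $before = libxml_disable_entity_loader(true);
    // ...then put the original value straight back.
    libxml_disable_entity_loader($before);
    var_dump($before);
    exit();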

This will basically find out the state of the XML entity loader (true means you can load them; false means you can't), and print that out.

When I run this on a CLI script, or in a newly restarted Apache site, it always returns false.

When I install Mahara and load up the Mahara front page, and then access this page via the web browser, it intermittently returns true. The intermittency is because this setting leaks across processes (and maybe also threads, but my Apache is unthreaded). So in my case, if I hit a process that had previously served Mahara, it came back true, otherwise, it came back false.

Tweaking my Apache config file /etc/apache2/mods-enabled/mpm_prefork.conf to force Apache to use only one worker process, I found that it returned true every time after I hit Mahara.

    <IfModule mpm_prefork_module>
        # StartServers 5
        # MinSpareServers 5
        # MaxSpareServers 10
        # MaxRequestWorkers 150
        # MaxConnectionsPerChild 0
        StartServers 1
        MinSpareServers 1
        MaxSpareServers 1
        MaxConnectionsPerChild 0
        MaxRequestWorkers 1
        ServerLimit 1
    </IfModule>

Note that if you use this configuration to test, the Mahara front page takes a long time to load! :-D Because the request for every image, CSS, and JS file must be made one at a time. I worked around that by calling the front page via CURL, which doesn't automatically attempt to load any assets.

After I loaded the code in patch 5738 and rebooted Apache, I found that after hitting the front page of Mahara, the state of libxml_disable_entity_loader() did not change! So I think we can call that a success. Although to be more thorough I should also hit some of the code that temporarily enables it.

Cheers,
Aaron
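
Added example, not part of the original comment and not the code in patch 5738: one way for code that changes the entity loader setting temporarily to put it back before the request ends, so a reused worker process does not carry the changed value into the next request. The helper names `with_entity_loader_flag()` and `entity_loader_flag()` and the sample XML are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helpers, not Mahara's code.
// Note: libxml_disable_entity_loader() is deprecated as of PHP 8.0.

/**
 * Run $fn with the libxml_disable_entity_loader() flag set to $disable,
 * then restore the flag to its earlier value, even if $fn throws.
 */
function with_entity_loader_flag($disable, callable $fn)
{
    // The setter returns the value that was in effect before the call.
    $previous = libxml_disable_entity_loader($disable);
    try {
        return $fn();
    } finally {
        // Runs on normal return and on exception (PHP 5.5+).
        libxml_disable_entity_loader($previous);
    }
}

/** Read the current flag without leaving it changed (same trick as the probe). */
function entity_loader_flag()
{
    $current = libxml_disable_entity_loader(true);
    libxml_disable_entity_loader($current);
    return $current;
}

// Constructed sample input.
$xml = '<?xml version="1.0"?><feed><title>constructed sample</title></feed>';
$start = entity_loader_flag();

// Parse a string with external entity loading switched off for the call only.
$title = with_entity_loader_flag(true, function () use ($xml) {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    return $doc->getElementsByTagName('title')->item(0)->textContent;
});

// A failing parse must not leave the flag changed either.
try {
    with_entity_loader_flag(true, function () {
        throw new RuntimeException('parse failed');
    });
} catch (RuntimeException $e) {
    // Expected in this demonstration.
}

// The flag is back at its starting value after both calls.
var_dump($title, entity_loader_flag() === $start);
```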