pfSense

Reading through the various notes for 7.4 (https://www.php.net/manual/en/migration74.php), the only bits which stand out are:

https://www.php.net/manual/en/migration74.incompatible.php

htmlentities() function

htmlentities() will now raise a notice (instead of a strict standards warning) if it is used with an encoding for which only basic entity substitution is supported, in which case it is equivalent to htmlspecialchars().

-- This does not appear as if it would affect any of our uses of the function. I don't see where we set any specific encodings in the ~40 uses in the main repo. We may still be on the lookout for these notices just in case.

The openssl_random_pseudo_bytes() function will now throw an exception in error situations, similar to random_bytes(). In particular, an Error is thrown if the number of requested bytes is less than or equal to zero, and an Exception is thrown if sufficient randomness cannot be gathered. The $crypto_strong output argument is guaranteed to always be TRUE if the function does not throw, so explicitly checking it is not necessary.

-- There is one use of that function in source:src/usr/local/www/services_dhcp.php#L301 - it may need wrapped in a try and such to handle that potential error case.

Calling get_object_vars() on an ArrayObject instance will now always return the properties of the ArrayObject itself (or a subclass). Previously it returned the values of the wrapped array/object unless the ArrayObject::STD_PROP_LIST flag was specified.

-- The one instance of this I can find ( source:src/etc/inc/dyndns.class#L1173 ) appears to be OK when I run it in PHP 7.4, but we may still want to be wary of any other uses.

https://www.php.net/manual/en/migration74.deprecated.php

Nested ternary operations must explicitly use parentheses to dictate the order of the operations. Previously, when used without parentheses, the left-associativity would not result in the expected behaviour in most cases.

-- This was hard to grep for but I did find one instance in Factory (src/usr/local/www/switch_vlans_edit.php:430), and that one instance appears to be OK as it properly uses parenthesis.

Passing invalid characters to base_convert(), bindec(), octdec() and hexdec() will now generate a deprecation notice. The result will still be computed as if the invalid characters did not exist. Leading and trailing whitespace, as well as prefixes of type 0x (depending on base) continue to be allowed.

-- Several uses of these but at least at a glance they appear to be using OK data sources like data which has already been validated as a MAC address, IPv6 address, etc. There are a few uses that trust output from other programs like ifconfig or 3gstats to be sane, so we may still want to be wary.

Using array_key_exists() on objects is deprecated. Instead either isset() or property_exists() should be used.

-- Hard to check for this but we don't use a lot of objects in general, especially not in that kind of way, so it may be safe.

Passing parameters to implode() in reverse order is deprecated, use implode($glue, $parts) instead of implode($parts, $glue).

-- Two instances in base need fixed:

src/usr/local/www/diag_states_summary.php:130:    return implode($ports, ', ');
src/usr/local/www/diag_packet_capture.php:550:        $matchstr = implode($matches, " and ");