Merge branch 'PHP-7.0' into PHP-7.1

NEWS

@@ -74,6 +74,10 @@ PHP                                                                        NEWS
   . Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for
     non-existent directories). (vhuk)
 
+- Wddx:
+  . Fixed bug #72142 (WDDX Packet Injection Vulnerability in
+    wddx_serialize_value()). (Taoguang Chen)
+
 - XMLRPC:
   . Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing
     array elements). (Laruence)

ext/wddx/tests/bug72142.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Bug #72142: WDDX Packet Injection Vulnerability in wddx_serialize_value()
+--FILE--
+<?php
+
+$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
+var_dump($wddx);
+var_dump(wddx_deserialize($wddx));
+
+?>
+--EXPECT--
+string(301) "<wddxPacket version='1.0'><header><comment>&lt;/comment&gt;&lt;/header&gt;&lt;data&gt;&lt;struct&gt;&lt;var name=&quot;php_class_name&quot;&gt;&lt;string&gt;stdClass&lt;/string&gt;&lt;/var&gt;&lt;/struct&gt;&lt;/data&gt;&lt;/wddxPacket&gt;</comment></header><data><string></string></data></wddxPacket>"
+string(0) ""

ext/wddx/wddx.c

@@ -360,11 +360,18 @@ void php_wddx_packet_start(wddx_packet *packet, char *comment, size_t comment_le
 {
 	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
 	if (comment) {
+		char *escaped;
+		size_t escaped_len;
+		escaped = php_escape_html_entities(
+			comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
 		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
 		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
-		php_wddx_add_chunk_ex(packet, comment, comment_len);
+		php_wddx_add_chunk_ex(packet, escaped, escaped_len);
 		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
 		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
+
+		str_efree(escaped);
 	} else {
 		php_wddx_add_chunk_static(packet, WDDX_HEADER);
 	}