Commit Graph

14082 Commits

Author SHA1 Message Date
Niels Dossche
0d07b6d647 Add missing check on EVP_VerifyUpdate() in phar util
Closes GH-11640.
2023-07-09 22:54:27 +02:00
Niels Dossche
3ccd8d7866 Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION
Previously this caused a SIGABRT.

Closes GH-11639.
2023-07-08 21:32:10 +02:00
Niels Dossche
bbe72f160d [ci skip] NEWS
The alphabet is hard...
2023-07-07 19:26:58 +02:00
Adam Saponara
119b062169 Fix GH-9669: phpdbg -h options doesn't list the -z option
Adds `-z` flag in phpdbg output.

Closes GH-9713.
2023-07-07 19:16:32 +02:00
Niels Dossche
c962a96c34 Fix GH-10562: Memory leak and invalid state with consecutive ftp_nb_fget
When the user does not fully consume the data stream, but instead opens
a new one, a memory leak occurs. Moreover, the state is invalid: when
more commands arrive they'll be handled out-of-sync because the state of
the client does not match what the server is doing.
This leads to all sorts of weirdness, for example:
  Warning: ftp_nb_fget(): OK.

Fix it by gracefully closing the old data stream when a new data stream
is started.

Closes GH-11606.
2023-07-07 17:55:53 +02:00
Niels Dossche
824d1f95ad Fix replaced error handling in SQLite3Stmt::__construct
The error handling is replaced using zend_replace_error_handling(), but
when SQLITE3_CHECK_INITIALIZED() returns early, the old error handling
isn't restored.

In the past, SQLITE3_CHECK_INITIALIZED() threw a warning when the check
failed. This was replaced a few years ago with an error exception. So we
can fix the bug by just removing the replacing error handling as it
accomplishes nothing anymore.

Closes GH-11607.
2023-07-07 10:24:54 +02:00
Michael Orlitzky
0aaad46c15 Fix most external GD 2.3.3 compatibility
* ext/gd/tests/bug45799.phpt: tweak to work with external gd.

The expected output from this test contains an extra newline with
gd-2.3.3 from the system (Gentoo). Adding a whitespace wildcard takes
care of it, and the test still passes with the bundled version of gd.

* ext/gd/tests: external gd-2.3.3 compatibility.

Support for the legacy "gd" image format was removed from gd-2.3.3
upstream:
  https://github.com/libgd/libgd/blob/master/CHANGELOG.md#233---2021-09-12

Several tests for the gd extension utilize that format, and naturally
fail when gd-2.3.3 from the system is used. This commit skips those
tests when the version of gd is at least 2.3.3.

* ext/gd/tests/bug73159.phpt: skip with external gd >= 2.3.3

This test uses the imagegd2() function to check that
  https://github.com/libgd/libgd/issues/289

is fixed. When an external gd without support for the "gd" format is
used, no error is thrown, but a nonsense result is printed: this is
normal. The corresponding upstream test is disabled in that situation;
it's not expected to work.

This commit skips the corresponding PHP test under the same
circumstances to fix a test failure with external gd >= 2.3.3.

* ext/gd/tests/bug73155.phpt: skip with external gd >= 2.3.3

This test uses the imagegd2() function to check that
  https://github.com/libgd/libgd/issues/309

is fixed. When an external gd without support for the "gd" format is
used, no error is thrown, but a nonsense result is printed: this is
normal. The corresponding upstream test is disabled in that situation;
it's not expected to work.

This commit skips the corresponding PHP test under the same
circumstances to fix a test failure with external gd >= 2.3.3.

* ext/gd/tests/bug73157.phpt: skip with external gd >= 2.3.3

This test ensures that the third (chunk_size) parameter to imagegd2()
is respected when a fourth parameter is also given. However, when an
external gd without support for the "gd" format is used, the call to
imagegd2() does not really work at all. It doesn't fail, but it
produces an "image" with a nonsense chunk size.

To avoid failures when an external gd >= 2.3.3 is used, we skip the
test entirely in that case.

* ext/gd/tests/bug77973.phpt: accept lowercase "Invalid"

This test fails with an external gd because the test expects "Invalid"
where upstream gd says "invalid". This commit tweaks the expected
output to accept an arbitrary character in the i/I position.

* ext/gd/tests/bug39780_extern.phpt: update for external gd-2.3.3.

Since there are no CI runs with external gd, I can only assume that
this test has fallen out-of-date due to changes in PHP itself. I've
tweaked the expected output (only slightly) so that the test passes
with both gd-2.3.2 and gd-2.3.3.

* ext/gd/tests/bug66356.phpt: update expected output for external gd.

Newer (external) versions of GD start their error messages with
lowercase characters, whereas this test is expecting them in
uppercase. A single-character wildcard now supports both formats.

* ext/gd/tests/imagegd_truecolor.phpt: skip with external gd >= 2.3.3.

This test uses the imagegd() function, but the "gd" format has been
disabled by default in upstream gd-2.3.3. We still get some kind of
image data back from the call to imagegd(), but its "signature",
"truecolor", and "size" no longer match the expected values. This
commit skips the test when an external gd >= 2.3.3 is used.

* ext/gd/tests/createfromwbmp2_extern.phpt: update for external gd-2.3.3.
* ext/gd/tests/libgd00086_extern.phpt: update for external gd-2.3.3.

Since there are no CI runs with external gd, I can only assume that
this test has fallen out-of-date due to changes in PHP itself. I've
tweaked the expected output (only slightly) so that the test passes
with both gd-2.3.2 and gd-2.3.3.

* ext/gd/tests/bug77272.phpt: update expected output for external gd.

Newer (external) versions of GD start their error messages with
lowercase characters, whereas this test is expecting them in
uppercase. A single-character wildcard now supports both formats.

* ext/gd/tests/bug77479.phpt: update for newer external gd.

This test fails with gd-2.3.3 (at least) due to minor capitalization
and whitespace issues. We add some wildcards to account for the
difference.

Closes GH-11257.
Closes GH-11262.
Closes GH-11264.
Closes GH-11280.
2023-07-06 21:39:40 +02:00
Ilija Tovilo
84a2e48050
Fix use-of-uninitialized-value with ??= on assert
Normally, PHP evaluates all expressions in offsets (property or array), as well
as the right hand side of assignments before actually fetching the offsets. This
is well explained in this blog post.

https://www.npopov.com/2017/04/14/PHP-7-Virtual-machine.html#writes-and-memory-safety

For ??= we have a bit of a problem in that the rhs must only be evaluated if the
lhs is null or undefined. Thus, we have to first compile the lhs with BP_VAR_IS,
conditionally run the rhs and then re-fetch the lhs with BP_VAR_W to to make
sure the offsets are valid if they have been invalidated.

However, we don't want to just re-evaluate the entire lhs because it may contain
side-effects, as in $array[$x++] ??= 42;. In this case, we don't want to
re-evaluate $x++ because it would result in writing to a different offset than
was previously tested. The same goes for function calls, like
$array[foo()] ??= 42;, where the second call to foo() might result in a
different value. PHP behaves correctly in these cases. This is implemented by
memoizing sub-expressions in the lhs of ??= and reusing them when compiling the
lhs for the second time. This is done for any expression that isn't a variable,
i.e. anything that can (potentially) be written to.

Unfortunately, this also means that function calls are considered writable due
to their return-by-reference semantics, and will thus not be memoized. The
expression foo()['bar'] ??= 42; will invoke foo() twice. Even worse,
foo(bar()) ??= 42; will call both foo() and bar() twice, but
foo(bar() + 1) ??= 42; will only call foo() twice. This is likely not by design,
and was just overlooked in the implementation. The RFC does not specify how
function calls in the lhs of the coalesce assignment behaves. This should
probably be improved in the future.

Now, the problem this commit actually fixes is that ??= may memoize expressions
inside assert() function calls that may not actually execute. This is not only
an issue when using the VAR in the second expression (which would usually also
be skipped) but also when freeing the VAR. For this reason, it is not safe to
memoize assert() sub-expressions.

There are two possible solutions:

1. Don't memoize any sub-expressions of assert(), meaning they will execute
   twice.
2. Throw a compile error.

Option 2 is not quite simple, because we can't disallow all memoization inside
assert(), as that would break assertions like assert($array[foo()] ??= 'bar');.
Code like this is highly unlikely (and dubious) but possible. In this case, we
would need to make sure that a memoized value could not be used across the
assert boundary it was created in. The complexity for this is not worthwhile. So
we opt for option 1 and disable memoization immediately inside assert().

Fixes GH-11580
Closes GH-11581
2023-07-06 09:38:41 +02:00
Niels Dossche
ee42621ff6 Fix GH-11300: license issue: restricted unicode license headers
Closes GH-11572.
2023-07-01 21:55:21 +02:00
Anatol Belski
928fc68c9e NEWS: Add note for #11298
[ci skip]

Signed-off-by: Anatol Belski <ab@php.net>
2023-07-01 18:56:07 +02:00
Ilija Tovilo
d7d36692fd
Fix serialization of RC1 objects appearing in object graph twice
Previously, if an object had RC1 it would never be recorded in
php_serialize_data.ht because it was assumed that it could not be encountered
again. This assumption is incorrect though as the object itself may be saved
inside an array with RCn. This results in a new instance of the object, instead
of a second reference to the same object.

This is solved by tracking these objects in php_serialize_data.ht. To retain
performance, track if the current object resides in a potentially nested RCn
array. If not, and if the object is RC1 itself it may be omitted from
php_serialize_data.ht.

Additionally, we may treat the array root itself as RC1 because it may not
appear in the object graph again without recursion. Recursive arrays are still
somewhat broken even with this change, as the tracking of the array only happens
when the reference is encountered, thus resulting in a -> a' -> a' for a self
recursive array a -> a. Recursive arrays have limited support in serialize
anyway, so we ignore this case for now.

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Martin Hoch <martin@littlerobot.de>

Closes GH-11349
Closes GH-11305
2023-06-28 21:15:03 +02:00
Ilija Tovilo
dc73b73f8b
Fix mis-compilation of by-reference nullsafe operator
Fixes oss-fuzz #60011
Closes GH-11540

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
2023-06-28 20:35:29 +02:00
SVGAnimate
3483229199 Fix GH-11522: PHP version check fails with '-' separator
Remove php version suffix from '-' separator.

Closes GH-11524.
2023-06-27 18:28:04 +02:00
Jonas
1d369a871d Fix context option check for "overwrite" in FTP
Use zend_is_true() to read value of FTP context option "overwrite".

Closes GH-11332.
2023-06-27 17:53:45 +02:00
nielsdos
f39b513916 Fix GH-11498: SIGCHLD is not always returned from proc_open
Linux, and maybe other unixes, may merge multiple standard signals into
a single one. This causes issues when keeping track of process IDs.
Solve this by manually checking which children are dead using waitpid().

Test case is based on taka-oyama's test code.

Closes GH-11509.
2023-06-23 21:56:21 +02:00
nielsdos
1111a9517b Fix interrupted CLI output causing the process to exit
When writing the output in the CLI is interrupted by a signal, the
writing will fail in sapi_cli_single_write(), causing an exit later in
sapi_cli_ub_write(). This was the other part of the issue in GH-11498.
The solution is to restart the write if an EINTR has been observed.

Closes GH-11510.
2023-06-23 17:39:04 +02:00
Vinicius Dias
039dd0b4bd Fix GH-11492: Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt
Closes GH-11494.
2023-06-22 20:49:00 +02:00
Derick Rethans
0747616f84 Fixed GH-11368: Date modify returns invalid datetime 2023-06-22 17:58:19 +01:00
Ilija Tovilo
f160eff441
Remove session ID set through REQUEST_URI 2023-06-22 12:35:55 +02:00
Michael Voříšek
466fc78d2c
Mangle PCRE regex cache key with JIT option
Closes GH-11396
2023-06-22 11:08:54 +02:00
Remi Collet
2be4d91f82
[ci skip] add CVE in NEWS 2023-06-22 08:04:56 +02:00
Patrick Allaert
6c4b1e0417
PHP-8.1 is now for PHP 8.1.22-dev 2023-06-20 16:07:05 +02:00
nielsdos
c174ebfce0 Revert "Fix GH-11404: DOMDocument::savexml and friends ommit xmlns="" declaration for null namespace, creating incorrect xml representation of the DOM"
This reverts commit 7eb3e9cd17.

Although the fix follows the spec, it causes issues because a lot of old
code assumes the incorrect behaviour PHP had since a long time.
We cannot do this yet, especially not in a stable release.
We revert this for the time being.
See GH-11428.
2023-06-19 19:37:46 +02:00
Niels Dossche
9f7d88802e Fix #80332: Completely broken array access functionality with DOMNamedNodeMap
The problem is the usage of zval_get_long(). In particular, if the
string is non-numeric the result of zval_get_long() will be 0 without
giving an error or warning. This is misleading for users: users get the
impression that they can use strings to access the map because it
coincidentally works for the first item (which is at index 0). Of
course, this fails with any other index which causes confusion and bugs.

This patch adds proper support for using string offsets while accessing
the map. It does so by detecting if it's a non-numeric string, and then
using the getNamedItem() method instead of item(). I had to split up the
array access implementation code for DOMNodeList and DOMNamedNodeMap
first to be able to do this.

Closes GH-11468.
2023-06-18 14:59:19 +02:00
David CARLIER
f194cdf852 ext/pgsql: fix PGtrace invalid free issue.
disable trace when closing the connection, is a no op if there is no stream
attached to it.

Close GH-11403
2023-06-18 13:44:39 +01:00
nielsdos
7eb3e9cd17 Fix GH-11404: DOMDocument::savexml and friends ommit xmlns="" declaration for null namespace, creating incorrect xml representation of the DOM
The NULL namespace is only correct when there is no default namespace
override. When there is, we need to manually set it to the empty string
namespace.

Closes GH-11428.
2023-06-17 13:36:00 +02:00
nielsdos
b30be40b86 Fix bug #55294 and #47530 and #47847: namespace reconciliation issues
We'll use the DOM wrapper version of libxml2 instead of the regular one.
It's conforming to the behaviour we expect of DOM.
Most of this patch is tests.

I based and extended the tests on the code attached with the aforementioned
bug reports. Therefore the credits for the tests:
Co-authored-by: hilse at web dot de
Co-authored-by: robin2008 at altruists dot org
Co-authored-by: sgunderson at bigfoot dot com

We'll also change the searching point of the internal reconciliation to
start at the top of the added tree to avoid redundant work now that the
function is changed.

Closes GH-11454.
2023-06-15 21:50:00 +02:00
Peter
4fcb3e0d34 Fix cross-compilation check in phar generation for FreeBSD
FreeBSD's shell is very POSIX strict. This patch makes sure it works
correctly under FreeBSD too.

Closes GH-11441.
2023-06-13 19:09:58 +02:00
nielsdos
a8a3b99e00 Fix GH-11433: Unable to set CURLOPT_ACCEPT_ENCODING to NULL
Closes GH-11446.
2023-06-13 17:30:57 +02:00
Niels Dossche
10d94aca4c Fix "invalid state error" with cloned namespace declarations
Closes GH-11429.
2023-06-13 17:30:18 +02:00
Niels Dossche
e309fd8461 Fix lifetime issue with getAttributeNodeNS()
It's the same issue that I fixed previously in GH-11402, but in a
different place.

Closes GH-11422.
2023-06-13 17:29:37 +02:00
nielsdos
f2d673fb18 Fix #70359 and #78577: segfaults with DOMNameSpaceNode
* Fix type confusion and parent reference
* Manually manage the lifetime of the parent
* Add regression tests
* Break out to a helper, and apply the use-after-free fix to xpath

Closes GH-11402.
2023-06-09 21:35:55 +02:00
James Lucas
fd09728bb6
Fix bug GH-9356: Incomplete SAN validation of IPv6 address
IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.

Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.

Closes GH-11145
2023-06-09 16:33:46 +01:00
Pierrick Charron
5604f7ae22
Update NEWS 2023-06-06 18:06:13 -04:00
Niels Dossche
0e34ac864a Fix bug #77686: Removed elements are still returned by getElementById
From the moment an ID is created, libxml2's behaviour is to cache that element,
even if that element is not yet attached to the document. Similarly, only upon
destruction of the element the ID is actually removed by libxml2.
Since libxml2 has such behaviour deeply ingrained in the library, and uses the
cache for various purposes, it seems like a bad idea and lost cause to fight it.
Instead, we'll simply walk the tree upwards to check if the node is attached to
the document.

Closes GH-11369.
2023-06-04 16:20:34 +02:00
Niels Dossche
23f7002527 Fix bug #81642: DOMChildNode::replaceWith() bug when replacing a node with itself
Closes GH-11363.
2023-06-04 16:19:48 +02:00
Niels Dossche
b1d8e240e6 Fix bug #67440: append_node of a DOMDocumentFragment does not reconcile namespaces
The test was amended from the original issue report. For the test:
Co-authored-by: php@deep-freeze.ca

The problem is that the regular dom_reconcile_ns() only works on a
single node. We actually have to reconciliate the whole tree in case a
fragment was added. This also required to move some code around such
that this special case could be handled separately.

Closes GH-11362.
2023-06-04 16:19:04 +02:00
nielsdos
7812772105 Fix GH-11347: Memory leak when calling a static method inside an xpath query
It's a type confusion bug. `zend_make_callable` may change the function name
of the fci to become an array, causing a crash in debug mode on
`zval_ptr_dtor_str(&fci.function_name);` in `dom_xpath_ext_function_php`.
On a production build it doesn't crash but only causes a leak, because
the array elements are not destroyed, only the array container itself
is. We can use the nogc variant because it cannot contain cycles, the
potential array can only contain 2 strings.

Closes GH-11350.
2023-05-31 17:14:57 +02:00
James Lucas
c6ae7a55b7
Fix bug GH-11246 cli/get_set_process_title
Fail to clobber_error only when the argv is a non-contiguous area
Don't increment the end_of_error if a non-contiguous area is encountered in environ

Closes GH-11247
2023-05-31 17:08:37 +02:00
nielsdos
b374ec399d Fix DOMElement::append() and DOMElement::prepend() hierarchy checks
We could end up in an invalid hierarchy, resulting in infinite loops and
eventual crashes if we don't check for the DOM hierarchy validity.

Closes GH-11344.
2023-05-30 17:36:26 +02:00
Niels Dossche
154c251013 Fix spec compliance error for DOMDocument::getElementsByTagNameNS
Spec link: https://dom.spec.whatwg.org/#concept-getelementsbytagnamens
Spec says we should match any namespace when '*' is provided. This was
however not the case: elements that didn't have a namespace were not
returned. This patch fixes the error by modifying the namespace check.

Closes GH-11343.
2023-05-30 17:35:38 +02:00
Niels Dossche
9c59d22a7b Fix GH-11336: php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked
I chose to check for the value of lock_file instead of checking the
file_cache_only, because it is probably a little bit faster and we're
going to access the lock_file variable anyway. It's also more generic.

Closes GH-11341.
2023-05-30 17:32:02 +02:00
Niels Dossche
bce536067c Fix GH-11338: SplFileInfo empty getBasename with more than one slash
Regressed in 13e4ce386b.

Closes GH-11340.
2023-05-30 17:29:18 +02:00
divinity76
761b9a44f8 Fix return value in stub file for DOMNodeList::item
Not explicitly documenting the possibility of returning DOMElement causes
the Intelephense linter (a popular PHP linter with ~9 million downloads:
https://marketplace.visualstudio.com/items?itemName=bmewburn.vscode-intelephense-client)
to think this code is bad:

  $xp->query("whatever")->item(0)->getAttribute("foo");

DOMNode does not have getAttribute (while DOMElement does).
Documenting the DOMElement return type should fix Intelephense's linter.

Closes GH-11342.
2023-05-29 18:49:26 +02:00
Niels Dossche
c473787abb Fix GH-10234: Setting DOMAttr::textContent results in an empty attribute value
We can't directly call xmlNodeSetContent, because it might encode the string
through xmlStringLenGetNodeList for types
XML_DOCUMENT_FRAG_NODE, XML_ELEMENT_NODE, XML_ATTRIBUTE_NODE.
In these cases we need to use a text node to avoid the encoding.
For the other cases, we *can* rely on xmlNodeSetContent because it is either
a no-op, or handles the content without encoding and clears the properties
field if needed.

The test was taken from the issue report, for the test:
Co-authored-by: ThomasWeinert <thomas@weinert.info>

Closes GH-10245.
2023-05-29 14:10:59 +02:00
Daniil Gentili
1dfa277a96 Fix GCC 12 compilation on riscv64
Close GH-11321
2023-05-27 16:37:19 +01:00
nielsdos
cba335d61e Fix GH-11288 and GH-11289 and GH-11290 and GH-9142: DOMExceptions and segfaults with replaceWith
This replaces the implementation of before and after with one following
the spec very strictly, instead of trying to figure out the state we're
in by looking at the pointers. Also relaxes the condition on text node
copying to prevent working on a stale node pointer.

Closes GH-11299.
2023-05-25 23:04:19 +02:00
KoudelkaB
8946b7b141
Access violation when ALLOC_FALLBACK fixed
Close GH-11312
2023-05-25 11:01:17 +02:00
nielsdos
6267601f84 Fix allocation loop in zend_shared_alloc_startup()
The break is outside the if, so if it succeeds or not this will always
stop after the first loop iteration instead of trying more allocators if
the first one fails.

Closes GH-11306.
2023-05-24 20:09:14 +02:00
Ilija Tovilo
b2ec6c24f8
Fix exception handling in array_multisort()
Closes GH-11302
2023-05-24 13:55:25 +02:00