Setting the stream context via php_stream_context_to_zval() will
increase the reference count. So if the new context is created, then it
will end up with a reference count of 2 while it should be 1.
Credits to cmb for the analysis. I arrived at the same patch as he did.
Closes GH-12523.
When we have two processes both trying to cache a WSDL, they might start
writing the data to the same temporary file, causing file corruption due
to the race condition. Fix this by creating a temporary file first, and
then moving it to the final location. If moving fails then we know
another process finished caching first.
This also fixes#67617 as a consequence of its implementation.
Closes GH-12469.
When redeclaring an overridden static property with a trait we're removing the
property from the class. However, because the property itself does not belong to
the class we must not free its associated data.
This issue is exposed by 9a250cc9d6 in PHP 8.3+ because duplicate static
properties in traits are no longer skipped, but redeclared.
Fixes GH-12468
This always results in a segfault when trying to instantiate, so this never
worked. At least throw an error instead of segfaulting to prevent developers
from being confused.
Closes GH-12420.
There are two issues:
- UAF because the hashmap resized while being iterated over, yet the local
variables used internally in the macros are not updated.
- The hashmap being iterated over is modified: entries are deleted after
other entries have been added. This causes the deletion to fail sometimes
because indices of buckets have shifted.
Fix it by using a while loop iteration and HashPosition position tracker
instead.
Issue exists on PHP 8.1 too, but is much harder to trigger.
The test file reproduces the issue reliably on PHP 8.2 and up.
Closes GH-12409.
PHP 8.1 introduced a seemingly unintentional BC break in ca94d55a19 by
blocking the (un)serialization of DOM objects.
This was done because the serialization never really worked and just
resulted in an empty object, which upon unserialization just resulted in
an object that you can't use.
Users can however implement their own serialization methods, but the
commit made that impossible as the ACC flag gets passed down to the
child class. An approach was tried in #10307 with a new ACC flag to
selectively allow serialization with subclasses if they implement the
right methods. However, that was found to be too ad hoc.
Instead, let's abuse how the __sleep and __wakeup methods work to throw
the exception instead. If the child class implements the __serialize /
__unserialize method, then the throwing methods won't be called.
Similarly, if the child class implements __sleep and __wakeup, then
they're overridden and it doesn't matter that they throw.
For the user, this PR has the exact same behaviour for (sub)classes that
don't implement the serialization methods: an exception will be thrown.
For code that previously implemented subclasses with these methods, this
approach will make that code work again. This approach should be both BC
preserving and unbreak user's code.
Closes GH-12388.
For the test:
Co-authored-by: wazelin <contact@sergeimikhailov.com>
Currently the PHP Development Server appends a Date header in the
response, despite already set from user code.
Added a check condition before append the header, and a test file.
Closes GH-12363.
After preloading has executed, the executor globals for class_table and
function_table are still referring to the values during preloading.
If no request happens after that then these values will remain dangling
pointers. If then the -v option on CLI or -h option (and possibly
others) on CGI is provided, there is a double free.
Fix it by nulling the pointers explicitly after preloading has finished
to fix it for all SAPIs.
Closes GH-12311.
Many methods in SimpleXML reset the iterator when called. This has the
consequence that mixing these operations with loops can cause infinite
loops, or the loss of iteration data.
Some people may however rely on the resetting behaviour. To prevent
unintended breaks in stable branches, let's only apply the fix to master.
This reverts GH-12193, GH-12229, GG-12247 for stable branches while
keeping them on master, adding a note in UPGRADING as well.
This test triggers narrowing for two ops: first ZEND_ADD_ARRAY_ELEMENT,
and then ZEND_ASSIGN.
The type inference happens in the following order:
1) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080 (packed flag is set),
arr_type=0 at this point because it hasn't been set by ZEND_INIT_ARRAY yet.
2) The ZEND_INIT_ARRAY infers type 0x40804080
3) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080, arr_type=0x40804080,
which does not have the packed flag set while the existing result of
ZEND_ADD_ARRAY_ELEMENT has the packed flag set.
This seems to occur because of the phi node introduced by the while
loop. If I remove the loop the problem goes away.
As Arnaud noted, this seems to be caused by a too wide type inference
for arr_type==0. We should keep the invariant that if x>=y then
key_type(x) >= key_type(y).
If we write the possible results down in a table we get:
```
arr_type resulting key type
--------------- --------------------------------------------------------------------------
HASH_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0 -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
```
As we can see, `HASH_ONLY > 0` but
`MAY_BE_ARRAY_NUMERIC_HASH < MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED`,
which violates the invariant.
Instead if we modify the zero case to have MAY_BE_ARRAY_NUMERIC_HASH instead,
we get the following table which satisfies the invariant.
```
arr_type resulting key type
--------------- --------------------------------------------------------------------------
HASH_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0 -> MAY_BE_ARRAY_NUMERIC_HASH
```
Broke in 1ffbb73.
Closes GH-10294.
The return type is wrong. You can also use this method with SimpleXML.
In fact, PHP provides a way that even third party libraries can hook
into its XML handling. Therefore, we cannot even use the
SimpleXML|DOMDocument|false union type as third party extensions may
extend the possibilities.
Broke in 8.1 in 1b35056a33.
Closes GH-12315.
The xmlDOMWrapReconcileNamespaces method we used to fix the namespace
corruption issues in 8.1.21/8.2.8 caused regressions.
Primarily, there is a similar corruption that the xmlReconciliateNs method
used to have in which a namespace is suddenly shifted
(SAML-Toolkits/php-saml#562) and the side-effect of removing redundant
namespaces causes problems when a specific serialization is required.
Closes GH-12308.
Currently, a common function is used where a function pointer gets
passed to check the character class type. If we instead use a macro, the
macro version of these character class type checkers can be used. While
this gives only a minor speed-up for glibc-based systems, on Alpine this
gives a multi-facor speed-up
This is essentially a manual revert of dc80ea7e38.
Full discussion in GH-11997.
Closes GH-12300.
On some configurations, the COMPILE_DL_MYSQLND must come from config.h.
If it isn't set, the get_module function won't be exposed, resulting in
a failure when trying to load the library.
It's the same issue ext/fileinfo had a while back that was fixed in
b0ba368d5.
Closes GH-12299.
Prior to the 8.1 rewrite, inet_aton was used for ipv4 addresses
therefore addresses like `0` passed.
For the bindto's case where both ip and port are set as such, we discard
the address binding.
Close GH-12195
When we try to load an extension multiple times, we still overwrite the
type, module number, and handle. If the module number is used to
indicate module boundaries (e.g. in reflection and in dom, see e.g.
dom_objects_set_class_ex), then all sorts of error can happen.
In the case of ext/dom, OP's error happens because the following
happens:
- The property handler is set up incorrectly in
dom_objects_set_class_ex() because the wrong module number is
specified. The class highest in the hierarchy is DOMNode, so the
property handler is incorrectly set to that of DOMNode instead of
DOMDocument.
- The documentElement property doesn't exist on DOMNode, it only exists
on DOMDocument, so it tries to read using zend_std_read_property().
As there is no user property called documentElement, that read
operation returns an undef value.
However, the type is still checked, resulting in the strange exception.
Closes GH-12219.
The code in the attached test used to work correctly in PHP 8.0, but not
in 8.1+. This is because PHP 8.1+ uses a more modern version of pcre2
than PHP 8.0, and that pcre2 versions has a regression.
While upgrading pcre2lib seems to be only done for the master branch, it
is possible to backport upstream fixes to stable branches. This has been
already done in the past in for JIT regressions [1], so it is not
unprecedented.
We backport the upstream pcre2 fix [2].
[1] https://github.com/php/php-src/commit/788a701e222
[2] https://github.com/PCRE2Project/pcre2/pull/135
Closes GH-12108.
When declaring the same static property with a doc block in a class and in a trait,
the doc block of the property in the class is leaked. While at it, possibly fix doc
comment for internal classes.
Close GH-12238
