Merge branch 'PHP-8.3' into PHP-8.4

Author: bukka

NEWS

@@ -68,6 +68,8 @@ PHP                                                                        NEWS
     (DanielEScherzer)
   . Fixed bug GH-17866 (zend_mm_heap corrupted error after upgrading from
     8.4.3 to 8.4.4). (nielsdos)
+  . Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown
+    causes Use-After-Free). (CVE-2024-11235) (ilutov)
 
 - DOM:
   . Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of
@@ -94,6 +96,11 @@ PHP                                                                        NEWS
   . Fixed bug GH-17704 (ldap_search fails when $attributes contains a
     non-packed array with numerical keys). (nielsdos, 7u83)
 
+- LibXML:
+  . Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714). (nielsdos)
+  . Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header
+    when requesting a redirected resource). (CVE-2025-1219) (timwolla)
+
 - MBString:
   . Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
     (cmb)
@@ -135,9 +142,17 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
   . Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
+  . Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit
+    basic auth header). (CVE-2025-1736) (Jakub Zelenka)
+  . Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location
+    to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
+  . Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers
+    without colon). (CVE-2025-1734) (Jakub Zelenka)
+  . Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not
+    handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
 
 - Windows:
-  . Fixed phpize for Windows 11 (24H2). (Bob)
+  . Fixed phpize for Windows 11 (24H2). (bwoebi)
   . Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
     (cmb)
 

Zend/tests/ghsa-rwp7-7vc6-8477_001.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
+--FILE--
+<?php
+
+class Foo {
+    public function foo() {
+        return $this;
+    }
+
+    public function __set($name, $value) {
+        throw new Exception('Hello');
+    }
+}
+
+$foo = new Foo();
+
+try {
+    $foo->foo()->baz ??= 1;
+} catch (Exception $e) {
+    echo $e->getMessage();
+}
+
+?>
+--EXPECT--
+Hello

Zend/tests/ghsa-rwp7-7vc6-8477_002.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
+--FILE--
+<?php
+
+class Foo {
+    public int $prop;
+
+    public function foo() {
+        return $this;
+    }
+}
+
+$foo = new Foo();
+
+try {
+    $foo->foo()->prop ??= 'foo';
+} catch (Error $e) {
+    echo $e->getMessage();
+}
+
+?>
+--EXPECT--
+Cannot assign string to property Foo::$prop of type int

Zend/tests/ghsa-rwp7-7vc6-8477_003.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
+--FILE--
+<?php
+
+class Foo {
+    public int $prop;
+}
+
+function newFoo() {
+    return new Foo();
+}
+
+try {
+    newFoo()->prop ??= 'foo';
+} catch (Error $e) {
+    echo $e->getMessage();
+}
+
+?>
+--EXPECT--
+Cannot assign string to property Foo::$prop of type int

Zend/zend_opcode.c

@@ -940,6 +940,14 @@ static void zend_calc_live_ranges(
 		opnum--;
 		opline--;
 
+		/* SEPARATE always redeclares its op1. For the purposes of live-ranges,
+		 * its declaration is irrelevant. Don't terminate the current live-range
+		 * to avoid breaking special handling of COPY_TMP. */
+		if (opline->opcode == ZEND_SEPARATE) {
+			ZEND_ASSERT(opline->op1.var == opline->result.var);
+			continue;
+		}
+
 		if ((opline->result_type & (IS_TMP_VAR|IS_VAR)) && !is_fake_def(opline)) {
 			uint32_t var_num = EX_VAR_TO_NUM(opline->result.var) - var_offset;
 			/* Defs without uses can occur for two reasons: Either because the result is

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_001.phpt

@@ -0,0 +1,60 @@
+--TEST--
+GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Basic)
+--EXTENSIONS--
+dom
+--SKIPIF--
+<?php
+if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
+http_server_skipif();
+?>
+--FILE--
+<?php
+require "./ext/standard/tests/http/server.inc";
+
+function genResponses($server) {
+    $uri = 'http://' . stream_socket_get_name($server, false);
+    yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
+    $xml = <<<'EOT'
+        <!doctype html>
+        <html>
+            <head>
+                <title>GHSA-p3x9-6h7p-cgfc</title>
+
+                <meta charset="utf-8" />
+                <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+            </head>
+
+            <body>
+                <h1>GHSA-p3x9-6h7p-cgfc</h1>
+            </body>
+        </html>
+        EOT;
+    // Intentionally using non-standard casing for content-type to verify it is matched not case sensitively.
+    yield "data://text/plain,HTTP/1.1 200 OK\r\nconteNt-tyPe: text/html; charset=utf-8\r\n\r\n{$xml}";
+}
+
+['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
+$document = new \DOMDocument();
+$document->loadHTMLFile($uri);
+
+$h1 = $document->getElementsByTagName('h1');
+var_dump($h1->length);
+var_dump($document->saveHTML());
+http_server_kill($pid);
+?>
+--EXPECT--
+int(1)
+string(266) "<!DOCTYPE html>
+<html>
+    <head>
+        <title>GHSA-p3x9-6h7p-cgfc</title>
+
+        <meta charset="utf-8">
+        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+    </head>
+
+    <body>
+        <h1>GHSA-p3x9-6h7p-cgfc</h1>
+    </body>
+</html>
+"

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_002.phpt

@@ -0,0 +1,60 @@
+--TEST--
+GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Missing content-type)
+--EXTENSIONS--
+dom
+--SKIPIF--
+<?php
+if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
+http_server_skipif();
+?>
+--FILE--
+<?php
+require "./ext/standard/tests/http/server.inc";
+
+function genResponses($server) {
+    $uri = 'http://' . stream_socket_get_name($server, false);
+    yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
+    $xml = <<<'EOT'
+        <!doctype html>
+        <html>
+            <head>
+                <title>GHSA-p3x9-6h7p-cgfc</title>
+
+                <meta charset="utf-8" />
+                <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+            </head>
+
+            <body>
+                <h1>GHSA-p3x9-6h7p-cgfc</h1>
+            </body>
+        </html>
+        EOT;
+    // Missing content-type in actual response.
+    yield "data://text/plain,HTTP/1.1 200 OK\r\n\r\n{$xml}";
+}
+
+['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
+$document = new \DOMDocument();
+$document->loadHTMLFile($uri);
+
+$h1 = $document->getElementsByTagName('h1');
+var_dump($h1->length);
+var_dump($document->saveHTML());
+http_server_kill($pid);
+?>
+--EXPECT--
+int(1)
+string(266) "<!DOCTYPE html>
+<html>
+    <head>
+        <title>GHSA-p3x9-6h7p-cgfc</title>
+
+        <meta charset="utf-8">
+        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+    </head>
+
+    <body>
+        <h1>GHSA-p3x9-6h7p-cgfc</h1>
+    </body>
+</html>
+"

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_003.phpt

@@ -0,0 +1,60 @@
+--TEST--
+GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Reason with colon)
+--EXTENSIONS--
+dom
+--SKIPIF--
+<?php
+if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
+http_server_skipif();
+?>
+--FILE--
+<?php
+require "./ext/standard/tests/http/server.inc";
+
+function genResponses($server) {
+    $uri = 'http://' . stream_socket_get_name($server, false);
+    yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
+    $xml = <<<'EOT'
+        <!doctype html>
+        <html>
+            <head>
+                <title>GHSA-p3x9-6h7p-cgfc</title>
+
+                <meta charset="utf-8" />
+                <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+            </head>
+
+            <body>
+                <h1>GHSA-p3x9-6h7p-cgfc</h1>
+            </body>
+        </html>
+        EOT;
+    // Missing content-type in actual response.
+    yield "data://text/plain,HTTP/1.1 200 OK: This is fine\r\n\r\n{$xml}";
+}
+
+['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
+$document = new \DOMDocument();
+$document->loadHTMLFile($uri);
+
+$h1 = $document->getElementsByTagName('h1');
+var_dump($h1->length);
+var_dump($document->saveHTML());
+http_server_kill($pid);
+?>
+--EXPECT--
+int(1)
+string(266) "<!DOCTYPE html>
+<html>
+    <head>
+        <title>GHSA-p3x9-6h7p-cgfc</title>
+
+        <meta charset="utf-8">
+        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+    </head>
+
+    <body>
+        <h1>GHSA-p3x9-6h7p-cgfc</h1>
+    </body>
+</html>
+"