Skip to content

Commit 4af1830

Browse files
bukkabukka
committed
Merge branch 'PHP-8.1' into PHP-8.2
2 parents b547130 + 74d548b commit 4af1830

23 files changed

+1265
-207
lines changed

NEWS

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,21 @@ PHP NEWS
66
. Fixed bug GH-17211 (observer segfault on function loaded with dl()).
77
(Arnaud)
88

9+
- LibXML:
10+
. Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714). (nielsdos)
11+
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header
12+
when requesting a redirected resource). (CVE-2025-1219) (timwolla)
13+
14+
- Streams:
15+
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit
16+
basic auth header). (CVE-2025-1736) (Jakub Zelenka)
17+
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location
18+
to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
19+
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers
20+
without colon). (CVE-2025-1734) (Jakub Zelenka)
21+
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not
22+
handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
23+
924
- Windows:
1025
. Fixed phpize for Windows 11 (24H2). (bwoebi)
1126

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_001.phpt

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
--TEST--
2+
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Basic)
3+
--EXTENSIONS--
4+
dom
5+
--SKIPIF--
6+
<?php
7+
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
8+
http_server_skipif();
9+
?>
10+
--FILE--
11+
<?php
12+
require "./ext/standard/tests/http/server.inc";
13+
14+
function genResponses($server) {
15+
$uri = 'http://' . stream_socket_get_name($server, false);
16+
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
17+
$xml = <<<'EOT'
18+
<!doctype html>
19+
<html>
20+
<head>
21+
<title>GHSA-p3x9-6h7p-cgfc</title>
22+
23+
<meta charset="utf-8" />
24+
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
25+
</head>
26+
27+
<body>
28+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
29+
</body>
30+
</html>
31+
EOT;
32+
// Intentionally using non-standard casing for content-type to verify it is matched not case sensitively.
33+
yield "data://text/plain,HTTP/1.1 200 OK\r\nconteNt-tyPe: text/html; charset=utf-8\r\n\r\n{$xml}";
34+
}
35+
36+
['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
37+
$document = new \DOMDocument();
38+
$document->loadHTMLFile($uri);
39+
40+
$h1 = $document->getElementsByTagName('h1');
41+
var_dump($h1->length);
42+
var_dump($document->saveHTML());
43+
http_server_kill($pid);
44+
?>
45+
--EXPECT--
46+
int(1)
47+
string(266) "<!DOCTYPE html>
48+
<html>
49+
<head>
50+
<title>GHSA-p3x9-6h7p-cgfc</title>
51+
52+
<meta charset="utf-8">
53+
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
54+
</head>
55+
56+
<body>
57+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
58+
</body>
59+
</html>
60+
"

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_002.phpt

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
--TEST--
2+
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Missing content-type)
3+
--EXTENSIONS--
4+
dom
5+
--SKIPIF--
6+
<?php
7+
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
8+
http_server_skipif();
9+
?>
10+
--FILE--
11+
<?php
12+
require "./ext/standard/tests/http/server.inc";
13+
14+
function genResponses($server) {
15+
$uri = 'http://' . stream_socket_get_name($server, false);
16+
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
17+
$xml = <<<'EOT'
18+
<!doctype html>
19+
<html>
20+
<head>
21+
<title>GHSA-p3x9-6h7p-cgfc</title>
22+
23+
<meta charset="utf-8" />
24+
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
25+
</head>
26+
27+
<body>
28+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
29+
</body>
30+
</html>
31+
EOT;
32+
// Missing content-type in actual response.
33+
yield "data://text/plain,HTTP/1.1 200 OK\r\n\r\n{$xml}";
34+
}
35+
36+
['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
37+
$document = new \DOMDocument();
38+
$document->loadHTMLFile($uri);
39+
40+
$h1 = $document->getElementsByTagName('h1');
41+
var_dump($h1->length);
42+
var_dump($document->saveHTML());
43+
http_server_kill($pid);
44+
?>
45+
--EXPECT--
46+
int(1)
47+
string(266) "<!DOCTYPE html>
48+
<html>
49+
<head>
50+
<title>GHSA-p3x9-6h7p-cgfc</title>
51+
52+
<meta charset="utf-8">
53+
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
54+
</head>
55+
56+
<body>
57+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
58+
</body>
59+
</html>
60+
"

ext/dom/tests/ghsa-p3x9-6h7p-cgfc_003.phpt

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
--TEST--
2+
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Reason with colon)
3+
--EXTENSIONS--
4+
dom
5+
--SKIPIF--
6+
<?php
7+
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
8+
http_server_skipif();
9+
?>
10+
--FILE--
11+
<?php
12+
require "./ext/standard/tests/http/server.inc";
13+
14+
function genResponses($server) {
15+
$uri = 'http://' . stream_socket_get_name($server, false);
16+
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
17+
$xml = <<<'EOT'
18+
<!doctype html>
19+
<html>
20+
<head>
21+
<title>GHSA-p3x9-6h7p-cgfc</title>
22+
23+
<meta charset="utf-8" />
24+
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
25+
</head>
26+
27+
<body>
28+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
29+
</body>
30+
</html>
31+
EOT;
32+
// Missing content-type in actual response.
33+
yield "data://text/plain,HTTP/1.1 200 OK: This is fine\r\n\r\n{$xml}";
34+
}
35+
36+
['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
37+
$document = new \DOMDocument();
38+
$document->loadHTMLFile($uri);
39+
40+
$h1 = $document->getElementsByTagName('h1');
41+
var_dump($h1->length);
42+
var_dump($document->saveHTML());
43+
http_server_kill($pid);
44+
?>
45+
--EXPECT--
46+
int(1)
47+
string(266) "<!DOCTYPE html>
48+
<html>
49+
<head>
50+
<title>GHSA-p3x9-6h7p-cgfc</title>
51+
52+
<meta charset="utf-8">
53+
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
54+
</head>
55+
56+
<body>
57+
<h1>GHSA-p3x9-6h7p-cgfc</h1>
58+
</body>
59+
</html>
60+
"

ext/libxml/libxml.c

Lines changed: 43 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -364,41 +364,52 @@ php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
364364
if (Z_TYPE(s->wrapperdata) == IS_ARRAY) {
365365
zval *header;
366366

367-
ZEND_HASH_FOREACH_VAL_IND(Z_ARRVAL(s->wrapperdata), header) {
367+
/* Scan backwards: The header array might contain the headers for multiple responses, if
368+
* a redirect was followed.
369+
*/
370+
ZEND_HASH_REVERSE_FOREACH_VAL_IND(Z_ARRVAL(s->wrapperdata), header) {
368371
const char buf[] = "Content-Type:";
369-
if (Z_TYPE_P(header) == IS_STRING &&
370-
!zend_binary_strncasecmp(Z_STRVAL_P(header), Z_STRLEN_P(header), buf, sizeof(buf)-1, sizeof(buf)-1)) {
371-
char needle[] = "charset=";
372-
char *haystack = estrndup(Z_STRVAL_P(header), Z_STRLEN_P(header));
373-
char *encoding = php_stristr(haystack, needle, Z_STRLEN_P(header), strlen(needle));
374-
375-
if (encoding) {
376-
char *end;
377-
378-
encoding += sizeof("charset=")-1;
379-
if (*encoding == '"') {
380-
encoding++;
381-
}
382-
end = strchr(encoding, ';');
383-
if (end == NULL) {
384-
end = encoding + strlen(encoding);
385-
}
386-
end--; /* end == encoding-1 isn't a buffer underrun */
387-
while (*end == ' ' || *end == '\t') {
388-
end--;
389-
}
390-
if (*end == '"') {
391-
end--;
392-
}
393-
if (encoding >= end) continue;
394-
*(end+1) = '\0';
395-
enc = xmlParseCharEncoding(encoding);
396-
if (enc <= XML_CHAR_ENCODING_NONE) {
397-
enc = XML_CHAR_ENCODING_NONE;
372+
if (Z_TYPE_P(header) == IS_STRING) {
373+
/* If no colon is found in the header, we assume it's the HTTP status line and bail out. */
374+
char *colon = memchr(Z_STRVAL_P(header), ':', Z_STRLEN_P(header));
375+
char *space = memchr(Z_STRVAL_P(header), ' ', Z_STRLEN_P(header));
376+
if (colon == NULL || space < colon) {
377+
break;
378+
}
379+
380+
if (!zend_binary_strncasecmp(Z_STRVAL_P(header), Z_STRLEN_P(header), buf, sizeof(buf)-1, sizeof(buf)-1)) {
381+
char needle[] = "charset=";
382+
char *haystack = estrndup(Z_STRVAL_P(header), Z_STRLEN_P(header));
383+
char *encoding = php_stristr(haystack, needle, Z_STRLEN_P(header), sizeof("charset=")-1);
384+
385+
if (encoding) {
386+
char *end;
387+
388+
encoding += sizeof("charset=")-1;
389+
if (*encoding == '"') {
390+
encoding++;
391+
}
392+
end = strchr(encoding, ';');
393+
if (end == NULL) {
394+
end = encoding + strlen(encoding);
395+
}
396+
end--; /* end == encoding-1 isn't a buffer underrun */
397+
while (*end == ' ' || *end == '\t') {
398+
end--;
399+
}
400+
if (*end == '"') {
401+
end--;
402+
}
403+
if (encoding >= end) continue;
404+
*(end+1) = '\0';
405+
enc = xmlParseCharEncoding(encoding);
406+
if (enc <= XML_CHAR_ENCODING_NONE) {
407+
enc = XML_CHAR_ENCODING_NONE;
408+
}
398409
}
410+
efree(haystack);
411+
break; /* found content-type */
399412
}
400-
efree(haystack);
401-
break; /* found content-type */
402413
}
403414
} ZEND_HASH_FOREACH_END();
404415
}

0 commit comments

Comments
 (0)