Merge remote-tracking branch 'php/master'

Author: danog

Zend/tests/gh16799.phpt

@@ -0,0 +1,21 @@
+--TEST--
+GH-16799 (Assertion failure at Zend/zend_vm_execute.h)
+--FILE--
+<?php
+set_error_handler(function($_, $m) { throw new Exception($m); });
+class Test {
+    static function test() {
+        call_user_func("static::ok");
+    }
+    static function ok() {
+    }
+}
+Test::test();
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Use of "static" in callables is deprecated in %s:%d
+Stack trace:
+#0 %s(%d): {closure:%s:%d}(8192, 'Use of "static"...', %s, %d)
+#1 %s(%d): Test::test()
+#2 {main}
+  thrown in %s on line %d

Zend/zend_vm_def.h

@@ -3918,6 +3918,16 @@ ZEND_VM_HANDLER(118, ZEND_INIT_USER_CALL, CONST, CONST|TMPVAR|CV, NUM)
 	function_name = GET_OP2_ZVAL_PTR(BP_VAR_R);
 	if (zend_is_callable_ex(function_name, NULL, 0, NULL, &fcc, &error)) {
 		ZEND_ASSERT(!error);
+
+		/* Deprecation can be emitted from zend_is_callable_ex(), which can
+		 * invoke a user error handler and throw an exception.
+		 * For the CONST and CV case we reuse the same exception block below
+		 * to make sure we don't increase VM size too much. */
+		if (!(OP2_TYPE & (IS_TMP_VAR|IS_VAR)) && UNEXPECTED(EG(exception))) {
+			FREE_OP2();
+			HANDLE_EXCEPTION();
+		}
+
 		func = fcc.function_handler;
 		object_or_called_scope = fcc.called_scope;
 		if (func->common.fn_flags & ZEND_ACC_CLOSURE) {

Zend/zend_vm_execute.h

@@ -1936,7 +1936,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 			zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
 #if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
 			if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
-				(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
+				(PG(open_basedir) && *PG(open_basedir))
+					&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
+					 || php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
+					zend_tmp_string_release(tmp_str);
 					php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
 					return FAILURE;
 			}

ext/curl/interface.c

@@ -0,0 +1,31 @@
+--TEST--
+GH-16802 (open_basedir bypass using curl extension)
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x075500) {
+    die("skip: blob options not supported for curl < 7.85.0");
+}
+?>
+--INI--
+open_basedir=/nowhere
+--FILE--
+<?php
+$ch = curl_init("file:///etc/passwd");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
+var_dump(curl_exec($ch));
+?>
+--EXPECTF--
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+bool(false)

ext/curl/tests/gh16802.phpt

@@ -24,10 +24,10 @@ foreach ($tzs as $tz => $regions) {
   }
 }
 ?>
---EXPECT--
+--EXPECTF--
 ** Gnomeregan
 bool(false)
-Error: unknown windows timezone: U_ILLEGAL_ARGUMENT_ERROR
+Error: %snknown windows timezone: U_ILLEGAL_ARGUMENT_ERROR
 ** India Standard Time
 string(13) "Asia/Calcutta"
 ** Pacific Standard Time

ext/intl/tests/timezone_IDforWindowsID_basic_icu76_1.phpt

@@ -4,10 +4,9 @@ ARG_WITH("libxml", "LibXML support", "yes");
 
 if (PHP_LIBXML == "yes") {
 	if (CHECK_LIB("libxml2_a_dll.lib;libxml2_a.lib", "libxml") &&
-			CHECK_LIB("libiconv_a.lib;iconv_a.lib;libiconv.lib;iconv.lib", "libxml") &&
+			((PHP_ICONV != "no" && !PHP_ICONV_SHARED) || CHECK_LIB("libiconv_a.lib;iconv_a.lib;libiconv.lib;iconv.lib", "libxml")) &&
 			CHECK_HEADER_ADD_INCLUDE("libxml/parser.h", "CFLAGS_LIBXML", PHP_PHP_BUILD + "\\include\\libxml2") &&
-			CHECK_HEADER_ADD_INCLUDE("libxml/tree.h", "CFLAGS_LIBXML", PHP_PHP_BUILD + "\\include\\libxml2") &&
-			ADD_EXTENSION_DEP('libxml', 'iconv')) {
+			CHECK_HEADER_ADD_INCLUDE("libxml/tree.h", "CFLAGS_LIBXML", PHP_PHP_BUILD + "\\include\\libxml2")) {
 
 		if (GREP_HEADER("libxml/xmlversion.h", "#define\\s+LIBXML_VERSION\\s+(\\d+)", PHP_PHP_BUILD + "\\include\\libxml2") &&
 				+RegExp.$1 >= 20904) {

ext/libxml/config.w32

@@ -181,7 +181,7 @@ PHP_FUNCTION(readline_info)
 		add_assoc_long(return_value,"attempted_completion_over",rl_attempted_completion_over);
 	} else {
 		if (zend_string_equals_literal_ci(what,"line_buffer")) {
-			oldstr = rl_line_buffer;
+			oldstr = strdup(rl_line_buffer ? rl_line_buffer : "");
 			if (value) {
 				if (!try_convert_to_string(value)) {
 					RETURN_THROWS();
@@ -191,7 +191,8 @@ PHP_FUNCTION(readline_info)
 					rl_line_buffer = malloc(Z_STRLEN_P(value) + 1);
 				} else if (strlen(oldstr) < Z_STRLEN_P(value)) {
 					rl_extend_line_buffer(Z_STRLEN_P(value) + 1);
-					oldstr = rl_line_buffer;
+					free(oldstr);
+					oldstr = strdup(rl_line_buffer ? rl_line_buffer : "");
 				}
 				memcpy(rl_line_buffer, Z_STRVAL_P(value), Z_STRLEN_P(value) + 1);
 #else
@@ -208,6 +209,7 @@ PHP_FUNCTION(readline_info)
 #endif
 			}
 			RETVAL_STRING(SAFE_STRING(oldstr));
+			free(oldstr);
 		} else if (zend_string_equals_literal_ci(what, "point")) {
 			RETVAL_LONG(rl_point);
 #ifndef PHP_WIN32

ext/readline/readline.c

@@ -0,0 +1,15 @@
+--TEST--
+GH-16812 readline_info(): UAF
+--EXTENSIONS--
+readline
+--SKIPIF--
+<?php
+if (getenv('SKIP_REPEAT')) die("skip readline has global state");
+?>
+--FILE--
+<?php
+readline_write_history(NULL);
+var_dump(readline_info('line_buffer', 'test'));
+?>
+--EXPECT--
+string(0) ""