wudi · pull · Sep 9, 2025 · Sep 6, 2025 · Sep 6, 2025 · Sep 9, 2025
diff --git a/NEWS b/NEWS
@@ -2,6 +2,13 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.0RC1
 
+- Core:
+  . Fixed bug GH-19765 (object_properties_load() bypasses readonly property
+    checks). (timwolla)
+
+- URI:
+  . Fixed bug GH-19780 (InvalidUrlException should check $errors argument).
+    (nielsdos)
 
 11 Sep 2025, PHP 8.5.0beta3
 

diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -1769,6 +1769,14 @@ ZEND_API void object_properties_load(zend_object *object, HashTable *properties)
 				property_info &&
 				(property_info->flags & ZEND_ACC_STATIC) == 0) {
 				zval *slot = OBJ_PROP(object, property_info->offset);
+				if (UNEXPECTED((property_info->flags & ZEND_ACC_READONLY) && !Z_ISUNDEF_P(slot))) {
+					if (Z_PROP_FLAG_P(slot) & IS_PROP_REINITABLE) {
+						Z_PROP_FLAG_P(slot) &= ~IS_PROP_REINITABLE;
+					} else {
+						zend_readonly_property_modification_error(property_info);
+						return;
+					}
+				}
 				zval_ptr_dtor(slot);
 				ZVAL_COPY_VALUE(slot, prop);
 				zval_add_ref(slot);

diff --git a/ext/random/tests/03_randomizer/gh_19765_unserialize.phpt b/ext/random/tests/03_randomizer/gh_19765_unserialize.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-19765: object_properties_load() bypasses readonly property checks
+--FILE--
+<?php
+
+use Random\Engine\Mt19937;
+use Random\Engine\PcgOneseq128XslRr64;
+use Random\Randomizer;
+
+try {
+    $r = new Randomizer(new Mt19937());
+    $r->__unserialize([['engine' => new PcgOneseq128XslRr64()]]);
+} catch (Exception $error) {
+    echo $error->getMessage() . "\n";
+}
+var_dump($r->engine::class);
+
+?>
+--EXPECT--
+Invalid serialization data for Random\Randomizer object
+string(21) "Random\Engine\Mt19937"
diff --git a/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt b/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt
@@ -1,5 +1,5 @@
 --TEST--
-Fix GH-9186 @strict-properties can be bypassed using unserialization
+GH-9186: @strict-properties can be bypassed using unserialization
 --FILE--
 <?php
 

diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
@@ -338,7 +338,7 @@ static bool in_domain(const zend_string *host, const zend_string *domain)
 
 int make_http_soap_request(
 	zval *this_ptr, zend_string *buf, zend_string *location, char *soapaction,
-	int soap_version, const zend_string *uri_parser_class, zval *return_value
+	int soap_version, zend_string *uri_parser_class, zval *return_value
 ) {
 	zend_string *request;
 	smart_str soap_headers = {0};

diff --git a/ext/soap/php_http.h b/ext/soap/php_http.h
@@ -21,7 +21,7 @@
 
 int make_http_soap_request(
 	zval *this_ptr, zend_string *buf, zend_string *location, char *soapaction,
-	int soap_version, const zend_string *uri_parser_class, zval *return_value
+	int soap_version, zend_string *uri_parser_class, zval *return_value
 );
 
 int proxy_authentication(zval* this_ptr, smart_str* soap_headers);

diff --git a/ext/uri/php_uri.c b/ext/uri/php_uri.c
@@ -50,11 +50,6 @@ static const zend_module_dep uri_deps[] = {
 
 static zend_array uri_parsers;
 
-static const uri_parser_t *uri_parser_by_name(const char *uri_parser_name, size_t uri_parser_name_len)
-{
-	return zend_hash_str_find_ptr(&uri_parsers, uri_parser_name, uri_parser_name_len);
-}
-
 static HashTable *uri_get_debug_properties(zend_object *object)
 {
 	uri_internal_t *internal_uri = uri_internal_from_obj(object);
@@ -105,13 +100,13 @@ static HashTable *uri_get_debug_properties(zend_object *object)
 	return result;
 }
 
-PHPAPI const uri_parser_t *php_uri_get_parser(const zend_string *uri_parser_name)
+PHPAPI const uri_parser_t *php_uri_get_parser(zend_string *uri_parser_name)
 {
 	if (uri_parser_name == NULL) {
-		return uri_parser_by_name(PHP_URI_PARSER_PHP_PARSE_URL, sizeof(PHP_URI_PARSER_PHP_PARSE_URL) - 1);
+		return zend_hash_str_find_ptr(&uri_parsers, PHP_URI_PARSER_PHP_PARSE_URL, sizeof(PHP_URI_PARSER_PHP_PARSE_URL) - 1);
 	}
 
-	return uri_parser_by_name(ZSTR_VAL(uri_parser_name), ZSTR_LEN(uri_parser_name));
+	return zend_hash_find_ptr(&uri_parsers, uri_parser_name);
 }
 
 ZEND_ATTRIBUTE_NONNULL PHPAPI uri_internal_t *php_uri_parse(const uri_parser_t *uri_parser, const char *uri_str, size_t uri_str_len, bool silent)
@@ -396,6 +391,27 @@ static void create_rfc3986_uri(INTERNAL_FUNCTION_PARAMETERS, bool is_constructor
 	php_uri_instantiate_uri(INTERNAL_FUNCTION_PARAM_PASSTHRU, uri_str, base_url_object, is_constructor, is_constructor, NULL);
 }
 
+static bool is_list_of_whatwg_validation_errors(const HashTable *array)
+{
+	if (!zend_array_is_list(array)) {
+		return false;
+	}
+
+	ZEND_HASH_FOREACH_VAL(array, zval *val) {
+		/* Do not allow references as they may change types after checking. */
+
+		if (Z_TYPE_P(val) != IS_OBJECT) {
+			return false;
+		}
+
+		if (!instanceof_function(Z_OBJCE_P(val), uri_whatwg_url_validation_error_ce)) {
+			return false;
+		}
+	} ZEND_HASH_FOREACH_END();
+
+	return true;
+}
+
 PHP_METHOD(Uri_Rfc3986_Uri, parse)
 {
 	create_rfc3986_uri(INTERNAL_FUNCTION_PARAM_PASSTHRU, false);
@@ -430,6 +446,11 @@ PHP_METHOD(Uri_WhatWg_InvalidUrlException, __construct)
 		ZVAL_EMPTY_ARRAY(&tmp);
 		zend_update_property(uri_whatwg_invalid_url_exception_ce, Z_OBJ_P(ZEND_THIS), ZEND_STRL("errors"), &tmp);
 	} else {
+		if (!is_list_of_whatwg_validation_errors(Z_ARR_P(errors))) {
+			zend_argument_value_error(2, "must be a list of %s", ZSTR_VAL(uri_whatwg_url_validation_error_ce->name));
+			RETURN_THROWS();
+		}
+
 		zend_update_property(uri_whatwg_invalid_url_exception_ce, Z_OBJ_P(ZEND_THIS), ZEND_STRL("errors"), errors);
 	}
 	if (EG(exception)) {

diff --git a/ext/uri/php_uri.h b/ext/uri/php_uri.h
@@ -47,7 +47,7 @@ PHPAPI zend_result php_uri_parser_register(const uri_parser_t *uri_parser);
  * @param uri_parser_name The URI parser name
  * @return The URI parser
  */
-PHPAPI const uri_parser_t *php_uri_get_parser(const zend_string *uri_parser_name);
+PHPAPI const uri_parser_t *php_uri_get_parser(zend_string *uri_parser_name);
 
 ZEND_ATTRIBUTE_NONNULL PHPAPI uri_internal_t *php_uri_parse(const uri_parser_t *uri_parser, const char *uri_str, size_t uri_str_len, bool silent);
 

diff --git a/ext/uri/tests/gh19780.phpt b/ext/uri/tests/gh19780.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-19780 (InvalidUrlException should check $errors argument)
+--EXTENSIONS--
+uri
+--FILE--
+<?php
+
+use Uri\WhatWg\InvalidUrlException;
+use Uri\WhatWg\UrlValidationError;
+use Uri\WhatWg\UrlValidationErrorType;
+
+try {
+    new InvalidUrlException('message', ['foo']);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    new InvalidUrlException('message', [
+        1 => new UrlValidationError('context', UrlValidationErrorType::HostMissing, true)
+    ]);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Uri\WhatWg\InvalidUrlException::__construct(): Argument #2 ($errors) must be a list of Uri\WhatWg\UrlValidationError
+Uri\WhatWg\InvalidUrlException::__construct(): Argument #2 ($errors) must be a list of Uri\WhatWg\UrlValidationError
diff --git a/ext/uri/uri_parser_rfc3986.c b/ext/uri/uri_parser_rfc3986.c
@@ -130,12 +130,17 @@ static zend_result php_uri_parser_rfc3986_scheme_write(struct uri_internal_t *in
 		result = uriSetSchemeMmA(uriparser_uri, Z_STRVAL_P(value), Z_STRVAL_P(value) + Z_STRLEN_P(value), mm);
 	}
 
-	if (result != URI_SUCCESS) {
-		zend_throw_exception(uri_invalid_uri_exception_ce, "The specified scheme is malformed", 0);
-		return FAILURE;
+	switch (result) {
+		case URI_SUCCESS:
+			return SUCCESS;
+		case URI_ERROR_SYNTAX:
+			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified scheme is malformed", 0);
+			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the scheme", 0);
+			return FAILURE;
 	}
-
-	return SUCCESS;
 }
 
 ZEND_ATTRIBUTE_NONNULL zend_result php_uri_parser_rfc3986_userinfo_read(const uri_internal_t *internal_uri, uri_component_read_mode_t read_mode, zval *retval)
@@ -168,9 +173,13 @@ zend_result php_uri_parser_rfc3986_userinfo_write(struct uri_internal_t *interna
 		case URI_ERROR_SETUSERINFO_HOST_NOT_SET:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "Cannot set a userinfo without having a host", 0);
 			return FAILURE;
-		default:
+		case URI_ERROR_SYNTAX:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified userinfo is malformed", 0);
 			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the userinfo", 0);
+			return FAILURE;
 	}
 }
 
@@ -259,9 +268,13 @@ static zend_result php_uri_parser_rfc3986_host_write(struct uri_internal_t *inte
 		case URI_ERROR_SETHOST_USERINFO_SET:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "Cannot remove the host from a URI that has a userinfo", 0);
 			return FAILURE;
-		default:
+		case URI_ERROR_SYNTAX:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified host is malformed", 0);
 			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the host", 0);
+			return FAILURE;
 	}
 }
 
@@ -315,9 +328,13 @@ static zend_result php_uri_parser_rfc3986_port_write(struct uri_internal_t *inte
 		case URI_ERROR_SETPORT_HOST_NOT_SET:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "Cannot set a port without having a host", 0);
 			return FAILURE;
-		default:
+		case URI_ERROR_SYNTAX:
 			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified port is malformed", 0);
 			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the port", 0);
+			return FAILURE;
 	}
 }
 
@@ -360,12 +377,17 @@ static zend_result php_uri_parser_rfc3986_path_write(struct uri_internal_t *inte
 		result = uriSetPathMmA(uriparser_uri, Z_STRVAL_P(value), Z_STRVAL_P(value) + Z_STRLEN_P(value), mm);
 	}
 
-	if (result != URI_SUCCESS) {
-		zend_throw_exception(uri_invalid_uri_exception_ce, "The specified path is malformed", 0);
-		return FAILURE;
+	switch (result) {
+		case URI_SUCCESS:
+			return SUCCESS;
+		case URI_ERROR_SYNTAX:
+			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified path is malformed", 0);
+			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the path", 0);
+			return FAILURE;
 	}
-
-	return SUCCESS;
 }
 
 ZEND_ATTRIBUTE_NONNULL static zend_result php_uri_parser_rfc3986_query_read(const uri_internal_t *internal_uri, uri_component_read_mode_t read_mode, zval *retval)
@@ -392,12 +414,17 @@ static zend_result php_uri_parser_rfc3986_query_write(struct uri_internal_t *int
 		result = uriSetQueryMmA(uriparser_uri, Z_STRVAL_P(value), Z_STRVAL_P(value) + Z_STRLEN_P(value), mm);
 	}
 
-	if (result != URI_SUCCESS) {
-		zend_throw_exception(uri_invalid_uri_exception_ce, "The specified query is malformed", 0);
-		return FAILURE;
+	switch (result) {
+		case URI_SUCCESS:
+			return SUCCESS;
+		case URI_ERROR_SYNTAX:
+			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified query is malformed", 0);
+			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the query", 0);
+			return FAILURE;
 	}
-
-	return SUCCESS;
 }
 
 ZEND_ATTRIBUTE_NONNULL static zend_result php_uri_parser_rfc3986_fragment_read(const uri_internal_t *internal_uri, uri_component_read_mode_t read_mode, zval *retval)
@@ -424,12 +451,17 @@ static zend_result php_uri_parser_rfc3986_fragment_write(struct uri_internal_t *
 		result = uriSetFragmentMmA(uriparser_uri, Z_STRVAL_P(value), Z_STRVAL_P(value) + Z_STRLEN_P(value), mm);
 	}
 
-	if (result != URI_SUCCESS) {
-		zend_throw_exception(uri_invalid_uri_exception_ce, "The specified fragment is malformed", 0);
-		return FAILURE;
+	switch (result) {
+		case URI_SUCCESS:
+			return SUCCESS;
+		case URI_ERROR_SYNTAX:
+			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified fragment is malformed", 0);
+			return FAILURE;
+		default:
+			/* This should be unreachable in practice. */
+			zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to update the fragment", 0);
+			return FAILURE;
 	}
-
-	return SUCCESS;
 }
 
 static php_uri_parser_rfc3986_uris *uriparser_create_uris(void)
@@ -445,9 +477,18 @@ php_uri_parser_rfc3986_uris *php_uri_parser_rfc3986_parse_ex(const char *uri_str
 	UriUriA uri = {0};
 
 	/* Parse the URI. */
-	if (uriParseSingleUriExMmA(&uri, uri_str, uri_str + uri_str_len, NULL, mm) != URI_SUCCESS) {
+	int result = uriParseSingleUriExMmA(&uri, uri_str, uri_str + uri_str_len, NULL, mm);
+	if (result != URI_SUCCESS) {
 		if (!silent) {
-			zend_throw_exception(uri_invalid_uri_exception_ce, "The specified URI is malformed", 0);
+			switch (result) {
+				case URI_ERROR_SYNTAX:
+					zend_throw_exception(uri_invalid_uri_exception_ce, "The specified URI is malformed", 0);
+					break;
+				default:
+					/* This should be unreachable in practice. */
+					zend_throw_exception(uri_invalid_uri_exception_ce, "Failed to parse the specified URI", 0);
+					break;
+			}
 		}
 
 		goto fail;

diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c
@@ -635,8 +635,8 @@ static inline int isPipe( int fd )
 {
     char        achPeer[128];
     socklen_t   len = 128;
-    if ((getpeername(fd, (struct sockaddr *)achPeer, &len) != 0 )
-        && (errno == ENOTCONN || errno == ENOTSOCK))
+    if (( getpeername( fd, (struct sockaddr *)achPeer, &len ) != 0 )&&
+        ( errno == ENOTCONN ))
         return 0;
     else
         return 1;