Skip to content

[pull] master from php:master #849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Jul 1, 2025
Merged

[pull] master from php:master #849

merged 25 commits into from
Jul 1, 2025

Conversation

@pull
Copy link

@pull pull bot commented Jul 1, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.2)

Can you help keep this open source service alive? 💖 Please sponsor : )

bukka and others added 25 commits July 1, 2025 23:01
@bukka @SakiTakamachi
Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
5ef0dc7 
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
@bukka @SakiTakamachi
Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
66bd809 
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
@Lekssays @ndossche @SakiTakamachi
Fix GHSA-453j-q27h-5p8x
a179e39 
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <[email protected]>
@iluuu1994
Fix missing HAVE_JIT guard
c57ec92 
Closes GH-18993
@iluuu1994
Merge branch 'PHP-8.4'
49d94cc 
* PHP-8.4:
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
@iluuu1994
Merge branch 'PHP-8.4'
927aeca 
* PHP-8.4:
  Fix missing HAVE_JIT guard
@bukka @ericmann
Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
cf0c397 
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
@bukka @ericmann
Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
545d153 
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
@Lekssays @ndossche @ericmann
Fix GHSA-453j-q27h-5p8x
dd06065 
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <[email protected]>
@bukka @ericmann
Update NEWS with entries for security fixes
fc49d33
@ericmann
Merge branch 'PHP-8.3' into PHP-8.4
7f5d491 
* PHP-8.3:
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
@ericmann
Merge branch 'PHP-8.4'
50e1b23 
* PHP-8.4:
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
@bukka @saundefined
Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
27e67cc 
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
@bukka @saundefined
Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
a2cdff5 
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
@Lekssays @ndossche @saundefined
Fix GHSA-453j-q27h-5p8x
0298837 
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <[email protected]>
@bukka @saundefined
Update NEWS with entries for security fixes
165e516
@saundefined
PHP-8.2 is now for PHP 8.2.30-dev
3d8cc22
@ndossche
Fix OSS-Fuzz #427814456
9174984 
The first warning may trigger an error handler, destroying the operand
and its string. So we need to protect the string in that case.
Care was taken to avoid unnecessary refcounts and to avoid touching the
hot code path.

Closes GH-18951.
@ndossche
Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined beh…
1d5089e 
…avior with null byte

Closes GH-18983.
@ndossche
Merge branch 'PHP-8.4'
30662e4 
* PHP-8.4:
  Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte
@ndossche
Merge branch 'PHP-8.3' into PHP-8.4
5d590a1 
* PHP-8.3:
  Fix OSS-Fuzz #427814456
@ndossche
Merge branch 'PHP-8.4'
d706dc1 
* PHP-8.4:
  Fix OSS-Fuzz #427814456
@saundefined
Merge branch 'PHP-8.2' into PHP-8.3
b576ad4 
* PHP-8.2:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames

# Conflicts:
#	Zend/zend.h
#	configure.ac
#	ext/pgsql/pgsql.c
#	main/php_version.h
@saundefined
Merge branch 'PHP-8.3' into PHP-8.4
7a3c0d3 
* PHP-8.3:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
@saundefined
Merge branch 'PHP-8.4'
f71271d 
* PHP-8.4:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
@pull pull bot locked and limited conversation to collaborators Jul 1, 2025
@pull pull bot added the ⤵️ pull label Jul 1, 2025
@pull pull bot merged commit f71271d into wudi:master Jul 1, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bukka @Lekssays @iluuu1994 @ericmann @saundefined @ndossche