Fix #79971: special character is breaking the path in xml function

The libxml based XML functions accepting a filename actually accept URIs with possibly percent-encoded characters. Percent-encoded NUL bytes lead to truncation, like non-encoded NUL bytes would. We catch those, and let the functions fail with a respective warning.
2025-08-15 21:48:51 +02:00 · 2020-09-01 10:04:28 +02:00 · 2020-09-01 10:04:28 +02:00 · f15f8fc573
commit f15f8fc573
parent 88f99c9c1d
5 changed files with 63 additions and 0 deletions
--- a/ext/dom/domimplementation.c
+++ b/ext/dom/domimplementation.c
@ -112,6 +112,11 @@ PHP_METHOD(domimplementation, createDocumentType)
 		pch2 = (xmlChar *) systemid;
 	}

+	if (strstr(name, "%00")) {
+		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+		RETURN_FALSE;
+	}
+
 	uri = xmlParseURI(name);
 	if (uri != NULL && uri->opaque != NULL) {
 		localname = xmlStrdup((xmlChar *) uri->opaque);
--- a/ext/dom/tests/bug79971_2.phpt
+++ b/ext/dom/tests/bug79971_2.phpt
@ -0,0 +1,20 @@
+--TEST--
+Bug #79971 (special character is breaking the path in xml function)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$imp = new DOMImplementation;
+if (PHP_OS_FAMILY === 'Windows') {
+    $path = '/' . str_replace('\\', '/', __DIR__);
+} else {
+    $path = __DIR__;
+}
+$uri = "file://$path/bug79971_2.xml";
+var_dump($imp->createDocumentType("$uri%00foo"));
+?>
+--EXPECTF--
+Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
+bool(false)
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@ -306,6 +306,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char
 	int isescaped=0;
 	xmlURI *uri;

+	if (strstr(filename, "%00")) {
+		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+		return NULL;
+	}

 	uri = xmlParseURI(filename);
 	if (uri && (uri->scheme == NULL ||
@ -437,6 +441,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	if (URI == NULL)
 		return(NULL);

+	if (strstr(URI, "%00")) {
+		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+		return NULL;
+	}
+
 	puri = xmlParseURI(URI);
 	if (puri != NULL) {
 		if (puri->scheme != NULL)
--- a/ext/simplexml/tests/bug79971_1.phpt
+++ b/ext/simplexml/tests/bug79971_1.phpt
@ -0,0 +1,27 @@
+--TEST--
+Bug #79971 (special character is breaking the path in xml function)
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+if (PHP_OS_FAMILY === 'Windows') {
+    $path = '/' . str_replace('\\', '/', __DIR__);
+} else {
+    $path = __DIR__;
+}
+$uri = "file://$path/bug79971_1.xml";
+var_dump(simplexml_load_file("$uri%00foo"));
+
+$sxe = simplexml_load_file($uri);
+var_dump($sxe->asXML("$uri.out%00foo"));
+?>
+--EXPECTF--
+Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d
+
+Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d
+bool(false)
+
+Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d
+bool(false)
--- a/ext/simplexml/tests/bug79971_1.xml
+++ b/ext/simplexml/tests/bug79971_1.xml
@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<root></root>