Keep this up to date in all non-security-only branches, because the node.js
runtime for older versions might get deprecated in the future and fixing this
for all branches at once is easier.
see 45e60e585e
Unfortunately, these jobs routinely fail to boot correctly. In this case,
they'll stall and block CI for 6 hours until they finally fail. Add a limit to
make them fail earlier.
Unconditionally execute assignment of EXIT_CODE. Otherwise, the variable bleeds
into the next iteration. Also add newline before ::endgroup::. ASAN does not add
a trailing newline.
We are adding extra (non-phpt) test suites in [1] and [2]. In order to
avoid touching CI files too often (which are maintained in 8.1 and merged in
upper branches), we add a single entry point to call the extra tests. The entry
point can be updated in branches without synchronizing all the way from 8.1.
CI files still need to be touched to install dependencies of these tests,
but this should be manageable as these do not change often and are the same
in every branch.
Closes GH-19242.
[1] https://github.com/php/php-src/pull/16987
[2] https://github.com/php/php-src/pull/18939
Apple Silicon has stricter rules about rwx mmap regions. They need to be created
using the MAP_JIT flag. However, the MAP_JIT seems to be incompatible with
MAP_SHARED. ZTS requires MAP_SHARED so that some threads may execute code from a
page while another writes/appends to it. We did not find another solution, other
than completely disabling JIT for Apple Silicon + ZTS.
See discussion in https://github.com/php/php-src/pull/13351.
Co-authored-by: Peter Kokot <peterkokot@gmail.com>
Fixes GH-13400
Closes GH-13396
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
These tests attempt to test that no memory is leaked for stream calls. However,
it is incorrect to assume the memory will not increase for other reasons, e.g.
when growing resource buffers, for the output buffer, etc. This was discovered
through 9cacc57350 with USE_TRACKED_ALLOC=1, but
this can also fail with USE_ZEND_ALLOC=1 when increasing loop iterations.
