Many methods in SimpleXML reset the iterator when called. This has the
consequence that mixing these operations with loops can cause infinite
loops, or the loss of iteration data.
Some people may however rely on the resetting behaviour. To prevent
unintended breaks in stable branches, let's only apply the fix to master.
This reverts GH-12193, GH-12229, GG-12247 for stable branches while
keeping them on master, adding a note in UPGRADING as well.
* PHP-8.2:
Fix GH-12223: Entity reference produces infinite loop in var_dump/print_r
Fix GH-12192: SimpleXML infinite loop when getName() is called within foreach
Fix GH-12186: segfault copying/cloning a finalized HashContext
* PHP-8.1:
Fix GH-12223: Entity reference produces infinite loop in var_dump/print_r
Fix GH-12192: SimpleXML infinite loop when getName() is called within foreach
Fix GH-12186: segfault copying/cloning a finalized HashContext
This happens because getName() resets the iterator to the start because
it overwrites the iterator data.
We add a version of get_first_node that does not overwrite the iterator
data.
Closes GH-12193.
It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-test.
To add to the Windows trouble, libxml is statically linked in, ext/libxml can
only be built statically but ext/zend-test can be built both statically and
dynamically.
So the regression tests won't work in all possible configurations anyway on Windows.
All of this is no problem on Linux because it just uses dynamic linking
and pkg-config, without any magic.
Signed-off-by: Ben Ramsey <ramsey@php.net>
Fixes GHSA-3qrf-m4j2-pcrr.
To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.
Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.
Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().
* PHP-8.2:
Fix GH-10983: State-dependant segfault in ReflectionObject::getProperties
Fix GH-10990: mail() throws TypeError after iterating over $additional_headers array by reference
Fix GH-8841: php-cli core dump calling a badly formed function
This is a variant of GH-10200, but in a different place.
Basically, simplexml may create a properties table that's packed instead
of associative. But the macro that was used to loop over the properties
table assumed that it was always associative. Replace it by the macro
that figures it out automatically which one of the two it is.
For test: Co-authored-by: jnvsor
Closes GH-10984.
Multiple tests had to be changed to escape the arguments in shell
commands. Some tests are skipped because they behave differently with
spaces in the path versus without. One notable example of this is the
hashbang test which does not work because spaces in hashbangs paths are
not supported in Linux.
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz>
The libxml based XML functions accepting a filename actually accept
URIs with possibly percent-encoded characters. Percent-encoded NUL
bytes lead to truncation, like non-encoded NUL bytes would. We catch
those, and let the functions fail with a respective warning.
