diff --git a/NEWS b/NEWS index 993bdda130cd9..986783ce042d3 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,11 @@ PHP NEWS . Fixed bug GH-20051 (apache2 shutdowns when restart is requested during preloading). (Arnaud, welcomycozyhom) +- Phar: + . Support reference values in Phar::mungServer(). (nielsdos) + . Invalid values now throw in Phar::mungServer() instead of being silently + ignored. (nielsdos) + - Standard: . Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). (alexandre-daubois) diff --git a/UPGRADING b/UPGRADING index b9095380ed538..4b166bb5af463 100644 --- a/UPGRADING +++ b/UPGRADING @@ -19,6 +19,10 @@ PHP 8.6 UPGRADE NOTES 1. Backward Incompatible Changes ======================================== +- Phar: + . Invalid values now throw in Phar::mungServer() instead of being silently + ignored. + ======================================== 2. New Features ======================================== @@ -44,6 +48,9 @@ PHP 8.6 UPGRADE NOTES 5. Changed Functions ======================================== +- Phar: + . Phar::mungServer() now supports reference values. + ======================================== 6. New Functions ======================================== diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c index d360163ab5e5f..3619eaef12a5f 100644 --- a/ext/dom/php_dom.c +++ b/ext/dom/php_dom.c @@ -488,6 +488,7 @@ static void dom_unset_property(zend_object *object, zend_string *member, void ** zend_std_unset_property(object, member, cache_slot); } +/* This custom handler is necessary to avoid a recursive construction of the entire subtree. */ static HashTable* dom_get_debug_info_helper(zend_object *object, int *is_temp) /* {{{ */ { dom_object *obj = php_dom_obj_from_obj(object); @@ -498,6 +499,11 @@ static HashTable* dom_get_debug_info_helper(zend_object *object, int *is_temp) / dom_prop_handler *entry; zend_string *object_str; + /* As we have a custom implementation, we must manually check for overrides. */ + if (object->ce->__debugInfo) { + return zend_std_get_debug_info(object, is_temp); + } + *is_temp = 1; std_props = zend_std_get_properties(object); diff --git a/ext/dom/tests/gh16317.phpt b/ext/dom/tests/gh16317.phpt new file mode 100644 index 0000000000000..870c337716f01 --- /dev/null +++ b/ext/dom/tests/gh16317.phpt @@ -0,0 +1,20 @@ +--TEST-- +GH-16317 (DOM classes do not allow __debugInfo() overrides to work) +--FILE-- + 'y']; + } +} + +var_dump(new Demo()); + +?> +--EXPECT-- +object(Demo)#1 (1) { + ["x"]=> + string(1) "y" +} diff --git a/ext/opcache/jit/tls/zend_jit_tls_darwin.c b/ext/opcache/jit/tls/zend_jit_tls_darwin.c index 47a2f01a5a0ae..ee8a572e04a05 100644 --- a/ext/opcache/jit/tls/zend_jit_tls_darwin.c +++ b/ext/opcache/jit/tls/zend_jit_tls_darwin.c @@ -23,9 +23,36 @@ #include #include +#include TSRMLS_CACHE_EXTERN(); +/* Thunk format used since dydl 1284 (approx. MacOS 15) + * https://github.com/apple-oss-distributions/dyld/blob/9307719dd8dc9b385daa412b03cfceb897b2b398/libdyld/ThreadLocalVariables.h#L146 */ +#if defined(__x86_64__) || defined(__aarch64__) +struct TLV_Thunkv2 +{ + void* func; + uint32_t key; + uint32_t offset; +}; +#else +struct TLV_Thunkv2 +{ + void* func; + uint16_t key; + uint16_t offset; +}; +#endif + +/* Thunk format used in earlier versions */ +struct TLV_Thunkv1 +{ + void* func; + size_t key; + size_t offset; +}; + zend_result zend_jit_resolve_tsrm_ls_cache_offsets( size_t *tcb_offset, size_t *module_index, @@ -37,12 +64,25 @@ zend_result zend_jit_resolve_tsrm_ls_cache_offsets( } #if defined(__x86_64__) - size_t *ti; + struct TLV_Thunkv2 *thunk; __asm__ __volatile__( "leaq __tsrm_ls_cache(%%rip),%0" - : "=r" (ti)); - *module_offset = ti[2]; - *module_index = ti[1] * 8; + : "=r" (thunk)); + + /* Detect dyld 1284: With dyld 1284, thunk->func will be _tlv_get_addr. + * Unfortunately this symbol is private, but we can find it + * as _tlv_bootstrap+8: https://github.com/apple-oss-distributions/dyld/blob/9307719dd8dc9b385daa412b03cfceb897b2b398/libdyld/threadLocalHelpers.s#L54 + * In earlier versions, thunk->func will be tlv_get_addr, which is not + * _tlv_bootstrap+8. + */ + if (thunk->func == (void*)((char*)_tlv_bootstrap + 8)) { + *module_offset = thunk->offset; + *module_index = (size_t)thunk->key * 8; + } else { + struct TLV_Thunkv1 *thunkv1 = (struct TLV_Thunkv1*) thunk; + *module_offset = thunkv1->offset; + *module_index = thunkv1->key * 8; + } return SUCCESS; #endif diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c index c5aa292200e86..f23907ae7623a 100644 --- a/ext/phar/dirstream.c +++ b/ext/phar/dirstream.c @@ -349,12 +349,12 @@ int phar_wrapper_mkdir(php_stream_wrapper *wrapper, const char *url_from, int mo { phar_entry_info entry, *e; phar_archive_data *phar = NULL; - char *error, *arch, *entry2; - size_t arch_len, entry_len; + char *error, *arch; + size_t arch_len; php_url *resource = NULL; /* pre-readonly check, we need to know if this is a data phar */ - if (FAILURE == phar_split_fname(url_from, strlen(url_from), &arch, &arch_len, &entry2, &entry_len, 2, 2)) { + if (FAILURE == phar_split_fname(url_from, strlen(url_from), &arch, &arch_len, NULL, NULL, 2, 2)) { php_stream_wrapper_log_error(wrapper, options, "phar error: cannot create directory \"%s\", no phar archive specified", url_from); return 0; } @@ -364,7 +364,6 @@ int phar_wrapper_mkdir(php_stream_wrapper *wrapper, const char *url_from, int mo } efree(arch); - efree(entry2); if (PHAR_G(readonly) && (!phar || !phar->is_data)) { php_stream_wrapper_log_error(wrapper, options, "phar error: cannot create directory \"%s\", write operations disabled", url_from); @@ -477,12 +476,12 @@ int phar_wrapper_rmdir(php_stream_wrapper *wrapper, const char *url, int options { phar_entry_info *entry; phar_archive_data *phar = NULL; - char *error, *arch, *entry2; - size_t arch_len, entry_len; + char *error, *arch; + size_t arch_len; php_url *resource = NULL; /* pre-readonly check, we need to know if this is a data phar */ - if (FAILURE == phar_split_fname(url, strlen(url), &arch, &arch_len, &entry2, &entry_len, 2, 2)) { + if (FAILURE == phar_split_fname(url, strlen(url), &arch, &arch_len, NULL, NULL, 2, 2)) { php_stream_wrapper_log_error(wrapper, options, "phar error: cannot remove directory \"%s\", no phar archive specified, or phar archive does not exist", url); return 0; } @@ -492,7 +491,6 @@ int phar_wrapper_rmdir(php_stream_wrapper *wrapper, const char *url, int options } efree(arch); - efree(entry2); if (PHAR_G(readonly) && (!phar || !phar->is_data)) { php_stream_wrapper_log_error(wrapper, options, "phar error: cannot rmdir directory \"%s\", write operations disabled", url); diff --git a/ext/phar/func_interceptors.c b/ext/phar/func_interceptors.c index 976ce0b5e955c..f7e553a45ce80 100644 --- a/ext/phar/func_interceptors.c +++ b/ext/phar/func_interceptors.c @@ -50,12 +50,11 @@ PHP_FUNCTION(phar_opendir) /* {{{ */ goto skip_phar; } - if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0)) { + if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0)) { php_stream_context *context = NULL; php_stream *stream; char *name; - efree(entry); entry = estrndup(filename, filename_len); /* fopen within phar, if :// is not in the url, then prepend phar:/// */ entry_len = filename_len; @@ -89,8 +88,8 @@ PHP_FUNCTION(phar_opendir) /* {{{ */ static zend_string* phar_get_name_for_relative_paths(zend_string *filename, bool using_include_path) { - char *arch, *entry; - size_t arch_len, entry_len; + char *arch; + size_t arch_len; zend_string *fname = zend_get_executed_filename_ex(); /* we are checking for existence of a file within the relative path. Chances are good that this is @@ -99,13 +98,10 @@ static zend_string* phar_get_name_for_relative_paths(zend_string *filename, bool return NULL; } - if (FAILURE == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0)) { + if (FAILURE == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0)) { return NULL; } - efree(entry); - entry = NULL; - entry_len = 0; /* fopen within phar, if :// is not in the url, then prepend phar:/// */ /* retrieving a file defaults to within the current directory, so use this if possible */ phar_archive_data *phar; @@ -122,8 +118,8 @@ static zend_string* phar_get_name_for_relative_paths(zend_string *filename, bool return NULL; } } else { - entry_len = ZSTR_LEN(filename); - entry = phar_fix_filepath(estrndup(ZSTR_VAL(filename), ZSTR_LEN(filename)), &entry_len, 1); + size_t entry_len = ZSTR_LEN(filename); + char *entry = phar_fix_filepath(estrndup(ZSTR_VAL(filename), ZSTR_LEN(filename)), &entry_len, 1); if (entry[0] == '/') { if (!zend_hash_str_exists(&(phar->manifest), entry + 1, entry_len - 1)) { /* this file is not in the phar, use the original path */ @@ -509,9 +505,7 @@ static void phar_file_stat(const char *filename, size_t filename_length, int typ phar = PHAR_G(last_phar); goto splitted; } - if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0)) { - - efree(entry); + if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0)) { entry = estrndup(filename, filename_length); /* fopen within phar, if :// is not in the url, then prepend phar:/// */ entry_len = filename_length; @@ -751,10 +745,9 @@ PHP_FUNCTION(phar_is_file) /* {{{ */ goto skip_phar; } - if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0)) { + if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0)) { phar_archive_data *phar; - efree(entry); entry = filename; /* fopen within phar, if :// is not in the url, then prepend phar:/// */ entry_len = filename_len; @@ -817,10 +810,9 @@ PHP_FUNCTION(phar_is_link) /* {{{ */ goto skip_phar; } - if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0)) { + if (SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0)) { phar_archive_data *phar; - efree(entry); entry = filename; /* fopen within phar, if :// is not in the url, then prepend phar:/// */ entry_len = filename_len; diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 5a5012adbf18e..d2c25dfbdb711 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2298,16 +2298,18 @@ zend_result phar_split_fname(const char *filename, size_t filename_len, char **a *arch_len = ext_str - filename + ext_len; *arch = estrndup(filename, *arch_len); - if (ext_str[ext_len]) { - *entry_len = filename_len - *arch_len; - *entry = estrndup(ext_str+ext_len, *entry_len); -#ifdef PHP_WIN32 - phar_unixify_path_separators(*entry, *entry_len); -#endif - *entry = phar_fix_filepath(*entry, entry_len, 0); - } else { - *entry_len = 1; - *entry = estrndup("/", 1); + if (entry) { + if (ext_str[ext_len]) { + *entry_len = filename_len - *arch_len; + *entry = estrndup(ext_str+ext_len, *entry_len); + #ifdef PHP_WIN32 + phar_unixify_path_separators(*entry, *entry_len); + #endif + *entry = phar_fix_filepath(*entry, entry_len, 0); + } else { + *entry_len = 1; + *entry = estrndup("/", 1); + } } #ifdef PHP_WIN32 diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index de58c464cf3c6..2ea701743f9ff 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -412,8 +412,8 @@ static void phar_postprocess_ru_web(char *fname, size_t fname_len, char **entry, PHP_METHOD(Phar, running) { zend_string *fname; - char *arch, *entry; - size_t arch_len, entry_len; + char *arch; + size_t arch_len; bool retphar = true; if (zend_parse_parameters(ZEND_NUM_ARGS(), "|b", &retphar) == FAILURE) { @@ -427,9 +427,8 @@ PHP_METHOD(Phar, running) if ( zend_string_starts_with_literal_ci(fname, "phar://") - && SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 2, 0) + && SUCCESS == phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 2, 0) ) { - efree(entry); if (retphar) { RETVAL_STRINGL(ZSTR_VAL(fname), arch_len + 7); efree(arch); @@ -485,8 +484,7 @@ PHP_METHOD(Phar, mount) } #endif - if (fname_len > 7 && !memcmp(fname, "phar://", 7) && SUCCESS == phar_split_fname(fname, fname_len, &arch, &arch_len, &entry, &entry_len, 2, 0)) { - efree(entry); + if (fname_len > 7 && !memcmp(fname, "phar://", 7) && SUCCESS == phar_split_fname(fname, fname_len, &arch, &arch_len, NULL, NULL, 2, 0)) { entry = NULL; if (path_len > 7 && !memcmp(path, "phar://", 7)) { @@ -905,7 +903,7 @@ PHP_METHOD(Phar, mungServer) phar_request_initialize(); ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mungvalues), data) { - + ZVAL_DEREF(data); if (Z_TYPE_P(data) != IS_STRING) { zend_throw_exception_ex(phar_ce_PharException, 0, "Non-string value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME"); RETURN_THROWS(); @@ -919,8 +917,10 @@ PHP_METHOD(Phar, mungServer) PHAR_G(phar_SERVER_mung_list) |= PHAR_MUNG_SCRIPT_NAME; } else if (zend_string_equals_literal(Z_STR_P(data), "SCRIPT_FILENAME")) { PHAR_G(phar_SERVER_mung_list) |= PHAR_MUNG_SCRIPT_FILENAME; + } else { + zend_throw_exception_ex(phar_ce_PharException, 0, "Invalid value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME"); + RETURN_THROWS(); } - // TODO Warning for invalid value? } ZEND_HASH_FOREACH_END(); } /* }}} */ @@ -1300,9 +1300,9 @@ PHP_METHOD(Phar, getSupportedCompression) /* {{{ Completely remove a phar archive from memory and disk */ PHP_METHOD(Phar, unlinkArchive) { - char *fname, *error, *arch, *entry; + char *fname, *error, *arch; size_t fname_len; - size_t arch_len, entry_len; + size_t arch_len; phar_archive_data *phar; if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) { @@ -1329,16 +1329,14 @@ PHP_METHOD(Phar, unlinkArchive) if ( zend_file_name && zend_string_starts_with_literal_ci(zend_file_name, "phar://") - && SUCCESS == phar_split_fname(ZSTR_VAL(zend_file_name), ZSTR_LEN(zend_file_name), &arch, &arch_len, &entry, &entry_len, 2, 0) + && SUCCESS == phar_split_fname(ZSTR_VAL(zend_file_name), ZSTR_LEN(zend_file_name), &arch, &arch_len, NULL, NULL, 2, 0) ) { if (arch_len == fname_len && !memcmp(arch, fname, arch_len)) { zend_throw_exception_ex(phar_ce_PharException, 0, "phar archive \"%s\" cannot be unlinked from within itself", fname); efree(arch); - efree(entry); RETURN_THROWS(); } efree(arch); - efree(entry); } if (phar->is_persistent) { @@ -1785,6 +1783,10 @@ PHP_METHOD(Phar, buildFromDirectory) pass.ret = return_value; pass.fp = php_stream_fopen_tmpfile(); if (pass.fp == NULL) { + zval_ptr_dtor(&iteriter); + if (apply_reg) { + zval_ptr_dtor(®exiter); + } zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" unable to create temporary file", phar_obj->archive->fname); RETURN_THROWS(); } diff --git a/ext/phar/tests/invalid_string_phar_mungserver.phpt b/ext/phar/tests/invalid_string_phar_mungserver.phpt new file mode 100644 index 0000000000000..46de113f6c087 --- /dev/null +++ b/ext/phar/tests/invalid_string_phar_mungserver.phpt @@ -0,0 +1,15 @@ +--TEST-- +Passing invalid string to Phar::mungServer() +--FILE-- +getMessage(), "\n"; +} + +?> +--EXPECT-- +Invalid value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME diff --git a/ext/phar/util.c b/ext/phar/util.c index aa30515eff6a0..26a11d99a9c14 100644 --- a/ext/phar/util.c +++ b/ext/phar/util.c @@ -267,8 +267,8 @@ zend_result phar_mount_entry(phar_archive_data *phar, char *filename, size_t fil zend_string *phar_find_in_include_path(zend_string *filename, phar_archive_data **pphar) /* {{{ */ { zend_string *ret; - char *path, *arch, *entry, *test; - size_t arch_len, entry_len; + char *path, *arch, *test; + size_t arch_len; phar_archive_data *phar; if (pphar) { @@ -301,12 +301,10 @@ zend_string *phar_find_in_include_path(zend_string *filename, phar_archive_data goto splitted; } - if (!is_file_a_phar_wrapper || SUCCESS != phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, &entry, &entry_len, 1, 0)) { + if (!is_file_a_phar_wrapper || SUCCESS != phar_split_fname(ZSTR_VAL(fname), ZSTR_LEN(fname), &arch, &arch_len, NULL, NULL, 1, 0)) { return NULL; } - efree(entry); - if (*ZSTR_VAL(filename) == '.') { size_t try_len; @@ -347,7 +345,7 @@ zend_string *phar_find_in_include_path(zend_string *filename, phar_archive_data if (ret && zend_string_starts_with_literal_ci(ret, "phar://")) { /* found phar:// */ - if (SUCCESS != phar_split_fname(ZSTR_VAL(ret), ZSTR_LEN(ret), &arch, &arch_len, &entry, &entry_len, 1, 0)) { + if (SUCCESS != phar_split_fname(ZSTR_VAL(ret), ZSTR_LEN(ret), &arch, &arch_len, NULL, NULL, 1, 0)) { return ret; } @@ -358,7 +356,6 @@ zend_string *phar_find_in_include_path(zend_string *filename, phar_archive_data } efree(arch); - efree(entry); } return ret; diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 4cb907f903700..0783b5f4e2c95 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -346,6 +346,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia entry.fp_type = PHAR_FP; entry.is_persistent = mydata->is_persistent; #define PHAR_ZIP_FAIL(errmsg) \ + efree(actual_alias); \ zend_hash_destroy(&mydata->manifest); \ HT_INVALIDATE(&mydata->manifest); \ zend_hash_destroy(&mydata->mounted_dirs); \ @@ -645,7 +646,6 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia } if (!entry.uncompressed_filesize) { - efree(actual_alias); php_stream_filter_remove(filter, 1); zend_string_release_ex(entry.filename, entry.is_persistent); PHAR_ZIP_FAIL("unable to read in alias, truncated"); @@ -679,7 +679,6 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia } if (!entry.uncompressed_filesize) { - efree(actual_alias); php_stream_filter_remove(filter, 1); zend_string_release_ex(entry.filename, entry.is_persistent); PHAR_ZIP_FAIL("unable to read in alias, truncated"); @@ -703,7 +702,6 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia } if (!entry.uncompressed_filesize) { - efree(actual_alias); zend_string_release_ex(entry.filename, entry.is_persistent); PHAR_ZIP_FAIL("unable to read in alias, truncated"); } diff --git a/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt new file mode 100644 index 0000000000000..6a24a0137526c --- /dev/null +++ b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt @@ -0,0 +1,14 @@ +--TEST-- +Shm corruption with coercion in options of unserialize() +--FILE-- + [new MyStringable]]); +?> +--EXPECTF-- +Warning: unserialize(): Error at offset 0 of 2 bytes in %s on line %d diff --git a/ext/standard/var.c b/ext/standard/var.c index 4df86f49434a0..a1ef60410a338 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -1415,19 +1415,20 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co function_name, zend_zval_value_name(entry)); goto cleanup; } - zend_string *name = zval_try_get_string(entry); + zend_string *tmp_str; + zend_string *name = zval_try_get_tmp_string(entry, &tmp_str); if (UNEXPECTED(name == NULL)) { goto cleanup; } if (UNEXPECTED(!zend_is_valid_class_name(name))) { zend_value_error("%s(): Option \"allowed_classes\" must be an array of class names, \"%s\" given", function_name, ZSTR_VAL(name)); - zend_string_release_ex(name, false); + zend_tmp_string_release(tmp_str); goto cleanup; } zend_string *lcname = zend_string_tolower(name); zend_hash_add_empty_element(class_hash, lcname); - zend_string_release_ex(name, false); zend_string_release_ex(lcname, false); + zend_tmp_string_release(tmp_str); } ZEND_HASH_FOREACH_END(); } php_var_unserialize_set_allowed_classes(var_hash, class_hash);