turkdevops · pull · Nov 12, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
diff --git a/Zend/tests/function_arguments/gh20435_2.phpt b/Zend/tests/function_arguments/gh20435_2.phpt
@@ -0,0 +1,38 @@
+--TEST--
+GH-20435: ZEND_CALL_HAS_EXTRA_NAMED_PARAMS & magic methods in debug_backtrace_get_args()
+--FILE--
+<?php
+
+class C {
+    public static function __callStatic($name, $args) {
+        echo (new Exception())->__toString(), "\n\n";
+    }
+    public function __call($name, $args) {
+        echo (new Exception())->__toString(), "\n\n";
+    }
+    public function __invoke(...$args) {
+        echo (new Exception())->__toString(), "\n";
+    }
+}
+
+$c = new C();
+$c->foo(bar: 'bar');
+C::foo(bar: 'bar');
+$c(bar: 'bar');
+
+?>
+--EXPECTF--
+Exception in %s:%d
+Stack trace:
+#0 %s(%d): C->__call('foo', Array)
+#1 {main}
+
+Exception in %s:%d
+Stack trace:
+#0 %s(%d): C::__callStatic('foo', Array)
+#1 {main}
+
+Exception in %s:%d
+Stack trace:
+#0 %s(%d): C->__invoke(bar: 'bar')
+#1 {main}
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
@@ -1715,6 +1715,18 @@ ZEND_FUNCTION(get_defined_constants)
 }
 /* }}} */
 
+static bool backtrace_is_arg_sensitive(const zend_execute_data *call, uint32_t offset)
+{
+	zend_attribute *attribute = zend_get_parameter_attribute_str(
+		call->func->common.attributes,
+		"sensitiveparameter",
+		sizeof("sensitiveparameter") - 1,
+		offset
+	);
+
+	return attribute != NULL;
+}
+
 static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /* {{{ */
 {
 	uint32_t num_args = ZEND_CALL_NUM_ARGS(call);
@@ -1738,14 +1750,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 						zend_string *arg_name = call->func->op_array.vars[i];
 						zval original_arg;
 						zval *arg = zend_hash_find_ex_ind(call->symbol_table, arg_name, 1);
-						zend_attribute *attribute = zend_get_parameter_attribute_str(
-							call->func->common.attributes,
-							"sensitiveparameter",
-							sizeof("sensitiveparameter") - 1,
-							i
-						);
-
-						bool is_sensitive = attribute != NULL;
+						bool is_sensitive = backtrace_is_arg_sensitive(call, i);
 
 						if (arg) {
 							ZVAL_DEREF(arg);
@@ -1756,8 +1761,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 
 						if (is_sensitive) {
 							zval redacted_arg;
-							object_init_ex(&redacted_arg, zend_ce_sensitive_parameter_value);
-							zend_call_known_function(Z_OBJCE_P(&redacted_arg)->constructor, Z_OBJ_P(&redacted_arg), Z_OBJCE_P(&redacted_arg), NULL, 1, &original_arg, NULL);
+							object_init_with_constructor(&redacted_arg, zend_ce_sensitive_parameter_value, 1, &original_arg, NULL);
 							ZEND_HASH_FILL_SET(&redacted_arg);
 						} else {
 							Z_TRY_ADDREF_P(&original_arg);
@@ -1770,13 +1774,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 				} else {
 					while (i < first_extra_arg) {
 						zval original_arg;
-						zend_attribute *attribute = zend_get_parameter_attribute_str(
-							call->func->common.attributes,
-							"sensitiveparameter",
-							sizeof("sensitiveparameter") - 1,
-							i
-						);
-						bool is_sensitive = attribute != NULL;
+						bool is_sensitive = backtrace_is_arg_sensitive(call, i);
 
 						if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
 							zval *arg = p;
@@ -1788,8 +1786,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 
 						if (is_sensitive) {
 							zval redacted_arg;
-							object_init_ex(&redacted_arg, zend_ce_sensitive_parameter_value);
-							zend_call_known_function(Z_OBJCE_P(&redacted_arg)->constructor, Z_OBJ_P(&redacted_arg), Z_OBJCE_P(&redacted_arg), NULL, 1, &original_arg, NULL);
+							object_init_with_constructor(&redacted_arg, zend_ce_sensitive_parameter_value, 1, &original_arg, NULL);
 							ZEND_HASH_FILL_SET(&redacted_arg);
 						} else {
 							Z_TRY_ADDREF_P(&original_arg);
@@ -1809,13 +1806,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 				bool is_sensitive = 0;
 
 				if (i < call->func->common.num_args || call->func->common.fn_flags & ZEND_ACC_VARIADIC) {
-					zend_attribute *attribute = zend_get_parameter_attribute_str(
-						call->func->common.attributes,
-						"sensitiveparameter",
-						sizeof("sensitiveparameter") - 1,
-						MIN(i, call->func->common.num_args)
-					);
-					is_sensitive = attribute != NULL;
+					is_sensitive = backtrace_is_arg_sensitive(call, MIN(i, call->func->common.num_args));
 				}
 
 				if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
@@ -1828,8 +1819,7 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 
 				if (is_sensitive) {
 					zval redacted_arg;
-					object_init_ex(&redacted_arg, zend_ce_sensitive_parameter_value);
-					zend_call_known_function(Z_OBJCE_P(&redacted_arg)->constructor, Z_OBJ_P(&redacted_arg), Z_OBJCE_P(&redacted_arg), NULL, 1, &original_arg, NULL);
+					object_init_with_constructor(&redacted_arg, zend_ce_sensitive_parameter_value, 1, &original_arg, NULL);
 					ZEND_HASH_FILL_SET(&redacted_arg);
 				} else {
 					Z_TRY_ADDREF_P(&original_arg);
@@ -1846,27 +1836,22 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 		ZVAL_EMPTY_ARRAY(arg_array);
 	}
 
-	if (ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS) {
+	if ((ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)
+	 /* __call and __callStatic are non-variadic, potentially with
+	  * HAS_EXTRA_NAMED_PARAMS set. Don't add extra args, as they're already
+	  * contained in the 2nd param. */
+	 && (call->func->common.fn_flags & ZEND_ACC_VARIADIC)) {
 		zend_string *name;
 		zval *arg;
 
-		ZEND_ASSERT(call->func->common.fn_flags & ZEND_ACC_VARIADIC);
-
-		zend_attribute *attribute = zend_get_parameter_attribute_str(
-			call->func->common.attributes,
-			"sensitiveparameter",
-			sizeof("sensitiveparameter") - 1,
-			call->func->common.num_args
-		);
-		bool is_sensitive = attribute != NULL;
+		bool is_sensitive = backtrace_is_arg_sensitive(call, call->func->common.num_args);
 
 		SEPARATE_ARRAY(arg_array);
 		ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(call->extra_named_params, name, arg) {
 			ZVAL_DEREF(arg);
 			if (is_sensitive) {
 				zval redacted_arg;
-				object_init_ex(&redacted_arg, zend_ce_sensitive_parameter_value);
-				zend_call_method_with_1_params(Z_OBJ_P(&redacted_arg), zend_ce_sensitive_parameter_value, &zend_ce_sensitive_parameter_value->constructor, "__construct", NULL, arg);
+				object_init_with_constructor(&redacted_arg, zend_ce_sensitive_parameter_value, 1, arg, NULL);
 				zend_hash_add_new(Z_ARRVAL_P(arg_array), name, &redacted_arg);
 			} else {
 				Z_TRY_ADDREF_P(arg);

diff --git a/ext/xml/compat.c b/ext/xml/compat.c
@@ -37,36 +37,35 @@ qualify_namespace(XML_Parser parser, const xmlChar *name, const xmlChar *URI)
 	}
 }
 
+static void start_element_emit_default(XML_Parser parser)
+{
+	if (parser->h_default) {
+		/* Grammar does not allow embedded '<' and '>' in elements, so we can seek to the start and end positions.
+		 * Since the parser in the current mode mode is non-progressive, it contains the entire input. */
+		const xmlChar *cur = parser->parser->input->cur;
+		const xmlChar *end = cur;
+		for (const xmlChar *base = parser->parser->input->base; cur > base && *cur != '<'; cur--);
+		if (*end == '/') {
+			/* BC:   Keep split between start & end element.
+			 * TODO: In the future this could be aligned with expat and only emit a start event, or vice versa.
+			 *       See gh20439_2.phpt */
+			xmlChar *tmp = BAD_CAST estrndup((const char *) cur, end - cur + 1);
+			tmp[end - cur] = '>';
+			parser->h_default(parser->user, tmp, end - cur + 1);
+			efree(tmp);
+		} else {
+			parser->h_default(parser->user, cur, end - cur + 1);
+		}
+	}
+}
+
 static void
 start_element_handler(void *user, const xmlChar *name, const xmlChar **attributes)
 {
 	XML_Parser  parser = (XML_Parser) user;
 
 	if (parser->h_start_element == NULL) {
-		if (parser->h_default) {
-			int attno = 0;
-			smart_string qualified_name = {0};
-
-			smart_string_appendc(&qualified_name, '<');
-			smart_string_appends(&qualified_name, (const char *) name);
-
-			if (attributes) {
-				while (attributes[attno] != NULL) {
-					const char *att_name = (const char *) attributes[attno++];
-					const char *att_value = (const char *) attributes[attno++];
-
-					smart_string_appendc(&qualified_name, ' ');
-					smart_string_appends(&qualified_name, att_name);
-					smart_string_appends(&qualified_name, "=\"");
-					smart_string_appends(&qualified_name, att_value);
-					smart_string_appendc(&qualified_name, '"');
-				}
-			}
-			smart_string_appendc(&qualified_name, '>');
-			smart_string_0(&qualified_name);
-			parser->h_default(parser->user, (const XML_Char *) qualified_name.c, qualified_name.len);
-			smart_string_free(&qualified_name);
-		}
+		start_element_emit_default(parser);
 		return;
 	}
 
@@ -92,59 +91,7 @@ start_element_handler_ns(void *user, const xmlChar *name, const xmlChar *prefix,
 	}
 
 	if (parser->h_start_element == NULL) {
-	 	if (parser->h_default) {
-			smart_string qualified_name = {0};
-			smart_string_appendc(&qualified_name, '<');
-			if (prefix) {
-				smart_string_appends(&qualified_name, (const char *) prefix);
-				smart_string_appendc(&qualified_name, ':');
-			}
-			smart_string_appends(&qualified_name, (const char *) name);
-
-			if (namespaces) {
-				int i, j;
-				for (i = 0,j = 0;j < nb_namespaces;j++) {
-					const char *ns_prefix = (const char *) namespaces[i++];
-					const char *ns_url = (const char *) namespaces[i++];
-
-					if (ns_prefix) {
-						smart_string_appends(&qualified_name, " xmlns:");
-						smart_string_appends(&qualified_name, ns_prefix);
-						smart_string_appends(&qualified_name, "=\"");
-					} else {
-						smart_string_appends(&qualified_name, " xmlns=\"");
-					}
-
-					smart_string_appends(&qualified_name, ns_url);
-					smart_string_appendc(&qualified_name, '"');
-				}
-			}
-
-			if (attributes) {
-				for (i = 0; i < nb_attributes; i += 1) {
-					const char *att_name = (const char *) attributes[y++];
-					const char *att_prefix = (const char *)attributes[y++];
-					y++;
-					const char *att_value = (const char *)attributes[y++];
-					const char *att_valueend = (const char *)attributes[y++];
-
-					smart_string_appendc(&qualified_name, ' ');
-					if (att_prefix) {
-						smart_string_appends(&qualified_name, att_prefix);
-						smart_string_appendc(&qualified_name, ':');
-					}
-					smart_string_appends(&qualified_name, att_name);
-					smart_string_appends(&qualified_name, "=\"");
-
-					smart_string_appendl(&qualified_name, att_value, att_valueend - att_value);
-					smart_string_appendc(&qualified_name, '"');
-				}
-
-			}
-			smart_string_appendc(&qualified_name, '>');
-			parser->h_default(parser->user, (const XML_Char *) qualified_name.c, qualified_name.len);
-			smart_string_free(&qualified_name);
-		}
+		start_element_emit_default(parser);
 		return;
 	}
 	qualified_name = qualify_namespace(parser, name, URI);

diff --git a/ext/xml/tests/gh20439_1.phpt b/ext/xml/tests/gh20439_1.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback)
+--EXTENSIONS--
+xml
+--FILE--
+<?php
+
+$x = xml_parser_create_ns('utf-8');
+xml_set_default_handler($x, function( $_parser, $data ) { var_dump($data); });
+
+$input = "<!-- xxx --><foo   attr1='\"&lt;&quot;&#9;&#x0A;&#x0D;&#13;𐍅' attr2=\"&quot;&lt;\"></foo>";
+$inputs = str_split($input);
+
+// Test chunked parser wrt non-progressive parser
+foreach ($inputs as $input) {
+	xml_parse($x, $input, false);
+}
+xml_parse($x, "", true);
+
+?>
+--EXPECT--
+string(12) "<!-- xxx -->"
+string(71) "<foo   attr1='"&lt;&quot;&#9;&#x0A;&#x0D;&#13;𐍅' attr2="&quot;&lt;">"
+string(6) "</foo>"
diff --git a/ext/xml/tests/gh20439_2.phpt b/ext/xml/tests/gh20439_2.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback) - closing solidus variant
+--EXTENSIONS--
+xml
+--SKIPIF--
+<?php
+require __DIR__ . '/libxml_expat_skipif.inc';
+skipif(want_expat: false);
+?>
+--FILE--
+<?php
+
+$x = xml_parser_create_ns('utf-8');
+xml_set_default_handler($x, function( $_parser, $data ) { var_dump($data); });
+
+$input = "<ns:test xmlns:ns='urn:x'   />";
+xml_parse($x, $input, true);
+
+?>
+--EXPECT--
+string(29) "<ns:test xmlns:ns='urn:x'   >"
+string(10) "</ns:test>"
diff --git a/main/output.c b/main/output.c
@@ -956,7 +956,6 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 		if (handler->flags & PHP_OUTPUT_HANDLER_USER) {
 			zval ob_args[2];
 			zval retval;
-			ZVAL_UNDEF(&retval);
 
 			/* ob_data */
 			ZVAL_STRINGL(&ob_args[0], handler->buffer.data, handler->buffer.used);
@@ -969,36 +968,20 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 			handler->func.user->fci.retval = &retval;
 
 			if (SUCCESS == zend_call_function(&handler->func.user->fci, &handler->func.user->fcc) && Z_TYPE(retval) != IS_UNDEF) {
-				if (Z_TYPE(retval) != IS_STRING || handler->flags & PHP_OUTPUT_HANDLER_PRODUCED_OUTPUT) {
+				if (handler->flags & PHP_OUTPUT_HANDLER_PRODUCED_OUTPUT) {
 					// Make sure that we don't get lost in the current output buffer
 					// by disabling it
 					handler->flags |= PHP_OUTPUT_HANDLER_DISABLED;
-					// Make sure we keep a reference to the handler name in
-					// case
-					// * The handler produced output *and* returned a non-string
-					// * The first deprecation message causes the handler to
-					// be removed
-					zend_string *handler_name = handler->name;
-					zend_string_addref(handler_name);
 					if (handler->flags & PHP_OUTPUT_HANDLER_PRODUCED_OUTPUT) {
 						// The handler might not always produce output
 						handler->flags &= ~PHP_OUTPUT_HANDLER_PRODUCED_OUTPUT;
 						php_error_docref(
 							NULL,
 							E_DEPRECATED,
 							"Producing output from user output handler %s is deprecated",
-							ZSTR_VAL(handler_name)
-						);
-					}
-					if (Z_TYPE(retval) != IS_STRING) {
-						php_error_docref(
-							NULL,
-							E_DEPRECATED,
-							"Returning a non-string result from user output handler %s is deprecated",
-							ZSTR_VAL(handler_name)
+							ZSTR_VAL(handler->name)
 						);
 					}
-					zend_string_release(handler_name);
 
 					// Check if the handler is still in the list of handlers to
 					// determine if the PHP_OUTPUT_HANDLER_DISABLED flag can