ext/standard: Throw a ValueError when the parameter includes NUL bytes in putenv and getenv (php#21817)

LamentXU123 · web-flow · commit 701d8a66d327 · 2026-04-21T13:37:59.000+01:00
diff --git a/NEWS b/NEWS
@@ -170,6 +170,8 @@ PHP                                                                        NEWS
     argument value is passed. (Girgias)
   . linkinfo() now raises a ValueError when the argument is an empty string.
     (Weilin Du)
+  . getenv() and putenv() now raises a ValueError when the first argument
+    contains null bytes. (Weilin Du)
 
 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
diff --git a/UPGRADING b/UPGRADING
@@ -88,6 +88,8 @@ PHP 8.6 UPGRADE NOTES
     argument value is passed.
   . array_change_key_case() now raises a ValueError when an invalid $case
     argument value is passed.
+  . getenv() and putenv() now raises a ValueError when the first argument
+    contains null bytes.
   . linkinfo() now raises a ValueError when the $path argument is empty.
   . pathinfo() now raises a ValueError when an invalid $flag
     argument value is passed.
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -696,7 +696,7 @@ PHP_FUNCTION(getenv)
 
 	ZEND_PARSE_PARAMETERS_START(0, 2)
 		Z_PARAM_OPTIONAL
-		Z_PARAM_STRING_OR_NULL(str, str_len)
+		Z_PARAM_PATH_OR_NULL(str, str_len)
 		Z_PARAM_BOOL(local_only)
 	ZEND_PARSE_PARAMETERS_END();
 
@@ -739,7 +739,7 @@ PHP_FUNCTION(putenv)
 #endif
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(setting, setting_len)
+		Z_PARAM_PATH(setting, setting_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (setting_len == 0 || setting[0] == '=') {
diff --git a/ext/standard/tests/general_functions/putenv_and_getenv_reject_null_bytes.phpt b/ext/standard/tests/general_functions/putenv_and_getenv_reject_null_bytes.phpt
@@ -0,0 +1,35 @@
+--TEST--
+getenv() and putenv() reject null bytes
+--FILE--
+<?php
+
+foreach ([false, true] as $local_only) {
+    try {
+        getenv("PHP_GETENV_NUL_TEST\0SUFFIX", $local_only);
+    } catch (ValueError $exception) {
+        echo $exception->getMessage() . "\n";
+    }
+}
+
+$var_name = 'PHP_PUTENV_NUL_TEST';
+
+foreach ([
+    $var_name . "\0SUFFIX=value",
+    $var_name . "=va\0lue",
+] as $assignment) {
+    try {
+        putenv($assignment);
+    } catch (ValueError $exception) {
+        echo $exception->getMessage() . "\n";
+    }
+}
+
+var_dump(getenv($var_name));
+
+?>
+--EXPECT--
+getenv(): Argument #1 ($name) must not contain any null bytes
+getenv(): Argument #1 ($name) must not contain any null bytes
+putenv(): Argument #1 ($assignment) must not contain any null bytes
+putenv(): Argument #1 ($assignment) must not contain any null bytes
+bool(false)
