Skip to content

[pull] master from php:master#22

Merged
pull[bot] merged 33 commits into
dolfly:masterfrom
php:master
Jul 1, 2025
Merged

[pull] master from php:master#22
pull[bot] merged 33 commits into
dolfly:masterfrom
php:master

Conversation

@pull

@pull pull Bot commented Jul 1, 2025

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.2)

Can you help keep this open source service alive? 💖 Please sponsor : )

bukka and others added 30 commits June 23, 2025 23:00
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
* PHP-8.3:
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
* PHP-8.4:
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
The first warning may trigger an error handler, destroying the operand
and its string. So we need to protect the string in that case.
Care was taken to avoid unnecessary refcounts and to avoid touching the
hot code path.

Closes GH-18951.
* PHP-8.4:
  Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte
* PHP-8.3:
  Fix OSS-Fuzz #427814456
* PHP-8.4:
  Fix OSS-Fuzz #427814456
* PHP-8.2:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames

# Conflicts:
#	Zend/zend.h
#	configure.ac
#	ext/pgsql/pgsql.c
#	main/php_version.h
* PHP-8.3:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
* PHP-8.4:
  PHP-8.2 is now for PHP 8.2.30-dev
  Update NEWS with entries for security fixes
  Fix GHSA-453j-q27h-5p8x
  Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
  Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
While there, fix Windows build by adding UriResolve.c to the sources.
ramsey and others added 3 commits July 1, 2025 15:22
Update based on my training with Pierrick
* dates should correspond to when releases are released, not tagged
* qa.php.net is no longer used
* bugs.php.net is no longer used
* multiple commits to web-php can be combined
@pull pull Bot locked and limited conversation to collaborators Jul 1, 2025
@pull pull Bot added the ⤵️ pull label Jul 1, 2025
@pull pull Bot merged commit 45c4650 into dolfly:master Jul 1, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants