Merge branch 'PHP-8.5'

* PHP-8.5:
  Update NEWS for recent bug fixes
  ext/phar: Fix memory leak in phar_verify_signature() when md_ctx is invalid
  phar: propagate phar_stream_flush return value from phar_stream_close
  phar: call phar_entry_delref before goto finish in phar_add_file error paths
  phar: free is_temp_dir entry before rejecting .phar/* paths in offsetGet
  phar: fix NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent
  phar: restore is_link handler in phar_intercept_functions_shutdown

Author: Girgias

ext/phar/func_interceptors.c

@@ -893,6 +893,7 @@ void phar_intercept_functions_shutdown(void)
 	PHAR_RELEASE(fopen);
 	PHAR_RELEASE(file_get_contents);
 	PHAR_RELEASE(is_file);
+	PHAR_RELEASE(is_link);
 	PHAR_RELEASE(is_dir);
 	PHAR_RELEASE(opendir);
 	PHAR_RELEASE(file_exists);

ext/phar/phar_object.c

@@ -639,6 +639,9 @@ PHP_METHOD(Phar, webPhar)
 
 		} else {
 			char *testit = sapi_getenv("SCRIPT_NAME", sizeof("SCRIPT_NAME")-1);
+			if (!testit) {
+				goto finish;
+			}
 			if (!(pt = strstr(testit, basename))) {
 				efree(testit);
 				goto finish;
@@ -3513,6 +3516,11 @@ PHP_METHOD(Phar, offsetGet)
 	if (!(entry = phar_get_entry_info_dir(phar_obj->archive, ZSTR_VAL(file_name), ZSTR_LEN(file_name), 1, &error, false))) {
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Entry %s does not exist%s%s", ZSTR_VAL(file_name), error?", ":"", error?error:"");
 	} else {
+		if (entry->is_temp_dir) {
+			zend_string_efree(entry->filename);
+			efree(entry);
+		}
+
 		if (zend_string_equals_literal(file_name, ".phar/stub.php")) {
 			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot get stub \".phar/stub.php\" directly in phar \"%s\", use getStub", phar_obj->archive->fname);
 			RETURN_THROWS();
@@ -3528,11 +3536,6 @@ PHP_METHOD(Phar, offsetGet)
 			RETURN_THROWS();
 		}
 
-		if (entry->is_temp_dir) {
-			zend_string_efree(entry->filename);
-			efree(entry);
-		}
-
 		zend_string *sfname = strpprintf(0, "phar://%s/%s", phar_obj->archive->fname, ZSTR_VAL(file_name));
 		zval zfname;
 		ZVAL_NEW_STR(&zfname, sfname);
@@ -3603,11 +3606,13 @@ static void phar_add_file(phar_archive_data **pphar, zend_string *file_name, con
 				size_t written_len = php_stream_write(data->fp, ZSTR_VAL(content), ZSTR_LEN(content));
 				if (written_len != contents_len) {
 					zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Entry %s could not be written to", filename);
+					phar_entry_delref(data);
 					goto finish;
 				}
 			} else {
 				if (!(php_stream_from_zval_no_verify(contents_file, zresource))) {
 					zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Entry %s could not be written to", filename);
+					phar_entry_delref(data);
 					goto finish;
 				}
 				php_stream_copy_to_stream_ex(contents_file, data->fp, PHP_STREAM_COPY_ALL, &contents_len);

ext/phar/stream.c

@@ -351,11 +351,11 @@ static php_stream * phar_wrapper_open_url(php_stream_wrapper *wrapper, const cha
 static int phar_stream_close(php_stream *stream, int close_handle) /* {{{ */
 {
 	/* for some reasons phar needs to be flushed even if there is no write going on */
-	phar_stream_flush(stream);
+	int ret = phar_stream_flush(stream);
 
 	phar_entry_delref((phar_entry_data *)stream->abstract);
 
-	return 0;
+	return ret;
 }
 /* }}} */
 

ext/phar/tests/gh21797.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-21797: Phar::webPhar() NULL dereference when SCRIPT_NAME absent from SAPI environment
+--CGI--
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+variables_order=EGPC
+register_argc_argv=0
+cgi.fix_pathinfo=0
+--ENV--
+REQUEST_METHOD=GET
+PATH_INFO=/gh21797.phar
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+$phar = new Phar($fname);
+$phar->addFromString('index.php', '<?php echo "ok\n"; ?>');
+$phar->setStub('<?php
+Phar::webPhar();
+echo "no crash\n";
+__HALT_COMPILER(); ?>');
+unset($phar);
+include $fname;
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+no crash

ext/phar/tests/gh21798-add-file-delref.phpt

@@ -0,0 +1,29 @@
+--TEST--
+GH-21798: phar_add_file must call phar_entry_delref on write error paths
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+--FILE--
+<?php
+// Regression baseline: verify addFile and addFromString succeed and
+// phar_entry_delref is not skipped on the happy path.
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+
+$phar = new Phar($fname);
+$phar->addFromString('hello.txt', 'hello world');
+$phar->addFromString('empty.txt', '');
+unset($phar);
+
+$phar = new Phar($fname);
+echo $phar['hello.txt']->getContent() . "\n";
+echo ($phar->offsetExists('empty.txt') ? 'empty exists' : 'missing') . "\n";
+echo "no crash\n";
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+hello world
+empty exists
+no crash

ext/phar/tests/gh21798-offsetget-temp-entry.phpt

@@ -0,0 +1,39 @@
+--TEST--
+GH-21798: Phar::offsetGet() must free is_temp_dir entry before rejecting .phar/* paths
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+$phar = new Phar($fname);
+$phar->addFromString('index.php', '<?php echo "ok"; ?>');
+unset($phar);
+
+$phar = new Phar($fname);
+try {
+    $phar->offsetGet('.phar/stub.php');
+} catch (BadMethodCallException $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    $phar->offsetGet('.phar/alias.txt');
+} catch (BadMethodCallException $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    $phar->offsetGet('.phar/internal');
+} catch (BadMethodCallException $e) {
+    echo $e->getMessage() . "\n";
+}
+echo "no crash\n";
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+Entry .phar/stub.php does not exist
+Entry .phar/alias.txt does not exist
+Entry .phar/internal does not exist
+no crash

ext/phar/tests/gh21799-stream-close-flush.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-21799: phar_stream_close propagates phar_stream_flush return value
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+--FILE--
+<?php
+// Regression baseline: fclose() on a phar file handle succeeds on the
+// normal code path. phar_stream_close now returns the phar_stream_flush
+// result instead of always returning 0.
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+
+$phar = new Phar($fname);
+$phar->addFromString('hello.txt', 'hello');
+unset($phar);
+
+$fp = fopen('phar://' . $fname . '/hello.txt', 'rb');
+$content = fread($fp, 1024);
+$result = fclose($fp);
+
+echo $content . "\n";
+var_dump($result);
+echo "no crash\n";
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+hello
+bool(true)
+no crash

ext/phar/tests/phar-is-link-intercept.phpt

@@ -0,0 +1,29 @@
+--TEST--
+phar: is_link() intercept correctly delegates for non-symlink phar entries
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+$phar = new Phar($fname);
+$phar->addFromString('file.txt', 'hello');
+$phar->setStub('<?php
+Phar::interceptFileFuncs();
+echo "regular entry (not a symlink): ";
+var_dump(is_link("file.txt"));
+echo "missing entry: ";
+var_dump(is_link("nonexistent.txt"));
+echo "absolute phar:// path (bypasses intercept): ";
+var_dump(is_link("phar://" . __FILE__ . "/file.txt"));
+__HALT_COMPILER(); ?>');
+include $fname;
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+regular entry (not a symlink): bool(false)
+missing entry: bool(false)
+absolute phar:// path (bypasses intercept): bool(false)

ext/phar/util.c

@@ -1576,6 +1576,7 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s
 				if (md_ctx) {
 					EVP_MD_CTX_destroy(md_ctx);
 				}
+				EVP_PKEY_free(key);
 				if (error) {
 					*error = estrdup("openssl signature could not be verified");
 				}