Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: php/php-src
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: php-8.3.18RC1
Choose a base ref
...
head repository: php/php-src
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: php-8.3.19
Choose a head ref
  • 12 commits
  • 31 files changed
  • 5 contributors

Commits on Mar 5, 2025

  1. Fix GHSA-GHSA-v8xr-gpvj-cx9g: http header folding 

    This adds HTTP header folding support for HTTP wrapper response
headers.

Reviewed-by: Tim Düsterhus <tim@tideways-gmbh.com>
    @bukka
    bukka committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    bf30a44 View commit details

  2. Fix GHSA-pcmh-g36c-qc44: http headers without colon 

    The header line must contain colon otherwise it is invalid and it needs
to fail.

Reviewed-by: Tim Düsterhus <tim@tideways-gmbh.com>
    @bukka
    bukka committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    455161c View commit details

  3. Fix GHSA-52jp-hrpf-2jff: http redirect location truncation 

    It converts the allocation of location to be on heap instead of stack
and errors if the location length is greater than 8086 bytes.
    @bukka
    bukka committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    ae14a0b View commit details

  4. Fix GHSA-hgf5-96fm-v528: http user header check of crlf

    @bukka
    bukka committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    fac131f View commit details

  5. Fix GHSA-p3x9-6h7p-cgfc: libxml streams wrong content-type on redirect 

    libxml streams use wrong content-type header when requesting a
redirected resource.
    @TimWolla @bukka
    TimWolla authored and bukka committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    054ea51 View commit details

  6. Use-after-free for ??= due to incorrect live-range calculation 

    Fixes GHSA-rwp7-7vc6-8477
    @iluuu1994 @bukka
    iluuu1994 authored and bukka committed Mar 5, 2025

    Partially verified

    This commit is signed with the committer’s verified signature.
    bukka’s contribution has been verified via GPG key.
    We cannot verify signatures from co-authors, and some of the co-authors attributed to this commit require their commits to be signed.
    Copy the full SHA
    17cf7ca View commit details

  7. Fix GHSA-wg4p-4hqh-c3g9

    @nielsdos
    nielsdos committed Mar 5, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    nielsdos Niels Dossche
    GPG key ID: B8A8AD166DF0E2E5
    Verified
    Learn about vigilant mode
    Copy the full SHA
    ebf5902 View commit details

Commits on Mar 7, 2025

  1. Update NEWS with entries for security fixes

    @bukka
    bukka committed Mar 7, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    bukka Jakub Zelenka
    GPG key ID: 1C0779DC5C0A9DE4
    Verified
    Learn about vigilant mode
    Copy the full SHA
    d45d9a8 View commit details

Commits on Mar 11, 2025

  1. Fix NEWS versions for posterity

    @ericmann
    ericmann committed Mar 11, 2025
    Loading
    Loading status checks…

    Verified

    This commit was signed with the committer’s verified signature.
    ericmann Eric Mann
    GPG key ID: BEC555E22A143553
    Verified
    Learn about vigilant mode
    Copy the full SHA
    c5e50bd View commit details

  2. Update versions for PHP 8.3.18

    @ericmann
    ericmann committed Mar 11, 2025
    Loading
    Loading status checks…

    Verified

    This commit was signed with the committer’s verified signature.
    ericmann Eric Mann
    GPG key ID: BEC555E22A143553
    Verified
    Learn about vigilant mode
    Copy the full SHA
    58c6519 View commit details

Commits on Mar 12, 2025

  1. Update versions for php 8.3.19

    @ericmann
    ericmann committed Mar 12, 2025

    Verified

    This commit was signed with the committer’s verified signature.
    ericmann Eric Mann
    GPG key ID: BEC555E22A143553
    Verified
    Learn about vigilant mode
    Copy the full SHA
    f44f0d6 View commit details

  2. Fix branch target in zend_jit_push_call_frame() 

    Introduced by accident in 3b4a58d.
Will request a cherry-pick.
    @nielsdos @ericmann
    nielsdos authored and ericmann committed Mar 12, 2025
    Loading
    Loading status checks…

    Verified

    This commit was signed with the committer’s verified signature.
    ericmann Eric Mann
    GPG key ID: BEC555E22A143553
    Verified
    Learn about vigilant mode
    Copy the full SHA
    fdeadcd View commit details
Showing with 1,357 additions and 219 deletions.
  1. +20 −5 NEWS
  2. +26 −0 Zend/tests/ghsa-rwp7-7vc6-8477_001.phpt
  3. +24 −0 Zend/tests/ghsa-rwp7-7vc6-8477_002.phpt
  4. +22 −0 Zend/tests/ghsa-rwp7-7vc6-8477_003.phpt
  5. +1 −1 Zend/zend.h
  6. +8 −0 Zend/zend_opcode.c
  7. +1 −1 configure.ac
  8. +60 −0 ext/dom/tests/ghsa-p3x9-6h7p-cgfc_001.phpt
  9. +60 −0 ext/dom/tests/ghsa-p3x9-6h7p-cgfc_002.phpt
  10. +60 −0 ext/dom/tests/ghsa-p3x9-6h7p-cgfc_003.phpt
  11. +43 −32 ext/libxml/libxml.c
  12. +1 −1 ext/opcache/jit/zend_jit_arm64.dasc
  13. +312 −129 ext/standard/http_fopen_wrapper.c
  14. +13 −9 ext/standard/tests/http/bug47021.phpt
  15. +1 −3 ext/standard/tests/http/bug75535.phpt
  16. +58 −0 ext/standard/tests/http/ghsa-52jp-hrpf-2jff-001.phpt
  17. +55 −0 ext/standard/tests/http/ghsa-52jp-hrpf-2jff-002.phpt
  18. +65 −0 ext/standard/tests/http/ghsa-hgf5-96fm-v528-001.phpt
  19. +62 −0 ext/standard/tests/http/ghsa-hgf5-96fm-v528-002.phpt
  20. +64 −0 ext/standard/tests/http/ghsa-hgf5-96fm-v528-003.phpt
  21. +51 −0 ext/standard/tests/http/ghsa-pcmh-g36c-qc44-001.phpt
  22. +51 −0 ext/standard/tests/http/ghsa-pcmh-g36c-qc44-002.phpt
  23. +49 −0 ext/standard/tests/http/ghsa-v8xr-gpvj-cx9g-001.phpt
  24. +51 −0 ext/standard/tests/http/ghsa-v8xr-gpvj-cx9g-002.phpt
  25. +49 −0 ext/standard/tests/http/ghsa-v8xr-gpvj-cx9g-003.phpt
  26. +48 −0 ext/standard/tests/http/ghsa-v8xr-gpvj-cx9g-004.phpt
  27. +48 −0 ext/standard/tests/http/ghsa-v8xr-gpvj-cx9g-005.phpt
  28. +0 −30 ext/standard/tests/http/http_response_header_05.phpt
  29. +42 −0 ext/xml/tests/toffset_bounds.phpt
  30. +8 −4 ext/xml/xml.c
  31. +4 −4 main/php_version.h
25 changes: 20 additions & 5 deletions NEWS
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.18
13 Mar 2025, PHP 8.3.19

- BCMath:
. Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi)
@@ -15,6 +15,8 @@ PHP NEWS
`__callStatic` is allowed). (timwolla)
. Fixed bug GH-17797 (zend_test_compile_string crash on invalid
script path). (David Carlier)
. Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown
causes Use-After-Free). (CVE-2024-11235) (ilutov)

- DOM:
. Fixed bug GH-17847 (xinclude destroys live node). (nielsdos)
@@ -34,6 +36,11 @@ PHP NEWS
. Fixed bug GH-17704 (ldap_search fails when $attributes contains a
non-packed array with numerical keys). (nielsdos, 7u83)

- LibXML:
. Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714). (nielsdos)
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header
when requesting a redirected resource). (CVE-2025-1219) (timwolla)

- MBString:
. Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
(cmb)
@@ -69,6 +76,14 @@ PHP NEWS
- Streams:
. Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
. Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit
basic auth header). (CVE-2025-1736) (Jakub Zelenka)
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location
to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers
without colon). (CVE-2025-1734) (Jakub Zelenka)
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not
handle folded headers). (CVE-2025-1217) (Jakub Zelenka)

- Windows:
. Fixed phpize for Windows 11 (24H2). (bwoebi)
@@ -157,7 +172,7 @@ PHP NEWS
. Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
(nielsdos)

02 Jan 2025, PHP 8.3.16RC1
02 Jan 2025, PHP 8.3.16

- Core:
. Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov)
@@ -356,7 +371,7 @@ PHP NEWS
- Windows:
. Fixed bug GH-16849 (Error dialog causes process to hang). (cmb)

07 Nov 2024, PHP 8.3.14RC1
07 Nov 2024, PHP 8.3.14

- CLI:
. Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
@@ -1109,7 +1124,7 @@ PHP NEWS
- Treewide:
. Fix gcc-14 Wcalloc-transposed-args warnings. (Cristian Rodríguez)

28 Mar 2024, PHP 8.3.5RC1
28 Mar 2024, PHP 8.3.5

- Core:
. Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when
@@ -1378,7 +1393,7 @@ PHP NEWS
. Fixed bug GH-12980 (tidynode.props.attribute is missing
"Boolean Attributes" and empty attributes). (nielsdos)

07 Dec 2023, PHP 8.3.1RC1
07 Dec 2023, PHP 8.3.1

- Core:
. Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within
26 changes: 26 additions & 0 deletions Zend/tests/ghsa-rwp7-7vc6-8477_001.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
--TEST--
GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
--FILE--
<?php

class Foo {
public function foo() {
return $this;
}

public function __set($name, $value) {
throw new Exception('Hello');
}
}

$foo = new Foo();

try {
$foo->foo()->baz ??= 1;
} catch (Exception $e) {
echo $e->getMessage();
}

?>
--EXPECT--
Hello
24 changes: 24 additions & 0 deletions Zend/tests/ghsa-rwp7-7vc6-8477_002.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
--TEST--
GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
--FILE--
<?php

class Foo {
public int $prop;

public function foo() {
return $this;
}
}

$foo = new Foo();

try {
$foo->foo()->prop ??= 'foo';
} catch (Error $e) {
echo $e->getMessage();
}

?>
--EXPECT--
Cannot assign string to property Foo::$prop of type int
22 changes: 22 additions & 0 deletions Zend/tests/ghsa-rwp7-7vc6-8477_003.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
--TEST--
GHSA-rwp7-7vc6-8477: Use-after-free for ??= due to incorrect live-range calculation
--FILE--
<?php

class Foo {
public int $prop;
}

function newFoo() {
return new Foo();
}

try {
newFoo()->prop ??= 'foo';
} catch (Error $e) {
echo $e->getMessage();
}

?>
--EXPECT--
Cannot assign string to property Foo::$prop of type int
2 changes: 1 addition & 1 deletion Zend/zend.h
View file
Original file line number Diff line number Diff line change
@@ -20,7 +20,7 @@
#ifndef ZEND_H
#define ZEND_H

#define ZEND_VERSION "4.3.18-dev"
#define ZEND_VERSION "4.3.19"

#define ZEND_ENGINE_3

8 changes: 8 additions & 0 deletions Zend/zend_opcode.c
View file
Original file line number Diff line number Diff line change
@@ -922,6 +922,14 @@ static void zend_calc_live_ranges(
opnum--;
opline--;

/* SEPARATE always redeclares its op1. For the purposes of live-ranges,
* its declaration is irrelevant. Don't terminate the current live-range
* to avoid breaking special handling of COPY_TMP. */
if (opline->opcode == ZEND_SEPARATE) {
ZEND_ASSERT(opline->op1.var == opline->result.var);
continue;
}

if ((opline->result_type & (IS_TMP_VAR|IS_VAR)) && !is_fake_def(opline)) {
uint32_t var_num = EX_VAR_TO_NUM(opline->result.var) - var_offset;
/* Defs without uses can occur for two reasons: Either because the result is
2 changes: 1 addition & 1 deletion configure.ac
View file
Original file line number Diff line number Diff line change
@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice.
dnl ----------------------------------------------------------------------------

AC_PREREQ([2.68])
AC_INIT([PHP],[8.3.18-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
AC_INIT([PHP],[8.3.19],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
AC_CONFIG_SRCDIR([main/php_version.h])
AC_CONFIG_AUX_DIR([build])
AC_PRESERVE_HELP_ORDER
60 changes: 60 additions & 0 deletions ext/dom/tests/ghsa-p3x9-6h7p-cgfc_001.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
--TEST--
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Basic)
--EXTENSIONS--
dom
--SKIPIF--
<?php
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
http_server_skipif();
?>
--FILE--
<?php
require "./ext/standard/tests/http/server.inc";

function genResponses($server) {
$uri = 'http://' . stream_socket_get_name($server, false);
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
$xml = <<<'EOT'
<!doctype html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
</head>
<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
EOT;
// Intentionally using non-standard casing for content-type to verify it is matched not case sensitively.
yield "data://text/plain,HTTP/1.1 200 OK\r\nconteNt-tyPe: text/html; charset=utf-8\r\n\r\n{$xml}";
}

['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
$document = new \DOMDocument();
$document->loadHTMLFile($uri);

$h1 = $document->getElementsByTagName('h1');
var_dump($h1->length);
var_dump($document->saveHTML());
http_server_kill($pid);
?>
--EXPECT--
int(1)
string(266) "<!DOCTYPE html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>

<meta charset="utf-8">
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
</head>

<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
"
60 changes: 60 additions & 0 deletions ext/dom/tests/ghsa-p3x9-6h7p-cgfc_002.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
--TEST--
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Missing content-type)
--EXTENSIONS--
dom
--SKIPIF--
<?php
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
http_server_skipif();
?>
--FILE--
<?php
require "./ext/standard/tests/http/server.inc";

function genResponses($server) {
$uri = 'http://' . stream_socket_get_name($server, false);
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
$xml = <<<'EOT'
<!doctype html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
</head>
<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
EOT;
// Missing content-type in actual response.
yield "data://text/plain,HTTP/1.1 200 OK\r\n\r\n{$xml}";
}

['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
$document = new \DOMDocument();
$document->loadHTMLFile($uri);

$h1 = $document->getElementsByTagName('h1');
var_dump($h1->length);
var_dump($document->saveHTML());
http_server_kill($pid);
?>
--EXPECT--
int(1)
string(266) "<!DOCTYPE html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>

<meta charset="utf-8">
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
</head>

<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
"
60 changes: 60 additions & 0 deletions ext/dom/tests/ghsa-p3x9-6h7p-cgfc_003.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
--TEST--
GHSA-p3x9-6h7p-cgfc: libxml streams use wrong `content-type` header when requesting a redirected resource (Reason with colon)
--EXTENSIONS--
dom
--SKIPIF--
<?php
if (@!include "./ext/standard/tests/http/server.inc") die('skip server.inc not available');
http_server_skipif();
?>
--FILE--
<?php
require "./ext/standard/tests/http/server.inc";

function genResponses($server) {
$uri = 'http://' . stream_socket_get_name($server, false);
yield "data://text/plain,HTTP/1.1 302 Moved Temporarily\r\nLocation: $uri/document.xml\r\nContent-Type: text/html;charset=utf-16\r\n\r\n";
$xml = <<<'EOT'
<!doctype html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
</head>
<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
EOT;
// Missing content-type in actual response.
yield "data://text/plain,HTTP/1.1 200 OK: This is fine\r\n\r\n{$xml}";
}

['pid' => $pid, 'uri' => $uri] = http_server('genResponses', $output);
$document = new \DOMDocument();
$document->loadHTMLFile($uri);

$h1 = $document->getElementsByTagName('h1');
var_dump($h1->length);
var_dump($document->saveHTML());
http_server_kill($pid);
?>
--EXPECT--
int(1)
string(266) "<!DOCTYPE html>
<html>
<head>
<title>GHSA-p3x9-6h7p-cgfc</title>

<meta charset="utf-8">
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
</head>

<body>
<h1>GHSA-p3x9-6h7p-cgfc</h1>
</body>
</html>
"
Loading