| #
c283c3ab |
| 15-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Sanitize libxml2 globals before parsing
Fixes GHSA-3qrf-m4j2-pcrr.
To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains par
Sanitize libxml2 globals before parsing
Fixes GHSA-3qrf-m4j2-pcrr.
To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.
Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.
Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().
show more ...
|
| #
ec10b28d |
| 27-Jan-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix array overrun when appending slash to paths
Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to ap
Fix array overrun when appending slash to paths
Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to append
the slash. As the php_check_specific_open_basedir() simply uses the
strings to compare against each other, no new failures related to too
long paths are introduced.
We'll let the DOM and XML case handle a potentially too long path in the
library code.
show more ...
|
| #
ab92ffee |
| 09-Feb-2021 |
Nikita Popov |
Make getElementsByTagNameNS $namespace nullable
According to the DOM specification, this argument is supposed to
be nullable.
|
|
Revision tags: php-8.0.0, php-7.3.25, php-7.4.13, php-8.0.0RC5, php-7.4.13RC1, php-8.0.0RC4, php-7.3.25RC1, php-7.4.12, php-8.0.0RC3, php-7.3.24 |
|
| #
6d2bc725 |
| 23-Oct-2020 |
Christoph M. Becker |
Fix #80268: loadHTML() truncates at NUL bytes
libxml2 has no particular issues parsing HTML strings with NUL bytes;
these just cause truncation of the current text content, but parsing
Fix #80268: loadHTML() truncates at NUL bytes
libxml2 has no particular issues parsing HTML strings with NUL bytes;
these just cause truncation of the current text content, but parsing
continues generally. Since `::loadHTMLFile()` already supports NUL
bytes, `::loadHTML()` should as well.
Note that this is different from XML, which does not allow any NUL
bytes.
Closes GH-6368.
show more ...
|
|
Revision tags: php-8.0.0RC2, php-7.4.12RC1, php-7.3.24RC1, php-7.2.34, php-8.0.0rc1, php-7.4.11, php-7.3.23 |
|
| #
f3c58a5e |
| 25-Sep-2020 |
Dik Takken |
Make handling of NULL bytes in file paths more consistent (WIP)
Not all extensions consistently throw exceptions when the user passes
a path name containing null bytes. Also, some extens
Make handling of NULL bytes in file paths more consistent (WIP)
Not all extensions consistently throw exceptions when the user passes
a path name containing null bytes. Also, some extensions would throw
a ValueError while others would throw a TypeError. Error messages
also varied.
Now a ValueError is thrown after all failed path checks, at least for
as far as these occur in functions that are exposed to userland.
Closes GH-6216.
show more ...
|
| #
72e8719e |
| 23-Sep-2020 |
Máté Kocsis |
Fix a few ZEND_UNREACHABLE() calls
|
|
Revision tags: php-8.0.0beta4, php-7.4.11RC1, php-7.3.23RC1, php-8.0.0beta3, php-7.4.10, php-7.3.22, php-8.0.0beta2, php-7.3.22RC1, php-7.4.10RC1, php-8.0.0beta1, php-7.4.9, php-7.2.33, php-7.3.21, php-8.0.0alpha3, php-7.4.9RC1, php-7.3.21RC1, php-7.4.8, php-7.2.32, php-8.0.0alpha2, php-7.3.20, php-8.0.0alpha1, php-7.4.8RC1, php-7.3.20RC1, php-7.4.7, php-7.3.19, php-7.4.7RC1, php-7.3.19RC1, php-7.4.6, php-7.2.31, php-7.4.6RC1, php-7.3.18RC1 |
|
| #
8fef83dd |
| 19-Apr-2020 |
George Peter Banyard |
Promote warnings to error in DOM extension
Closes GH-5418
|
| #
d30cd7d7 |
| 26-May-2020 |
Máté Kocsis |
Review the usage of apostrophes in error messages
Closes GH-5590
|
| #
2b5de6f8 |
| 01-Jul-2020 |
Max Semenik |
Remove proto comments from C files
Closes GH-5758
|
| #
c9bc7dd1 |
| 25-Jun-2020 |
Nikita Popov |
Don't throw warning if exception thrown during dom validation
|
| #
706d4f35 |
| 06-Jun-2020 |
George Peter Banyard |
Fix invalid usage of zend_bool in DOM extension
|
| #
62b1d2cb |
| 12-May-2020 |
George Peter Banyard |
Fix [-Wundef] warning in DOM extension
|
| #
6111d64c |
| 16-Apr-2020 |
Máté Kocsis |
Improve a last couple of argument error messages
Closes GH-5404
|
|
Revision tags: php-7.2.30, php-7.4.5, php-7.3.17 |
|
| #
dfd0acf0 |
| 11-Apr-2020 |
Máté Kocsis |
Generate method entries for ext/dom
Closes GH-5374
|
|
Revision tags: php-7.4.5RC1, php-7.3.17RC1 |
|
| #
305b17e8 |
| 29-Mar-2020 |
Máté Kocsis |
Do not include the same stub multiple times
Closes GH-5322
|
|
Revision tags: php-7.3.18, php-7.4.4, php-7.2.29, php-7.3.16, php-7.4.4RC1, php-7.3.16RC1 |
|
| #
5acd86df |
| 28-Feb-2020 |
Benjamin Eberlei |
[RFC] Implement new DOM Living Standard APIs in ext/dom
|
|
Revision tags: php-7.4.3, php-7.2.28 |
|
| #
4804dc2b |
| 17-Feb-2020 |
Christoph M. Becker |
Rename php_dom_create_interator() to php_dom_create_iterator()
Thus fixing an obvious typo.
|
| #
cec8b24c |
| 13-Feb-2020 |
Christoph M. Becker |
Fix #77569: Write Acess Violation in DomImplementation
We must not assume that the zval IS_STRING.
|
|
Revision tags: php-7.3.15RC1, php-7.4.3RC1, php-7.3.15, php-7.2.27, php-7.4.2, php-7.3.14, php-7.3.14RC1, php-7.4.2RC1 |
|
| #
349a2864 |
| 01-Jan-2020 |
Máté Kocsis |
Use RETURN_THROWS() after zend_throw_error()
|
| #
2f7309b1 |
| 30-Dec-2019 |
Máté Kocsis |
Use RETURN_THROWS() during ZPP in the date, dba and dom extensions
|
|
Revision tags: php-7.4.1, php-7.2.26, php-7.3.13, php-7.4.1RC1, php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6 |
|
| #
f905a819 |
| 09-Nov-2019 |
Benjamin Eberlei |
ext/dom: Replace usages of PHP_FUNCTION and aliases with PHP_METHOD.
|
| #
4253ca48 |
| 08-Nov-2019 |
Benjamin Eberlei |
Convert ext/dom to use arginfo stub.
|
|
Revision tags: php-7.3.12RC1, php-7.2.25RC1 |
|
| #
4008704f |
| 01-Nov-2019 |
Christoph M. Becker |
zend_parse_parameters_throw() is obsolete
Since `zend_parse_parameters()` throws now, there is no reason to
explicitly call `zend_parse_parameters_throw()` anymore, and since both
ha
zend_parse_parameters_throw() is obsolete
Since `zend_parse_parameters()` throws now, there is no reason to
explicitly call `zend_parse_parameters_throw()` anymore, and since both
have actually the same implementation, we redefine the latter as macro.
show more ...
|
| #
504f7ffd |
| 29-Oct-2019 |
Nikita Popov |
Small ext/dom cleanups
|
|
Revision tags: php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1 |
|
| #
f085bddb |
| 07-Oct-2019 |
Nikita Popov |
Fix number of required arguments in arginfo
* pack() only requires one argument
* stream_context_set_option() only requires two arguments
* ReflectionMethod::getClosure() accepts no
Fix number of required arguments in arginfo
* pack() only requires one argument
* stream_context_set_option() only requires two arguments
* ReflectionMethod::getClosure() accepts no args for static methods
* DOMDocument::createProcessingInstruction() only requires one arg
* DOMImplementation::createDocument() only requires two arguments
* DOMDocument::importNode() only requires one arg
* mysql_get_client_version() doesn't accept any args,
despite what the docs say...
show more ...
|
