History log of /PHP-8.1/main/main.c (Results 1 – 25 of 1233)
Revision Date Author Comments
# daa38dd6 20-Nov-2023 Ilija Tovilo

Fix in-place modification of filename in php_message_handler_for_zend

php_strip_url_passwd modifies url in-place. We cannot assume from
php_message_handler_for_zend that data is a temporary, modifiable string.

Fixes oss-fuzz #64209
Closes GH-12733


# 51faf04d 15-Mar-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c

The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers.
It's possible that the thread disappears without us knowing, and then another thread
gets spawned some time later with the same ID as the disappeared thread.
Note that since it's a new thread the TSRM key pointer and cached pointer will be NULL.

The Apache request handler `php_handler()` will try to fetch some fields from the SAPI globals.
It uses a lazy thread resource allocation by calling `ts_resource(0);`.
This allocates a thread resource and sets up the TSRM pointers if they haven't been set up yet.

At least, that's what's supposed to happen. But since we are in a situation where the thread ID
still has the resources of the *old* thread associated in the hashtable,
the loop in `ts_resource_ex` will find that thread resource and assume the thread has been set up
already. But this is not the case since this thread is actually a new thread, just reusing the ID
of the old one, without any relation whatsoever to the old thread.
Because of this assumption, the TSRM pointers will not be set up, leading to a
NULL pointer dereference when trying to access the SAPI globals.

We can easily detect this scenario: if we're in the fallback path, and the pointer is NULL,
and we're looking for our own thread resource, we know we're actually reusing a thread ID.
In that case, we'll free up the old thread resources gracefully (gracefully because
there might still be resources open like database connections which need to be
shut down cleanly). After freeing the resources, we'll create the new resources for
this thread as if the stale resources never existed in the first place.
From that point forward, it is as if that situation never occurred.
The fact that this situation happens isn't that bad because a child process containing
threads will eventually be respawned anyway by the SAPI, so the stale thread resources
won't remain forever.

Note that we can't simply assign our own TSRM pointers to the existing
thread resource for our ID, since it was actually from a different thread
(just with the same ID!). Furthermore, the dynamically loaded extensions
have their own pointer, which is only set when their constructor is
called, so we'd have to call their constructor anyway...
I also tried to call the dtor and then the ctor again for those resources
on the pre-existing thread resource to reuse storage, but that didn't work properly
because other code doesn't expect something like that to happen, which breaks assumptions,
and this in turn caused Valgrind to (rightfully) complain about memory bugs.

Note 2: I also had to fix a bug in the core globals destruction because it
always assumed that the thread destroying them was the owning thread,
which on TSRM shutdown isn't always the case. A similar bug was fixed
recently with the JIT globals.

Closes GH-10863.


# 716de0cf 19-Jan-2023 Jakub Zelenka

Introduce max_multipart_body_parts INI

This fixes the GHSA-54hq-v5wp-fqgv DoS vulnerability by limiting the number of
parsed multipart body parts, as currently all parts were always parsed.


# 3503b1da 26-Jun-2022 Jakub Zelenka

Fix bug #77780: "Headers already sent" when previous connection was aborted

This change primarily splits SAPI deactivation to module and destroy
parts. The reason is that currently some SAPIs might bail out
on deactivation. One of those SAPIs is PHP-FPM, which can bail out on
request end if, for example, the connection is closed by the client
(web server). The problem is that in such a case the resources are not
freed and some values are not reset. The most visible impact can come from not
resetting PG(headers_sent), which can cause errors in the next
request. One such issue is described in bug #77780, which this fixes
and which is also covered by a test in this commit. It seems reasonable
to separate deactivation and destroying of the resource, which means
that the bail out will not impact it.


# 77e954af 05-Jul-2022 Christoph M. Becker

Fix GH-8923: error_log on Windows can hold the file write lock

On Windows, closing a file which is locked may not immediately remove
the lock. The `LockFileEx()` documentation states:

| Therefore, it is recommended that your process explicitly unlock all
| files it has locked when it terminates.

We comply, and also use the macro `LOCK_EX` instead of the magic number
`2`.

Closes GH-8925.


# efc8f0eb 17-Jun-2022 Arnaud Le Blanc

Deprecate zend_atol() / add zend_ini_parse_quantity() (#7951)

Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()

zend_atol() and zend_atoi() don't just do number parsing.
They also check for a 'K', 'M', or 'G' at the end of the string,
and multiply the parsed value out accordingly.

Unfortunately, they ignore any other non-numerics between the
numeric component and the last character in the string.
This means that numbers such as the following are both valid
and non-intuitive in their final output.

* "123KMG" is interpreted as "123G" -> 132070244352
* "123G " is interpreted as "123 " -> 123
* "123GB" is interpreted as "123B" -> 123
* "123 I like tacos." is also interpreted as "123." -> 123

Currently, in php-src these functions are used only for parsing ini values.

In this change we deprecate zend_atol(), zend_atoi(), and introduce a new
function with the same behavior, but with the ability to report invalid inputs
to the caller. The function's name also makes the behavior less unexpected:
zend_ini_parse_quantity().

Co-authored-by: Sara Golemon <pollita@php.net>


Revision tags: php-8.1.7RC1
# 5ba6ecd5 24-May-2022 George Peter Banyard

Minor refactoring of main/main.c and TSRM (#8608)


# 265c88b9 22-May-2022 George Peter Banyard

Don't initialise pointers to zend_stat_t


# 2ecd46f4 22-May-2022 George Peter Banyard

Initialise zend_stat_t to fix MSAN build


# b5db594f 27-Apr-2022 George Peter Banyard

Refactor php_module_startup() (#8303)

It only ever uses at most 1 additional module


# 93a44f8c 15-Jun-2022 Heiko Weber

Fix potential use after free in php_binary_init()

Closes GH-8791.


# f07a08df 06-May-2022 Arnaud Le Blanc

Fix unregistering ini entries of dynamically loaded extension (#8435)

Fixes GH-8185


# 1bd9890b 06-Apr-2022 Christoph M. Becker

Fix GH-8310: Registry settings are no longer recognized

`zend_file_handle->filename` is a `zend_string*` pointer now, so we
must not cast to `char*` but rather pass the underlying `char*`.

Closes GH-8313.


Revision tags: php-8.1.4RC1, php-8.1.3
# e6cf5831 12-Feb-2022 Bob Weinand

Fix GH-8082: Prevent leaking memory on observed transient run_time_caches

This is achieved by tracking the observers on the run_time_cache (with a fixed amount of slots, 2 for each observer).
That way round, if the run_time_cache is freed all associated observer data is as well.

This approach has been chosen, as to avoid any ABI or API breakage.
Future versions may for example choose to provide a hookable API for run_time_cache freeing or similar.


Revision tags: php-8.1.2RC1, php-8.1.0, php-7.3.33
# 26e42446 09-Nov-2021 Nikita Popov

Fix bug #81598: Use C.UTF-8 as LC_CTYPE locale by default

Unfortunately, libedit is locale based and does not accept UTF-8
input when the C locale is used. This patch switches the default
locale to C.UTF-8 instead (if it is available). This makes libedit
work and I believe it shouldn't affect behavior of single-byte
locale-dependent functions that PHP otherwise uses.

Closes GH-7635.


# 4c171ed5 04-Nov-2021 Nikita Popov

Fix bug #81591: ignore_repeated_errors broken

We should suppress the error if the message is the same, not if
it's different. Apparently we had no test coverage for these
options.


Revision tags: php-7.3.32
# 36576936 12-Oct-2021 Christoph M. Becker

Fix #81518: Header injection via default_mimetype / default_charset

We forbid setting these INI options to values containing NUL bytes, CR
or LF.

Closes GH-7574.


# c96be7b8 24-Sep-2021 Tim Starling

Use ASCII lower case for misc case folding

Use ASCII case conversion instead of locale-dependent case conversion in
the following places:

* grapheme_stripos() and grapheme_strripos() in the "fast" path
* ldap_get_entries()
* oci_pconnect() for case folding of parameters when constructing a key
into the connection or session pool
* SoapClient: case folding of function names
* get_meta_tags(): case conversion of property names
* http stream wrapper: header names
* phpinfo(): anchor names
* php_verror(): docref URLs
* rfc1867.c: Content-Type boundary parameter name
* streams.c: stream protocol names

Using locale-dependent case folding for these cases is either
unnecessary or actively incorrect. These functions could have
misbehaved when used with certain locales (e.g. Turkish).

Closes GH-7511.


Revision tags: php-7.3.31, php-7.3.30
# 1da5df80 21-Jul-2021 Nikita Popov

Don't enable rc_debug mode if module startup fails


# efbb2198 12-Jul-2021 Nikita Popov

Return value from ZEND_ATOL

Instead of assigning it as part of the macro itself, which makes
usage quite awkward.


Revision tags: php-7.3.29, php-7.3.28
# 98a21d1d 12-Feb-2021 Calvin Buckley

Fix bug #80728: Don't reset the timeout on ini deactivate

When the time limit for a script is changed, when the script ends,
its INI value will be reset. This calls the event handler for the
timeout change, which will unset then reset the timeout. However,
this is done even if the script is done executing, and say, the CGI
or CLI web server process is idle.

This is probably incorrect, but isn't a problem on most platforms,
because PHP uses a timer that only ticks when the process is active
(that is, executing code). Since when it's idle, it's blocking on
listen/read, it won't tick because nothing executes. However, on
platforms where only the real-time timer is supported, (Cygwin/PASE)
it ticks regardless of if PHP is even executing. This means that the
idle processes are subject to timeouts from the INI reset on script
end.

This makes it so the timer is never set if the state is deactivating.
Testing with the CLI web server indicates the timer no longer
spuriously activates under PASE.

Closes GH-6683.


# aff36587 29-Jun-2021 Patrick Allaert

Fixed some spaces used instead of tabs


# d8165c25 08-Jun-2021 Nikita Popov

Fixed bug #81104

When the memory limit is restored during shutdown, we may still
be using a lot of memory. Ignore the failure at that point and
set it again after the MM is shut down, at which point memory
usage should be at its lowest point.


# e9b00515 31-May-2021 Nikita Popov

Fix output buffer discard on memory limit

Move this code directly into the error handler, and check the
heap->overflow flag. Discarding output here allows us to print
the normal memory limit message to standard output. Otherwise
nothing would be printed unless a different log medium was used,
which makes for a suboptimal debugging experience.


# 1aafed5e 31-May-2021 Nikita Popov

Remove zend_set_memory_limit_ex() API

This was added temporarily for the PHP-8.0 branch to avoid an
ABI break.

