Sanitize libxml2 globals before parsing

Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains par

Sanitize libxml2 globals before parsing

Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.

Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().

show more ...

Fix array overrun when appending slash to paths

Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to ap

Fix array overrun when appending slash to paths

Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to append
the slash. As the php_check_specific_open_basedir() simply uses the
strings to compare against each other, no new failures related to too
long paths are introduced.
We'll let the DOM and XML case handle a potentially too long path in the
library code.

show more ...

Fix bug #81521

The current error message is incorrect -- the problem here is not
that the property is invalid, but that these methods are unusable
prior to loading data, same as read

Fix bug #81521

The current error message is incorrect -- the problem here is not
that the property is invalid, but that these methods are unusable
prior to loading data, same as read().

show more ...

Fix #73246: XMLReader: encoding length not checked

libxml2 expects the passed encoding to be NUL terminated, so we reject
strings with NUL bytes right away.

Closes GH-6899.

Throw from XmlReader::expand() if DOM extension missing

Otherwise it is hard to uphold the arginfo contract for this
function -- we cannot simply mirror the zpp call, as the class
en

Throw from XmlReader::expand() if DOM extension missing

Otherwise it is hard to uphold the arginfo contract for this
function -- we cannot simply mirror the zpp call, as the class
entry it is based on does not exist.

show more ...

Promote warnings to exceptions in ext/xmlreader

Closes GH-6021

Remove proto comments from C files

Closes GH-5758

Fix [-Wundef] warning in XMLReader extension

Fix UNKNOWN default values in ext/xml

Generate function entries from stubs for a couple of extensions

Migrates ext/standard, ext/tidy, ext/tokenizer,
ext/xml, ext/xml_reader, and ext/xml_writer. Closes GH-5381.

Use RETURN_THROWS() during ZPP in most of the extensions

Except for some bigger ones: reflection, sodium, spl

Allow to call XMLReader::open() and ::XML() statically

The implementation of `XMLReader::open()` and `XMLReader::XML()` still
supports calling the methods statically and non-statically.

Allow to call XMLReader::open() and ::XML() statically

The implementation of `XMLReader::open()` and `XMLReader::XML()` still
supports calling the methods statically and non-statically. However,
as of PHP 8.0.0, calling these methods statically is not allowed,
because they are not declared as static methods. Since we consider it
to be cleaner to call these methods statically, but had deprecated to
call them statically, we properly support both variants.

We implement support for static and non-static calls by overloading, so
that non-static calls have access to the `$this` pointer.

show more ...

Remove mention of PHP major version in Copyright headers

Closes GH-4732.

Add ext/xmlreader stubs

Add missing zend_parse_paramters_none()

Cheaper checks for exceptions thrown from __toString()

Allow exceptions in __toString()

RFC: https://wiki.php.net/rfc/tostring_exceptions

And convert some object to string conversion related recoverable
fatal errors into Error excep

Allow exceptions in __toString()

RFC: https://wiki.php.net/rfc/tostring_exceptions

And convert some object to string conversion related recoverable
fatal errors into Error exceptions.

Improve exception safety of internal code performing string
conversions.

show more ...

Refactor zend_object_handlers API to pass zend_object* and zend_string* insted of zval(s).

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly used by Vim and Emacs editors
yet with recent changes the once working definitions don't work
anymore in Vim without custom plugins or additional configuration.
Neither are these settings synced across the PHP code base.

A simpler and better approach is EditorConfig and fixing code
using some code style fixing tools in the future instead.

This patch also removes the so called modelines for Vim. Modelines
allow Vim editor specifically to set some editor configuration such as
syntax highlighting, indentation style and tab width to be set in the
first line or the last 5 lines per file basis. Since the php test
files have syntax highlighting already set in most editors properly and
EditorConfig takes care of the indentation settings, this patch removes
these as well for the Vim 6.0 and newer versions.

With the removal of local variables for certain editors such as
Emacs and Vim, the footer is also probably not needed anymore when
creating extensions using ext_skel.php script.

Additionally, Vim modelines for setting php syntax and some editor
settings has been removed from some *.phpt files. All these are
mostly not relevant for phpt files neither work properly in the
middle of the file.

show more ...

Remove yearly range from copyright notice

Remove year range from copyright notice

Remove static calls to non-static methods

Implement typed properties

RFC: https://wiki.php.net/rfc/typed_properties_v2

This is a squash of PR #3734, which is a squash of PR #3313.

Co-authored-by: Bob Weinand <bobwe

Implement typed properties

RFC: https://wiki.php.net/rfc/typed_properties_v2

This is a squash of PR #3734, which is a squash of PR #3313.

Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Joe Watkins <krakjoe@php.net>
Co-authored-by: Dmitry Stogov <dmitry@zend.com>

show more ...

Use ZEND_THIS macro to hide implementation details in extensions code.

Eliminate useless $this related checks