Patch for php-7.2.1

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.2.1
 
+- SOAP:
+  . Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702) (cmb, Stas)
+
 
 - Core:
   . Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26). (Laruence)
@@ -1572,6 +1575,10 @@ PHP                                                                        NEWS
   . Fixed invalid handle error with Implicit Result Sets. (Chris Jones)
   . Fixed bug #72524 (Binding null values triggers ORA-24816 error). (Chris Jones)
 
+- IMAP:
+  . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
+    mailbox parameter). (Stas)
+
 - ODBC:
   . Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
     (Anatol)
@@ -1745,6 +1752,10 @@ PHP                                                                        NEWS
   . Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
     unserialize()). (Stas)
 
+- Phar:
+  . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
+    (Stas)
+
 - Soap:
   . Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP 
     headers). (duncan3dc)

UPGRADING

@@ -99,6 +99,13 @@ PHP 7.2 UPGRADE NOTES
     from PHP 7.1 on 64-bit machines. This change was necessary to resolve a
     modulo bias bug in the implementation.
 
+- IMAP:
+  Starting with 7.2.13, rsh/ssh logins are disabled by default. Use
+  imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
+  library does not filter mailbox names before passing them to rsh/ssh
+  command, thus passing untrusted data to this function with rsh/ssh enabled
+  is insecure.
+
 ========================================
 2. New Features
 ========================================

ext/bcmath/libbcmath/src/str2num.c

@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
   zero_int = FALSE;
   if ( (*ptr == '+') || (*ptr == '-'))  ptr++;  /* Sign */
   while (*ptr == '0') ptr++;			/* Skip leading zeros. */
-  while (isdigit((int)*ptr)) ptr++, digits++;	/* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, digits++;	/* digits */
   if (*ptr == '.') ptr++;			/* decimal point */
-  while (isdigit((int)*ptr)) ptr++, strscale++;	/* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++;	/* digits */
   if ((*ptr != '\0') || (digits+strscale == 0))
     {
       *num = bc_copy_num (BCG(_zero_));

ext/bcmath/tests/bug78878.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0

ext/dom/domimplementation.c

@@ -114,6 +114,11 @@ PHP_METHOD(domimplementation, createDocumentType)
 		pch2 = (xmlChar *) systemid;
 	}
 
+	if (strstr(name, "%00")) {
+		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+		RETURN_FALSE;
+	}
+
 	uri = xmlParseURI(name);
 	if (uri != NULL && uri->opaque != NULL) {
 		localname = xmlStrdup((xmlChar *) uri->opaque);

ext/dom/domimplementation.c.orig

@@ -0,0 +1,274 @@
+/*
+   +----------------------------------------------------------------------+
+   | PHP Version 7                                                        |
+   +----------------------------------------------------------------------+
+   | Copyright (c) 1997-2017 The PHP Group                                |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 3.01 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available through the world-wide-web at the following url:           |
+   | http://www.php.net/license/3_01.txt                                  |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Authors: Christian Stocker <chregu@php.net>                          |
+   |          Rob Richards <rrichards@php.net>                            |
+   +----------------------------------------------------------------------+
+*/
+
+/* $Id$ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "php.h"
+#if HAVE_LIBXML && HAVE_DOM
+#include "php_dom.h"
+
+/* {{{ arginfo */
+ZEND_BEGIN_ARG_INFO_EX(arginfo_dom_implementation_get_feature, 0, 0, 2)
+	ZEND_ARG_INFO(0, feature)
+	ZEND_ARG_INFO(0, version)
+ZEND_END_ARG_INFO();
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_dom_implementation_has_feature, 0, 0, 0)
+ZEND_END_ARG_INFO();
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_dom_implementation_create_documenttype, 0, 0, 3)
+	ZEND_ARG_INFO(0, qualifiedName)
+	ZEND_ARG_INFO(0, publicId)
+	ZEND_ARG_INFO(0, systemId)
+ZEND_END_ARG_INFO();
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_dom_implementation_create_document, 0, 0, 3)
+	ZEND_ARG_INFO(0, namespaceURI)
+	ZEND_ARG_INFO(0, qualifiedName)
+	ZEND_ARG_OBJ_INFO(0, docType, DOMDocumentType, 0)
+ZEND_END_ARG_INFO();
+/* }}} */
+
+/*
+* class DOMImplementation
+*
+* URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#ID-102161490
+* Since:
+*/
+
+const zend_function_entry php_dom_domimplementation_class_functions[] = {
+	PHP_ME(domimplementation, getFeature, arginfo_dom_implementation_get_feature, ZEND_ACC_PUBLIC|ZEND_ACC_ALLOW_STATIC)
+	PHP_ME(domimplementation, hasFeature, arginfo_dom_implementation_has_feature, ZEND_ACC_PUBLIC|ZEND_ACC_ALLOW_STATIC)
+	PHP_ME(domimplementation, createDocumentType, arginfo_dom_implementation_create_documenttype, ZEND_ACC_PUBLIC|ZEND_ACC_ALLOW_STATIC)
+	PHP_ME(domimplementation, createDocument, arginfo_dom_implementation_create_document, ZEND_ACC_PUBLIC|ZEND_ACC_ALLOW_STATIC)
+	PHP_FE_END
+};
+
+/* {{{ proto boolean dom_domimplementation_has_feature(string feature, string version);
+URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#ID-5CED94D7
+Since:
+*/
+PHP_METHOD(domimplementation, hasFeature)
+{
+	size_t feature_len, version_len;
+	char *feature, *version;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &feature, &feature_len, &version, &version_len) == FAILURE) {
+		return;
+	}
+
+	if (dom_has_feature(feature, version)) {
+		RETURN_TRUE;
+	} else {
+		RETURN_FALSE;
+	}
+}
+/* }}} end dom_domimplementation_has_feature */
+
+/* {{{ proto DOMDocumentType dom_domimplementation_create_document_type(string qualifiedName, string publicId, string systemId);
+URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#Level-2-Core-DOM-createDocType
+Since: DOM Level 2
+*/
+PHP_METHOD(domimplementation, createDocumentType)
+{
+	xmlDtd *doctype;
+	int ret;
+	size_t name_len = 0, publicid_len = 0, systemid_len = 0;
+	char *name = NULL, *publicid = NULL, *systemid = NULL;
+	xmlChar *pch1 = NULL, *pch2 = NULL, *localname = NULL;
+	xmlURIPtr uri;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|sss", &name, &name_len, &publicid, &publicid_len, &systemid, &systemid_len) == FAILURE) {
+		return;
+	}
+
+	if (name_len == 0) {
+		php_error_docref(NULL, E_WARNING, "qualifiedName is required");
+		RETURN_FALSE;
+	}
+
+	if (publicid_len > 0) {
+		pch1 = (xmlChar *) publicid;
+	}
+	if (systemid_len > 0) {
+		pch2 = (xmlChar *) systemid;
+	}
+
+	uri = xmlParseURI(name);
+	if (uri != NULL && uri->opaque != NULL) {
+		localname = xmlStrdup((xmlChar *) uri->opaque);
+		if (xmlStrchr(localname, (xmlChar) ':') != NULL) {
+			php_dom_throw_error(NAMESPACE_ERR, 1);
+			xmlFreeURI(uri);
+			xmlFree(localname);
+			RETURN_FALSE;
+		}
+	} else {
+		localname = xmlStrdup((xmlChar *) name);
+	}
+
+	/* TODO: Test that localname has no invalid chars
+	php_dom_throw_error(INVALID_CHARACTER_ERR,);
+	*/
+
+	if (uri) {
+		xmlFreeURI(uri);
+	}
+
+	doctype = xmlCreateIntSubset(NULL, localname, pch1, pch2);
+	xmlFree(localname);
+
+	if (doctype == NULL) {
+		php_error_docref(NULL, E_WARNING, "Unable to create DocumentType");
+		RETURN_FALSE;
+	}
+
+	DOM_RET_OBJ((xmlNodePtr) doctype, &ret, NULL);
+}
+/* }}} end dom_domimplementation_create_document_type */
+
+/* {{{ proto DOMDocument dom_domimplementation_create_document(string namespaceURI, string qualifiedName, DOMDocumentType doctype);
+URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#Level-2-Core-DOM-createDocument
+Since: DOM Level 2
+*/
+PHP_METHOD(domimplementation, createDocument)
+{
+	zval *node = NULL;
+	xmlDoc *docp;
+	xmlNode *nodep;
+	xmlDtdPtr doctype = NULL;
+	xmlNsPtr nsptr = NULL;
+	int ret, errorcode = 0;
+	size_t uri_len = 0, name_len = 0;
+	char *uri = NULL, *name = NULL;
+	char *prefix = NULL, *localname = NULL;
+	dom_object *doctobj;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|ssO", &uri, &uri_len, &name, &name_len, &node, dom_documenttype_class_entry) == FAILURE) {
+		return;
+	}
+
+	if (node != NULL) {
+		DOM_GET_OBJ(doctype, node, xmlDtdPtr, doctobj);
+		if (doctype->type == XML_DOCUMENT_TYPE_NODE) {
+			php_error_docref(NULL, E_WARNING, "Invalid DocumentType object");
+			RETURN_FALSE;
+		}
+		if (doctype->doc != NULL) {
+			php_dom_throw_error(WRONG_DOCUMENT_ERR, 1);
+			RETURN_FALSE;
+		}
+	} else {
+		doctobj = NULL;
+	}
+
+	if (name_len > 0) {
+		errorcode = dom_check_qname(name, &localname, &prefix, 1, name_len);
+		if (errorcode == 0 && uri_len > 0
+			&& ((nsptr = xmlNewNs(NULL, (xmlChar *) uri, (xmlChar *) prefix)) == NULL)
+		) {
+			errorcode = NAMESPACE_ERR;
+		}
+	}
+
+	if (prefix != NULL) {
+		xmlFree(prefix);
+	}
+
+	if (errorcode != 0) {
+		if (localname != NULL) {
+			xmlFree(localname);
+		}
+		php_dom_throw_error(errorcode, 1);
+		RETURN_FALSE;
+	}
+
+	/* currently letting libxml2 set the version string */
+	docp = xmlNewDoc(NULL);
+	if (!docp) {
+		if (localname != NULL) {
+			xmlFree(localname);
+		}
+		RETURN_FALSE;
+	}
+
+	if (doctype != NULL) {
+		docp->intSubset = doctype;
+		doctype->parent = docp;
+		doctype->doc = docp;
+		docp->children = (xmlNodePtr) doctype;
+		docp->last = (xmlNodePtr) doctype;
+	}
+
+	if (localname != NULL) {
+		nodep = xmlNewDocNode(docp, nsptr, (xmlChar *) localname, NULL);
+		if (!nodep) {
+			if (doctype != NULL) {
+				docp->intSubset = NULL;
+				doctype->parent = NULL;
+				doctype->doc = NULL;
+				docp->children = NULL;
+				docp->last = NULL;
+			}
+			xmlFreeDoc(docp);
+			xmlFree(localname);
+			/* Need some type of error here */
+			php_error_docref(NULL, E_WARNING, "Unexpected Error");
+			RETURN_FALSE;
+		}
+
+		nodep->nsDef = nsptr;
+
+		xmlDocSetRootElement(docp, nodep);
+		xmlFree(localname);
+	}
+
+	DOM_RET_OBJ((xmlNodePtr) docp, &ret, NULL);
+
+	if (doctobj != NULL) {
+		doctobj->document = ((dom_object *)((php_libxml_node_ptr *)docp->_private)->_private)->document;
+		php_libxml_increment_doc_ref((php_libxml_node_object *)doctobj, docp);
+	}
+}
+/* }}} end dom_domimplementation_create_document */
+
+/* {{{ proto DOMNode dom_domimplementation_get_feature(string feature, string version);
+URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#DOMImplementation3-getFeature
+Since: DOM Level 3
+*/
+PHP_METHOD(domimplementation, getFeature)
+{
+ DOM_NOT_IMPLEMENTED();
+}
+/* }}} end dom_domimplementation_get_feature */
+
+#endif
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: noet sw=4 ts=4 fdm=marker
+ * vim<600: noet sw=4 ts=4
+ */

ext/dom/tests/bug79971_2.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Bug #79971 (special character is breaking the path in xml function)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$imp = new DOMImplementation;
+if (PHP_OS_FAMILY === 'Windows') {
+    $path = '/' . str_replace('\\', '/', __DIR__);
+} else {
+    $path = __DIR__;
+}
+$uri = "file://$path/bug79971_2.xml";
+var_dump($imp->createDocumentType("$uri%00foo"));
+?>
+--EXPECTF--
+Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
+bool(false)