Merge remote-tracking branch 'upstream/master' into feat/clang-windows-tailcall

Author: henderkes

NEWS

@@ -170,6 +170,8 @@ PHP                                                                        NEWS
     argument value is passed. (Girgias)
   . linkinfo() now raises a ValueError when the argument is an empty string.
     (Weilin Du)
+  . getenv() and putenv() now raises a ValueError when the first argument
+    contains null bytes. (Weilin Du)
 
 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream

UPGRADING

@@ -88,6 +88,8 @@ PHP 8.6 UPGRADE NOTES
     argument value is passed.
   . array_change_key_case() now raises a ValueError when an invalid $case
     argument value is passed.
+  . getenv() and putenv() now raises a ValueError when the first argument
+    contains null bytes.
   . linkinfo() now raises a ValueError when the $path argument is empty.
   . pathinfo() now raises a ValueError when an invalid $flag
     argument value is passed.

ext/session/mod_user.c

@@ -214,6 +214,7 @@ PS_GC_FUNC(user)
 		/* Anything else is some kind of error */
 		*nrdels = -1; // Error
 	}
+	zval_ptr_dtor(&retval);
 	return *nrdels;
 }
 

ext/session/tests/user_session_module/gh_gc_retval_leak.phpt

@@ -0,0 +1,33 @@
+--TEST--
+session_gc(): user handler returning non-bool/non-int does not leak memory
+--INI--
+session.gc_probability=0
+session.save_handler=files
+--EXTENSIONS--
+session
+--FILE--
+<?php
+ob_start();
+
+// Procedural API has no return type enforcement, so gc can return a string
+// (reference-counted), which PS_GC_FUNC(user) previously did not free.
+session_set_save_handler(
+    function(string $path, string $name) { return true; },
+    function() { return true; },
+    function(string $id): string|false { return ""; },
+    function(string $id, string $data) { return true; },
+    function(string $id) { return true; },
+    function(int $max) { return str_repeat("x", random_int(100, 100)); }
+);
+
+session_start();
+$result = session_gc();
+var_dump($result);
+session_write_close();
+
+ob_end_flush();
+?>
+--EXPECTF--
+
+Deprecated: session_set_save_handler(): Providing individual callbacks instead of an object implementing SessionHandlerInterface is deprecated in %s on line %d
+bool(false)

ext/standard/basic_functions.c

@@ -696,7 +696,7 @@ PHP_FUNCTION(getenv)
 
 	ZEND_PARSE_PARAMETERS_START(0, 2)
 		Z_PARAM_OPTIONAL
-		Z_PARAM_STRING_OR_NULL(str, str_len)
+		Z_PARAM_PATH_OR_NULL(str, str_len)
 		Z_PARAM_BOOL(local_only)
 	ZEND_PARSE_PARAMETERS_END();
 
@@ -739,7 +739,7 @@ PHP_FUNCTION(putenv)
 #endif
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(setting, setting_len)
+		Z_PARAM_PATH(setting, setting_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (setting_len == 0 || setting[0] == '=') {

ext/standard/tests/general_functions/putenv_and_getenv_reject_null_bytes.phpt

@@ -0,0 +1,35 @@
+--TEST--
+getenv() and putenv() reject null bytes
+--FILE--
+<?php
+
+foreach ([false, true] as $local_only) {
+    try {
+        getenv("PHP_GETENV_NUL_TEST\0SUFFIX", $local_only);
+    } catch (ValueError $exception) {
+        echo $exception->getMessage() . "\n";
+    }
+}
+
+$var_name = 'PHP_PUTENV_NUL_TEST';
+
+foreach ([
+    $var_name . "\0SUFFIX=value",
+    $var_name . "=va\0lue",
+] as $assignment) {
+    try {
+        putenv($assignment);
+    } catch (ValueError $exception) {
+        echo $exception->getMessage() . "\n";
+    }
+}
+
+var_dump(getenv($var_name));
+
+?>
+--EXPECT--
+getenv(): Argument #1 ($name) must not contain any null bytes
+getenv(): Argument #1 ($name) must not contain any null bytes
+putenv(): Argument #1 ($assignment) must not contain any null bytes
+putenv(): Argument #1 ($assignment) must not contain any null bytes
+bool(false)