Make (DOM)XPath::quote only accept strings without NULL bytes (#13960)

* Make (DOM)XPath::quote only accept strings without NULL bytes The reason is that libxml will cut off on a NULL byte, and so strings containing NULL bytes may not be necessarily safe even when coming out of quoting. * Add test Co-authored-by: divinity76 <divinity76@gmail.com> --------- Co-authored-by: divinity76 <divinity76@gmail.com>
2026-03-24 00:02:20 +01:00 · 2024-04-14 21:16:07 +02:00
parent 8ce9f2e2b0
commit a136117eaa
2 changed files with 18 additions and 1 deletions
--- a/ext/dom/tests/gh13960.phpt
+++ b/ext/dom/tests/gh13960.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-13960 (NULL bytes in XPath query)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$domd = new DOMDocument();
+@$domd->loadHTML("<foo>tes\x00t</foo>");
+$xp = new DOMXPath($domd);
+try {
+    $xp->query("//foo[contains(text(), " . $xp->quote("tes\x00t") . ")]");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+DOMXPath::quote(): Argument #1 ($str) must not contain any null bytes
--- a/ext/dom/xpath.c
+++ b/ext/dom/xpath.c
@@ -473,7 +473,7 @@ PHP_METHOD(DOMXPath, registerPhpFunctionNS)
 PHP_METHOD(DOMXPath, quote) {
 	const char *input;
 	size_t input_len;
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &input, &input_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &input, &input_len) == FAILURE) {
 		RETURN_THROWS();
 	}
 	if (memchr(input, '\'', input_len) == NULL) {