Apache only generates REDIRECT_STATUS, so explicitly check for that
if the server name is Apache, don't allow other variable names.
Furthermore, redirect.so and Netscape no longer exist, so
remove those entries as we can't check their server name anymore.
We now also check for the configuration override *first* such that it
always take precedence. This would allow for a mitigation path if
something like this happens in the future.
It's no use trying to work around whatever the operating system and Apache
do because we'll be fighting that until eternity.
Change the skip_getopt condition such that when we're running in
CGI or FastCGI mode we always skip the argument parsing.
This is a BC break, but this seems to be the only way to get rid of this
class of issues.
multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.
Limit boundary size, as allowed by RFC 1521:
Encapsulation boundaries [...] must be no longer than 70 characters, not
counting the two leading hyphens.
We correctly parse payloads with boundaries of length up to
FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.
libxml2 2.13 has different formatting behaviour: it outputs `<faultcode/>`
instead of `<faultcode></faultcode>`, and similarly for `env:Value`.
Normalize the output.
Closes GH-15801.
column_long and index_long might not be set, but are still used as arguments.
They are not actually used if column_str is set, but it's better to initialize
them anyway, if only to make MemorySanitizer happy.
Show the correct parameter names and numbers - the errors are caused by the
second parameter being empty or having null bytes, not the first.
close GH-15755
There is now a workaround in `system_with_timeout()` to avoid issues
with quotes and spaces in the filenames of the executable by using
`start`[1]. However, calling `start` will not propagate the process
status of the actual process. Thus, calling `proc_get_status()`
is pretty meaningless, and especially Microsoft errors cannot be
detected (typically, access violations etc.), and as such no "Termsig"
message is output.
We fix this by executing `exit` after the started command has finished.
[1] <a6d7d5234b/run-tests.php (L1157-L1162)>
Closes GH-15378.
This test only fails when `NAME_MAX` is defined, which is never the
case on Windows, so we let the test pass there. This could be extended
to other environments where `NAME_MAX` is not defined.
We're reasonably sure that appending the NUL is not an OOB write, since
the memory stream implementation uses `zend_string` APIs instead of
fiddling with the buffer.
We don't add a regression test because that would require to set up
something in the zend_test extension, and regressions are supposed
to be caught by external consumers of this API, such as mailparse.
Closes GH-15648.
There's implicit truncation casts from zend_long to int which cause
issues because checks are done against the zend_longs. Since the
iterator infrastructure uses zend_longs, just convert everything to
zend_long.
Closes GH-15669.
