Merge branch 'php:master' into master

Author: edorian

.github/actions/setup-windows/action.yml

@@ -16,5 +16,6 @@ runs:
     - name: Setup PostgreSQL
       shell: pwsh
       run: |
-        Set-Service -Name "postgresql-x64-14" -StartupType manual -Status Running
+        $postgresService = if ($env:PHP_BUILD_CRT -eq "vs18") { "postgresql-x64-17" } else { "postgresql-x64-14" }
+        Set-Service -Name $postgresService -StartupType manual -Status Running
         pwsh -Command { $env:PGPASSWORD="root"; & "$env:PGBIN\psql" -U postgres -c "ALTER USER postgres WITH PASSWORD 'Password12!';" }

.github/matrix.php

@@ -153,9 +153,11 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
             }
         }
         $jobs['WINDOWS']['matrix'] = ['include' => $matrix];
-        $jobs['WINDOWS']['config'] = version_compare($php_version, '8.4', '>=')
-            ? ['vs_crt_version' => 'vs17']
-            : ['vs_crt_version' => 'vs16'];
+        $jobs['WINDOWS']['config'] = match (true) {
+            version_compare($php_version, '8.6', '>=') => ['vs_crt_version' => 'vs18', 'runs_on' => 'windows-2025-vs2026'],
+            version_compare($php_version, '8.4', '>=') => ['vs_crt_version' => 'vs17', 'runs_on' => 'windows-2022'],
+            default => ['vs_crt_version' => 'vs16', 'runs_on' => 'windows-2022'],
+        };
     }
     if ($all_jobs || !$no_jobs || $test_freebsd) {
         $jobs['FREEBSD']['matrix'] = $all_variations && version_compare($php_version, '8.3', '>=')

.github/scripts/windows/find-vs-toolset.bat

@@ -3,14 +3,15 @@
 setlocal enabledelayedexpansion
 
 if "%~1"=="" (
-  echo ERROR: Usage: %~nx0 [vc14^|vc15^|vs16^|vs17]
+  echo ERROR: Usage: %~nx0 [vc14^|vc15^|vs16^|vs17^|vs18]
   exit /b 1
 )
 
 set "toolsets_vc14=14.0"
 set "toolsets_vc15="
 set "toolsets_vs16="
 set "toolsets_vs17="
+set "toolsets_vs18="
 
 
 for /f "usebackq tokens=*" %%I in (`vswhere.exe -latest -find "VC\Tools\MSVC"`) do set "MSVCDIR=%%I"
@@ -30,8 +31,10 @@ for /f "delims=" %%D in ('dir /b /ad "%MSVCDIR%"') do (
         set "toolsets_vc15=%%D"
       ) else if !min! LEQ 29 (
         set "toolsets_vs16=%%D"
-      ) else (
+      ) else if !min! LEQ 49 (
         set "toolsets_vs17=%%D"
+      ) else (
+        set "toolsets_vs18=%%D"
       )
     )
   )

.github/workflows/test-suite.yml

@@ -941,12 +941,12 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(inputs.branch).jobs.WINDOWS.matrix }}
     name: "WINDOWS_${{ matrix.x64 && 'X64' || 'X86' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}${{ matrix.asan && '_ASAN' || ''}}${{ matrix.clang && '_CLANG' || ''}}"
-    runs-on: windows-2022
+    runs-on: ${{ fromJson(inputs.branch).jobs.WINDOWS.config.runs_on }}
     env:
       PHP_BUILD_CACHE_BASE_DIR: C:\build-cache
       PHP_BUILD_OBJ_DIR: C:\obj
       PHP_BUILD_CACHE_SDK_DIR: C:\build-cache\sdk
-      PHP_BUILD_SDK_BRANCH: php-sdk-2.5.0
+      PHP_BUILD_SDK_BRANCH: php-sdk-2.7.1
       PHP_BUILD_CRT: ${{ fromJson(inputs.branch).jobs.WINDOWS.config.vs_crt_version }}
       PLATFORM: ${{ matrix.x64 && 'x64' || 'x86' }}
       THREAD_SAFE: "${{ matrix.zts && '1' || '0' }}"

SECURITY.md

@@ -11,6 +11,29 @@ Vulnerability reports remain private until published. When published, you will
 be credited as a contributor, and your contribution will reflect the MITRE
 Credit System.
 
+# Classification
+
+Issues commonly reported that are _not_ considered security issues include (but
+are not limited to):
+
+- Invocation of specially crafted, malicious code intended to cause memory
+  violations. This commonly includes malicious error handlers, destructors or
+  `__toString()` functions. PHP does not offer sandboxing, and the execution of
+  untrusted code is always considered unsafe. Such issues are bugs, but not
+  security issues. They may still be reported, though please avoid reporting
+  the known issues.
+
+- Passing malicious arguments to functions clearly not intended to receive
+  unsanitized values, e.g. `mysqli_query()`. `escapeshellarg()` on the other
+  hand should clearly be hardened against unsafe inputs.
+
+- The use of legacy APIs or settings known to be insecure, particularly those
+  documented as such, or those with a secure alternative.
+
+- The use of FFI.
+
+- `open_basedir` or `disable_functions` bypasses.
+
 # Vulnerability Policy
 
 Our full policy is described at

Zend/Optimizer/zend_optimizer.c

@@ -943,7 +943,7 @@ zend_function *zend_optimizer_get_called_func(
 				if (ce) {
 					zend_string *func_name = Z_STR_P(CRT_CONSTANT(opline->op2) + 1);
 					zend_function *fbc = zend_hash_find_ptr(&ce->function_table, func_name);
-					if (fbc) {
+					if (fbc && !(fbc->common.fn_flags & ZEND_ACC_ABSTRACT)) {
 						bool is_public = (fbc->common.fn_flags & ZEND_ACC_PUBLIC) != 0;
 						bool same_scope = fbc->common.scope == op_array->scope;
 						if (is_public || same_scope) {

Zend/zend_vm.h

@@ -40,7 +40,7 @@ void zend_vm_init(void);
 void zend_vm_dtor(void);
 
 #if ZEND_VM_KIND == ZEND_VM_KIND_TAILCALL
-const struct _zend_op *zend_vm_handle_interrupt(struct _zend_execute_data *execute_data, const struct _zend_op *opline);
+const struct _zend_op *ZEND_FASTCALL zend_vm_handle_interrupt(struct _zend_execute_data *execute_data, const struct _zend_op *opline);
 #endif
 
 END_EXTERN_C()

ext/com_dotnet/tests/variants.phpt

@@ -43,7 +43,7 @@ foreach ($values as $t => $val) {
 
 echo "OK!";
 ?>
---EXPECT--
+--EXPECTF--
 --
 add: 84
 cat: 4242
@@ -142,8 +142,8 @@ mul: 0
 and: 0
 div:
 	variant_div(42, )
-	exception Division by zero
-	code 80020012
+	exception %s
+	code 800200%x
 
 eqv: -43
 idiv:
@@ -258,8 +258,8 @@ mul: 0
 and: 0
 div:
 	variant_div(3.5, )
-	exception Division by zero
-	code 80020012
+	exception %s
+	code 800200%x
 
 eqv: -5
 idiv:

ext/curl/config.w32

@@ -12,11 +12,18 @@ if (PHP_CURL != "no") {
 		SETUP_ZLIB_LIB("curl", PHP_CURL) &&
 		(CHECK_LIB("normaliz.lib", "curl", PHP_CURL) &&
 		 CHECK_LIB("libssh2.lib", "curl", PHP_CURL) &&
-		 CHECK_LIB("nghttp2.lib", "curl", PHP_CURL) &&
-		 CHECK_LIB("brotlidec.lib", "curl", PHP_CURL) &&
-		 CHECK_LIB("brotlicommon.lib", "curl", PHP_CURL) &&
-		 CHECK_LIB("libzstd.lib", "curl", PHP_CURL))
+		 CHECK_LIB("nghttp2.lib", "curl", PHP_CURL))
 		) {
+		if (!(CHECK_HEADER_ADD_INCLUDE("brotli/decode.h", "CFLAGS_CURL") &&
+			CHECK_LIB("brotlidec.lib;brotlidec-static.lib", "curl", PHP_CURL) &&
+			CHECK_LIB("brotlicommon.lib;brotlicommon-static.lib", "curl", PHP_CURL)
+		)) {
+			WARNING("brotli in curl not enabled; libraries or headers not found");
+		}
+		if (!(CHECK_LIB("libzstd.lib;libzstd_a.lib", "curl", PHP_CURL)
+		)) {
+			WARNING("zstd in curl not enabled; library not found");
+		}
 		EXTENSION("curl", "interface.c multi.c share.c curl_file.c");
 		AC_DEFINE('HAVE_CURL', 1, "Define to 1 if the PHP extension 'curl' is available.");
 		ADD_FLAG("CFLAGS_CURL", "/D PHP_CURL_EXPORTS=1");

ext/intl/calendar/calendar_methods.cpp

@@ -373,7 +373,7 @@ static void _php_intlcal_before_after(
 
 	when_co = Z_INTL_CALENDAR_P(when_object);
 	if (when_co->ucal == NULL) {
-		zend_argument_error(NULL, 2, "is uninitialized");
+		zend_argument_error(NULL, hasThis() ? 1 : 2, "is uninitialized");
 		RETURN_THROWS();
 	}
 
@@ -796,7 +796,7 @@ U_CFUNC PHP_FUNCTION(intlcal_is_equivalent_to)
 
 	other_co = Z_INTL_CALENDAR_P(other_object);
 	if (other_co->ucal == NULL) {
-		zend_argument_error(NULL, 2, "is uninitialized");
+		zend_argument_error(NULL, hasThis() ? 1 : 2, "is uninitialized");
 		RETURN_THROWS();
 	}
 
@@ -933,7 +933,7 @@ U_CFUNC PHP_FUNCTION(intlcal_equals)
 	CALENDAR_METHOD_FETCH_OBJECT;
 	other_co = Z_INTL_CALENDAR_P(other_object);
 	if (other_co->ucal == NULL) {
-		zend_argument_error(NULL, 2, "is uninitialized");
+		zend_argument_error(NULL, hasThis() ? 1 : 2, "is uninitialized");
 		RETURN_THROWS();
 	}