From 7f2022314358841c9f18e64d065c419cffa41eb8 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Tue, 10 Mar 2026 20:13:05 +0000
Subject: [PATCH 1/3] ext/soap: use zend_string_equals_literal() instead of strcmp() (#21405)
---
 ext/soap/php_encoding.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 648128d9cea6..5e3675f875bd 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2439,13 +2439,7 @@ static xmlNodePtr to_xml_array(encodeTypePtr type, zval *data, int style, xmlNod
 if (style == SOAP_ENCODED) {
 if (soap_version == SOAP_1_1) {
 smart_str_0(&array_type);
-#if defined(__GNUC__) && __GNUC__ >= 11
- ZEND_DIAGNOSTIC_IGNORED_START("-Wstringop-overread")
-#endif
- bool is_xsd_any_type = strcmp(ZSTR_VAL(array_type.s),"xsd:anyType") == 0;
-#if defined(__GNUC__) && __GNUC__ >= 11
- ZEND_DIAGNOSTIC_IGNORED_END
-#endif
+ bool is_xsd_any_type = zend_string_equals_literal(array_type.s, "xsd:anyType");
 if (is_xsd_any_type) {
 smart_str_free(&array_type);
 smart_str_appendl(&array_type,"xsd:ur-type",sizeof("xsd:ur-type")-1);
From 1b61d555fb4703ce69791d74a4f0532b45942938 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 9 Mar 2026 22:03:31 +0000
Subject: [PATCH 2/3] ext/soap: Fix wrong cookie options offset calculation, using separator offset instead. The cookie option parser uses a wrong offset to start scanning attributes, causing cookie values containing substrings like "path=" or "domain=" to be falsely matched as attributes. close GH-21400
---
 NEWS | 4 ++
 ext/soap/php_http.c | 10 +--
 .../bugs/cookie_parse_options_offset.phpt | 61 +++++++++++++++++++
 3 files changed, 70 insertions(+), 5 deletions(-)
 create mode 100644 ext/soap/tests/bugs/cookie_parse_options_offset.phpt
diff --git a/NEWS b/NEWS
index 542447107fac..f4c0f534c36d 100644
--- a/NEWS
+++ b/NEWS
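Review bot: In ext/soap/php_encoding.c, `zend_string_equals_literal(array_type.s, "xsd:anyType")` reads the length of `array_type.s`, and `smart_str_0()` on the line above does nothing, as far as I know, when the smart_str has never been appended to, so the comparison is only safe if an earlier append is guaranteed. The code that fills `array_type` is outside this hunk, as is the rest of to_xml_array, so the guarantee cannot be checked here. I would state the invariant with `ZEND_ASSERT(array_type.s != NULL);` before the comparison. Separately, `is_xsd_any_type` looks like it existed only to sit between the removed pragma lines and can be folded into `if (zend_string_equals_literal(array_type.s, "xsd:anyType")) {`.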
@@ -17,6 +17,10 @@ PHP NEWS
 . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments). (David Carlier)
+- SOAP:
+ . Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
+ (David Carlier)
+
 - Standard:
 . Fixed bug GH-20906 (Assertion failure when messing up output buffers). (ndossche)
diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2db45fe49b10..0bec42afbc37 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -1010,23 +1010,23 @@ int make_http_soap_request(zval *this_ptr,
 char *sempos = strstr(cookie, ";");
 if (eqpos != NULL && (sempos == NULL || sempos > eqpos)) {
 smart_str name = {0};
- int cookie_len;
 zval zcookie;
+ size_t cookie_value_len;
 if (sempos != NULL) {
- cookie_len = sempos-(eqpos+1);
+ cookie_value_len = sempos-(eqpos+1);
 } else {
- cookie_len = strlen(cookie)-(eqpos-cookie)-1;
+ cookie_value_len = strlen(cookie)-(eqpos-cookie)-1;
 }
 smart_str_appendl(&name, cookie, eqpos - cookie);
 smart_str_0(&name);
 array_init(&zcookie);
- add_index_stringl(&zcookie, 0, eqpos + 1, cookie_len);
+ add_index_stringl(&zcookie, 0, eqpos + 1, cookie_value_len);
 if (sempos != NULL) {
- char *options = cookie + cookie_len+1;
+ char *options = sempos + 1;
 while (*options) {
 while (*options == ' ') {options++;}
 sempos = strstr(options, ";");
diff --git a/ext/soap/tests/bugs/cookie_parse_options_offset.phpt b/ext/soap/tests/bugs/cookie_parse_options_offset.phpt
new file mode 100644
index 000000000000..988af9d31959
--- /dev/null
+++ b/ext/soap/tests/bugs/cookie_parse_options_offset.phpt
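Review bot: In ext/soap/php_http.c the new `char *options = sempos + 1;` has no comment saying why the attribute scan has to start at the first `;`, although that is the whole fix: the removed `cookie + cookie_len+1` added only the value length to the start of the header text and so began scanning before the separator, inside text the server controls. I would add `/* attributes start after the first ';', never inside the name or value */` above the line. The assignment `cookie_value_len = sempos-(eqpos+1);` to a size_t is non-negative only because of the `sempos > eqpos` test in the enclosing `if`, which deserves a short comment as well. make_http_soap_request and the attribute loop both continue outside the hunk.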
@@ -0,0 +1,61 @@
+--TEST--
+SOAP Set-Cookie option parsing starts at wrong offset due to variable shadowing
+--EXTENSIONS--
+soap
+--SKIPIF--
+
+--FILE--
+
+
+
+
+
+
+XML;
+PHP;
+
+php_cli_server_start($code, null, $args);
+
+$client = new SoapClient(null, [
+ 'location' => 'http://' . PHP_CLI_SERVER_ADDRESS . '/test/endpoint',
+ 'uri' => 'test-uri',
+ 'trace' => true,
+]);
+
+try {
+ $client->__soapCall("test", []);
+} catch (SoapFault $e) {
+ // Response parsing may fault, cookies are still stored
+}
+
+$cookies = $client->__getCookies();
+
+// path should default to "/test" from the request URI, not "/evil" from the value.
+echo "value: " . $cookies['sessionkey'][0] . "\n";
+echo "path: " . $cookies['sessionkey'][1] . "\n";
+echo "domain: " . $cookies['sessionkey'][2] . "\n";
+?>
+--EXPECT--
+value: path=/evil
+path: /test
+domain: good.com
From c658d3c7876ed0269c6b9aef78ff37afa2496145 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Wed, 11 Mar 2026 01:51:53 +0000
Subject: [PATCH 3/3] ext/pgsql: use smart_str_append_double() instead of snprintf call (#21406)
---
 ext/pgsql/pgsql.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 8cd812eb084c..80cade4d7605 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -5617,7 +5617,6 @@ static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link,
 PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *table, zval *var_array, zend_ulong opt, zend_string **sql)
 {
 zval *val, converted;
- char buf[256];
 char *tmp;
 smart_str querystr = {0};
 zend_result ret = FAILURE;
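Review bot: The `--TEST--` title in cookie_parse_options_offset.phpt blames variable shadowing, but the php_http.c change in the same patch replaces an offset computed from the value length and shows no shadowed variable. The title should name the actual cause, for example `SOAP Set-Cookie attribute parsing must start after the first ';'`. The expected output only pins a value that looks like a `path=` attribute, while the commit message also names `domain=`; a second cookie whose value contains `domain=` would cover that case. The server-side part of the test is not readable in this view, so that second point may already be handled there.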
@@ -5700,7 +5699,7 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
 smart_str_append_long(&querystr, Z_LVAL_P(val));
 break;
 case IS_DOUBLE:
- smart_str_appendl(&querystr, buf, snprintf(buf, sizeof(buf), "%F", Z_DVAL_P(val)));
+ smart_str_append_double(&querystr, Z_DVAL_P(val), 6, false);
 break;
 case IS_NULL:
 smart_str_appendl(&querystr, "NULL", sizeof("NULL")-1);
@@ -5884,8 +5883,7 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr,
 smart_str_append_long(querystr, Z_LVAL_P(val));
 break;
 case IS_DOUBLE: {
- char buf[256];
- smart_str_appendl(querystr, buf, MIN(snprintf(buf, sizeof(buf), "%F", Z_DVAL_P(val)), sizeof(buf) - 1));
+ smart_str_append_double(querystr, Z_DVAL_P(val), 6, false);
 }
 break;
 case IS_NULL:
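Review bot: `smart_str_append_double(&querystr, Z_DVAL_P(val), 6, false)` in php_pgsql_insert is not obviously equivalent to the `"%F"` format it replaces. `%F` wrote fixed notation with six fractional digits, whereas smart_str_append_double(), as far as I know, treats its precision as a count of significant digits and may switch to exponent form, so a value such as 1234567.891 could reach the generated SQL rounded; this should be confirmed against the helper's definition. The same call is introduced in build_assignment_string in the next hunk. The patch touches only pgsql.c, so nothing pins the text produced for doubles: I would add a test with a large and a very small double for both functions and, if the output does change, pass a precision that keeps the value, e.g. `smart_str_append_double(&querystr, Z_DVAL_P(val), 17, false);`. php_pgsql_insert's body starts and ends outside the hunk.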
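Review bot: The braces around the `case IS_DOUBLE:` body in build_assignment_string appear to have been there only to scope `char buf[256]`, which this hunk removes, so the block can now be written like the neighbouring cases: `case IS_DOUBLE:` followed by `smart_str_append_double(querystr, Z_DVAL_P(val), 6, false);` and `break;`. The function continues outside the hunk.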