Fix GHSA-www2-q4fc-65wf

ndossche · ndossche · commit 56cbadf4689d · 2025-12-14T19:40:16.000+01:00
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -555,7 +555,7 @@ PHP_FUNCTION(inet_pton)
 	char buffer[17];
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(address, address_len)
+		Z_PARAM_PATH(address, address_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	memset(buffer, 0, sizeof(buffer));
@@ -592,7 +592,7 @@ PHP_FUNCTION(ip2long)
 #endif
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(addr, addr_len)
+		Z_PARAM_PATH(addr, addr_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 #ifdef HAVE_INET_PTON
@@ -2190,8 +2190,8 @@ PHP_FUNCTION(getservbyname)
 	struct servent *serv;
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
-		Z_PARAM_STR(name)
-		Z_PARAM_STRING(proto, proto_len)
+		Z_PARAM_PATH_STR(name)
+		Z_PARAM_PATH(proto, proto_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 
@@ -2234,7 +2234,7 @@ PHP_FUNCTION(getservbyport)
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
 		Z_PARAM_LONG(port)
-		Z_PARAM_STRING(proto, proto_len)
+		Z_PARAM_PATH(proto, proto_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	serv = getservbyport(htons((unsigned short) port), proto);
@@ -2261,7 +2261,7 @@ PHP_FUNCTION(getprotobyname)
 	struct protoent *ent;
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(name, name_len)
+		Z_PARAM_PATH(name, name_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	ent = getprotobyname(name);
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
@@ -379,7 +379,7 @@ PHP_FUNCTION(dns_check_record)
 #endif
 
 	ZEND_PARSE_PARAMETERS_START(1, 2)
-		Z_PARAM_STRING(hostname, hostname_len)
+		Z_PARAM_PATH(hostname, hostname_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_STR(rectype)
 	ZEND_PARSE_PARAMETERS_END();
@@ -826,7 +826,7 @@ PHP_FUNCTION(dns_get_record)
 	bool raw = 0;
 
 	ZEND_PARSE_PARAMETERS_START(1, 5)
-		Z_PARAM_STRING(hostname, hostname_len)
+		Z_PARAM_PATH(hostname, hostname_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_LONG(type_param)
 		Z_PARAM_ZVAL(authns)
@@ -1064,7 +1064,7 @@ PHP_FUNCTION(dns_get_mx)
 #endif
 
 	ZEND_PARSE_PARAMETERS_START(2, 3)
-		Z_PARAM_STRING(hostname, hostname_len)
+		Z_PARAM_PATH(hostname, hostname_len)
 		Z_PARAM_ZVAL(mx_list)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_ZVAL(weight_list)
diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c
@@ -48,7 +48,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */
 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
 	PDNS_RECORD     pResult, pRec;          /* Pointer to DNS_RECORD structure */
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) {
 		RETURN_THROWS();
 	}
 
@@ -102,7 +102,7 @@ PHP_FUNCTION(dns_check_record)
 	DNS_STATUS      status;                 /* Return value of DnsQuery_A() function */
 	PDNS_RECORD     pResult;          /* Pointer to DNS_RECORD structure */
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|S", &hostname, &hostname_len, &rectype) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|S", &hostname, &hostname_len, &rectype) == FAILURE) {
 		RETURN_THROWS();
 	}
 
@@ -354,7 +354,7 @@ PHP_FUNCTION(dns_get_record)
 	int type, type_to_fetch, first_query = 1, store_results = 1;
 	bool raw = 0;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b",
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b",
 			&hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) {
 		RETURN_THROWS();
 	}
diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt
@@ -0,0 +1,62 @@
+--TEST--
+GHSA-www2-q4fc-65wf
+--DESCRIPTION--
+This is a ZPP test but *keep* this as it is security-sensitive!
+--FILE--
+<?php
+try {
+    dns_check_record("\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    dns_get_mx("\0", $out);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    dns_get_record("\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    getprotobyname("\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    getservbyname("\0", "tcp");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    getservbyname("x", "tcp\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    getservbyport(0, "tcp\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    inet_pton("\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    ip2long("\0");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+dns_check_record(): Argument #1 ($hostname) must not contain any null bytes
+dns_get_mx(): Argument #1 ($hostname) must not contain any null bytes
+dns_get_record(): Argument #1 ($hostname) must not contain any null bytes
+getprotobyname(): Argument #1 ($protocol) must not contain any null bytes
+getservbyname(): Argument #1 ($service) must not contain any null bytes
+getservbyname(): Argument #2 ($protocol) must not contain any null bytes
+getservbyport(): Argument #2 ($protocol) must not contain any null bytes
+inet_pton(): Argument #1 ($ip) must not contain any null bytes
+ip2long(): Argument #1 ($ip) must not contain any null bytes
