From ad60d7d248d01577a8e95a9296c04249e9dd04f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Fri, 12 Sep 2025 12:04:10 +0200
Subject: [PATCH 1/2] curl: Fix cloning of POST fields

---
 ext/curl/interface.c                          |  2 +-
 .../curl_copy_handle_variation3_clone.phpt    | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 ext/curl/tests/curl_copy_handle_variation3_clone.phpt

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index b3139422cffa5..79f53be14f3d7 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -468,7 +468,7 @@ static zend_object *curl_clone_obj(zend_object *object) {
 	clone_ch->cp = cp;
 	_php_setup_easy_copy_handlers(clone_ch, ch);
 
-	postfields = &clone_ch->postfields;
+	postfields = &ch->postfields;
 	if (Z_TYPE_P(postfields) != IS_UNDEF) {
 		if (build_mime_structure_from_hash(clone_ch, postfields) == FAILURE) {
 			zend_throw_exception(NULL, "Failed to clone CurlHandle", 0);
diff --git a/ext/curl/tests/curl_copy_handle_variation3_clone.phpt b/ext/curl/tests/curl_copy_handle_variation3_clone.phpt
new file mode 100644
index 0000000000000..7951cb0258111
--- /dev/null
+++ b/ext/curl/tests/curl_copy_handle_variation3_clone.phpt
@@ -0,0 +1,34 @@
+--TEST--
+clone() allows to post CURLFile multiple times
+--EXTENSIONS--
+curl
+--FILE--
+<?php
+include 'server.inc';
+$host = curl_cli_server_start();
+
+$ch1 = curl_init();
+curl_setopt($ch1, CURLOPT_SAFE_UPLOAD, 1);
+curl_setopt($ch1, CURLOPT_URL, "{$host}/get.php?test=file");
+curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
+
+$filename = __DIR__ . '/curl_copy_handle_variation3_clone.txt';
+file_put_contents($filename, "Test.");
+$file = curl_file_create($filename);
+$params = array('file' => $file);
+var_dump(curl_setopt($ch1, CURLOPT_POSTFIELDS, $params));
+
+$ch2 = clone($ch1);
+
+var_dump(curl_exec($ch1));
+
+var_dump(curl_exec($ch2));
+?>
+--EXPECTF--
+bool(true)
+string(%d) "curl_copy_handle_variation3_clone.txt|application/octet-stream|5"
+string(%d) "curl_copy_handle_variation3_clone.txt|application/octet-stream|5"
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/curl_copy_handle_variation3_clone.txt');
+?>

From d6594105361cda0a39ec6c296d1d44b9d0e8b6c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
Date: Fri, 12 Sep 2025 20:51:58 +0200
Subject: [PATCH 2/2] [skip ci] NEWS

---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index 28b811682f2cd..8dde1a0cd87dd 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and
     exception are triggered). (nielsdos)
 
+- Curl:
+  . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
+    of the curl_copy_handle() function to clone a CurlHandle.
+
 - Standard:
   . Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
     (nielsdos)