From 3a3c50209167378c00d8482e71fb251f72b67eb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phan=20Kochen?= <git@stephank.nl>
Date: Sat, 22 May 2021 08:18:44 +0200
Subject: [PATCH 1/3] Fix tests failing as of libxml2 2.9.12

---
 ext/dom/tests/DOMDocument_loadXML_error1.phpt |  2 +-
 ext/dom/tests/DOMDocument_load_error1.phpt    |  2 +-
 ext/dom/tests/bug43364.phpt                   | 42 -------------------
 ext/dom/tests/bug80268.phpt                   | 24 -----------
 4 files changed, 2 insertions(+), 68 deletions(-)
 delete mode 100644 ext/dom/tests/bug43364.phpt
 delete mode 100644 ext/dom/tests/bug80268.phpt

diff --git a/ext/dom/tests/DOMDocument_loadXML_error1.phpt b/ext/dom/tests/DOMDocument_loadXML_error1.phpt
index 7ab878ae450c2..14d99e4ed9ad9 100644
--- a/ext/dom/tests/DOMDocument_loadXML_error1.phpt
+++ b/ext/dom/tests/DOMDocument_loadXML_error1.phpt
@@ -21,6 +21,6 @@ domdocumentloadxml_test_method.inc
 --EXPECTF--
 Warning: DOMDocument::load%r(XML){0,1}%r(): Opening and ending tag mismatch: title line 5 and book %s
 
-Warning: DOMDocument::load%r(XML){0,1}%r(): %rexpected '>'|Opening and ending tag mismatch: book line 5 and books%r %s
+Warning: DOMDocument::load%r(XML){0,1}%r(): %rexpected '>'|Opening and ending tag mismatch: book line (4|5) and books%r %s
 
 Warning: DOMDocument::load%r(XML){0,1}%r(): %rPremature end of data in tag books|EndTag: '<\/' not found in Entity, line: 13%r %s
diff --git a/ext/dom/tests/DOMDocument_load_error1.phpt b/ext/dom/tests/DOMDocument_load_error1.phpt
index ab1caccf73a8e..f736b0a0e81c6 100644
--- a/ext/dom/tests/DOMDocument_load_error1.phpt
+++ b/ext/dom/tests/DOMDocument_load_error1.phpt
@@ -21,6 +21,6 @@ domdocumentload_test_method.inc
 --EXPECTF--
 Warning: DOMDocument::load%r(XML){0,1}%r(): Opening and ending tag mismatch: title line 5 and book %s
 
-Warning: DOMDocument::load%r(XML){0,1}%r(): %rexpected '>'|Opening and ending tag mismatch: book line 5 and books%r %s
+Warning: DOMDocument::load%r(XML){0,1}%r(): %rexpected '>'|Opening and ending tag mismatch: book line (4|5) and books%r %s
 
 Warning: DOMDocument::load%r(XML){0,1}%r(): %rPremature end of data in tag books|EndTag: '<\/' not found%r %s
diff --git a/ext/dom/tests/bug43364.phpt b/ext/dom/tests/bug43364.phpt
deleted file mode 100644
index 68e030c20fc38..0000000000000
--- a/ext/dom/tests/bug43364.phpt
+++ /dev/null
@@ -1,42 +0,0 @@
---TEST--
-Bug #43364 (recursive xincludes don't remove internal xml nodes properly)
---EXTENSIONS--
-dom
---FILE--
-<?php
-function loopElements($nodes)
-{
-    $count = 0;
-    foreach($nodes as $node) {
-        if($node instanceof DOMElement) {
-            $count++;
-            if($node->childNodes->length > 0) {
-                $count += loopElements($node->childNodes);
-            }
-        }
-    }
-    return $count;
-}
-
-$xml = <<<DOC
-<?xml version="1.0" encoding="UTF-8"?>
-<root xmlns:xi="http://www.w3.org/2001/XInclude">
-    <a>
-        <a_child1>ac1</a_child1>
-        <a_child2>ac2</a_child2>
-    </a>
-    <b><xi:include xpointer="xpointer(/root/a)" /></b>
-    <c><xi:include xpointer="xpointer(/root/b)" /></c>
-</root>
-DOC;
-
-$doc = new DomDocument();
-$doc->loadXml($xml);
-$doc->xinclude();
-
-$count = loopElements(array($doc->documentElement));
-
-var_dump($count);
-?>
---EXPECT--
-int(13)
diff --git a/ext/dom/tests/bug80268.phpt b/ext/dom/tests/bug80268.phpt
deleted file mode 100644
index 313cf70a37e26..0000000000000
--- a/ext/dom/tests/bug80268.phpt
+++ /dev/null
@@ -1,24 +0,0 @@
---TEST--
-Bug #80268 (loadHTML() truncates at NUL bytes)
---EXTENSIONS--
-dom
---FILE--
-<?php
-$doc = new DOMDocument;
-$doc->loadHTML("<p>foo\0bar</p>");
-$html = $doc->saveHTML();
-var_dump(strpos($html, '<p>foo</p>') !== false);
-
-file_put_contents(__DIR__ . '/80268.html', "<p>foo\0bar</p>");
-$doc = new DOMDocument;
-$doc->loadHTMLFile(__DIR__ . '/80268.html');
-$html = $doc->saveHTML();
-var_dump(strpos($html, '<p>foo</p>') !== false);
-?>
---CLEAN--
-<?php
-unlink(__DIR__ . '/80268.html');
-?>
---EXPECT--
-bool(true)
-bool(true)

From fa1965be4d05ceec0f41e7d94891ab4bd99e72f6 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 26 May 2021 09:56:46 +0200
Subject: [PATCH 2/3] Restore tests

---
 ext/dom/tests/bug43364.phpt | 42 +++++++++++++++++++++++++++++++++++++
 ext/dom/tests/bug80268.phpt | 24 +++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 ext/dom/tests/bug43364.phpt
 create mode 100644 ext/dom/tests/bug80268.phpt

diff --git a/ext/dom/tests/bug43364.phpt b/ext/dom/tests/bug43364.phpt
new file mode 100644
index 0000000000000..68e030c20fc38
--- /dev/null
+++ b/ext/dom/tests/bug43364.phpt
@@ -0,0 +1,42 @@
+--TEST--
+Bug #43364 (recursive xincludes don't remove internal xml nodes properly)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+function loopElements($nodes)
+{
+    $count = 0;
+    foreach($nodes as $node) {
+        if($node instanceof DOMElement) {
+            $count++;
+            if($node->childNodes->length > 0) {
+                $count += loopElements($node->childNodes);
+            }
+        }
+    }
+    return $count;
+}
+
+$xml = <<<DOC
+<?xml version="1.0" encoding="UTF-8"?>
+<root xmlns:xi="http://www.w3.org/2001/XInclude">
+    <a>
+        <a_child1>ac1</a_child1>
+        <a_child2>ac2</a_child2>
+    </a>
+    <b><xi:include xpointer="xpointer(/root/a)" /></b>
+    <c><xi:include xpointer="xpointer(/root/b)" /></c>
+</root>
+DOC;
+
+$doc = new DomDocument();
+$doc->loadXml($xml);
+$doc->xinclude();
+
+$count = loopElements(array($doc->documentElement));
+
+var_dump($count);
+?>
+--EXPECT--
+int(13)
diff --git a/ext/dom/tests/bug80268.phpt b/ext/dom/tests/bug80268.phpt
new file mode 100644
index 0000000000000..313cf70a37e26
--- /dev/null
+++ b/ext/dom/tests/bug80268.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #80268 (loadHTML() truncates at NUL bytes)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadHTML("<p>foo\0bar</p>");
+$html = $doc->saveHTML();
+var_dump(strpos($html, '<p>foo</p>') !== false);
+
+file_put_contents(__DIR__ . '/80268.html', "<p>foo\0bar</p>");
+$doc = new DOMDocument;
+$doc->loadHTMLFile(__DIR__ . '/80268.html');
+$html = $doc->saveHTML();
+var_dump(strpos($html, '<p>foo</p>') !== false);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__ . '/80268.html');
+?>
+--EXPECT--
+bool(true)
+bool(true)

From 8333e25aa8fb52e0411fd5788f30b02cd493e656 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 26 May 2021 10:00:37 +0200
Subject: [PATCH 3/3] Adjust or fork tests for libxml 2.9.12

---
 ext/dom/tests/bug43364.phpt                   |  4 +-
 ext/dom/tests/bug80268.phpt                   |  4 ++
 ext/dom/tests/bug80268_2.phpt                 | 31 ++++++++++
 ext/libxml/tests/bug61367-read.phpt           |  5 +-
 ext/libxml/tests/bug61367-read_2.phpt         | 60 +++++++++++++++++++
 .../tests/libxml_disable_entity_loader.phpt   |  1 +
 .../tests/libxml_disable_entity_loader_2.phpt | 43 +++++++++++++
 7 files changed, 145 insertions(+), 3 deletions(-)
 create mode 100644 ext/dom/tests/bug80268_2.phpt
 create mode 100644 ext/libxml/tests/bug61367-read_2.phpt
 create mode 100644 ext/libxml/tests/libxml_disable_entity_loader_2.phpt

diff --git a/ext/dom/tests/bug43364.phpt b/ext/dom/tests/bug43364.phpt
index 68e030c20fc38..ea7b52742e2a3 100644
--- a/ext/dom/tests/bug43364.phpt
+++ b/ext/dom/tests/bug43364.phpt
@@ -36,7 +36,7 @@ $doc->xinclude();
 
 $count = loopElements(array($doc->documentElement));
 
-var_dump($count);
+var_dump($count == 13 || $count == 11);
 ?>
 --EXPECT--
-int(13)
+bool(true)
diff --git a/ext/dom/tests/bug80268.phpt b/ext/dom/tests/bug80268.phpt
index 313cf70a37e26..c5d3cfe270f70 100644
--- a/ext/dom/tests/bug80268.phpt
+++ b/ext/dom/tests/bug80268.phpt
@@ -2,6 +2,10 @@
 Bug #80268 (loadHTML() truncates at NUL bytes)
 --EXTENSIONS--
 dom
+--SKIPIF--
+<?php
+if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only');
+?>
 --FILE--
 <?php
 $doc = new DOMDocument;
diff --git a/ext/dom/tests/bug80268_2.phpt b/ext/dom/tests/bug80268_2.phpt
new file mode 100644
index 0000000000000..af8cf7faca5a5
--- /dev/null
+++ b/ext/dom/tests/bug80268_2.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug #80268 (loadHTML() truncates at NUL bytes)
+--EXTENSIONS--
+dom
+--SKIPIF--
+<?php
+if (LIBXML_VERSION < 20912) die('skip For libxml2 >= 2.9.12 only');
+?>
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadHTML("<p>foo\0bar</p>");
+$html = $doc->saveHTML();
+var_dump(strpos($html, '<p>foo</p>') !== false);
+
+file_put_contents(__DIR__ . '/80268.html', "<p>foo\0bar</p>");
+$doc = new DOMDocument;
+$doc->loadHTMLFile(__DIR__ . '/80268.html');
+$html = $doc->saveHTML();
+var_dump(strpos($html, '<p>foo</p>') !== false);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__ . '/80268.html');
+?>
+--EXPECTF--
+Warning: DOMDocument::loadHTML(): Char 0x0 out of allowed range in Entity, line: 1 in %s on line %d
+bool(false)
+
+Warning: DOMDocument::loadHTMLFile(): Char 0x0 out of allowed range in %s on line %d
+bool(false)
diff --git a/ext/libxml/tests/bug61367-read.phpt b/ext/libxml/tests/bug61367-read.phpt
index 959b404954bd7..441a162a57538 100644
--- a/ext/libxml/tests/bug61367-read.phpt
+++ b/ext/libxml/tests/bug61367-read.phpt
@@ -1,7 +1,10 @@
 --TEST--
 Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
 --SKIPIF--
-<?php if(!extension_loaded('dom')) echo 'skip dom extension not available'; ?>
+<?php
+if(!extension_loaded('dom')) echo 'skip dom extension not available';
+if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only');
+?>
 --INI--
 open_basedir=.
 --FILE--
diff --git a/ext/libxml/tests/bug61367-read_2.phpt b/ext/libxml/tests/bug61367-read_2.phpt
new file mode 100644
index 0000000000000..ed6576aa752ed
--- /dev/null
+++ b/ext/libxml/tests/bug61367-read_2.phpt
@@ -0,0 +1,60 @@
+--TEST--
+Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
+--SKIPIF--
+<?php
+if(!extension_loaded('dom')) echo 'skip dom extension not available';
+if (LIBXML_VERSION < 20912) die('skip For libxml2 >= 2.9.12 only');
+?>
+--INI--
+open_basedir=.
+--FILE--
+<?php
+/*
+ * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices.
+ */
+class StreamExploiter {
+    public function stream_close (  ) {
+        $doc = new DOMDocument;
+        $doc->resolveExternals = true;
+        $doc->substituteEntities = true;
+        $dir = htmlspecialchars(dirname(getcwd()));
+        $dir = str_replace('\\', '/', $dir); // fix for windows
+        $doc->loadXML( <<<XML
+<!DOCTYPE doc [
+    <!ENTITY file SYSTEM "file:///$dir/bad">
+]>
+<doc>&file;</doc>
+XML
+        );
+        print $doc->documentElement->firstChild->nodeValue;
+    }
+
+    public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
+        return true;
+    }
+}
+
+var_dump(mkdir('test_bug_61367-read'));
+var_dump(mkdir('test_bug_61367-read/base'));
+var_dump(file_put_contents('test_bug_61367-read/bad', 'blah'));
+var_dump(chdir('test_bug_61367-read/base'));
+
+stream_wrapper_register( 'exploit', 'StreamExploiter' );
+$s = fopen( 'exploit://', 'r' );
+
+?>
+--CLEAN--
+<?php
+unlink('test_bug_61367-read/bad');
+rmdir('test_bug_61367-read/base');
+rmdir('test_bug_61367-read');
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+int(4)
+bool(true)
+
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d
+
+Warning: Attempt to read property "nodeValue" on null in %s on line %d
diff --git a/ext/libxml/tests/libxml_disable_entity_loader.phpt b/ext/libxml/tests/libxml_disable_entity_loader.phpt
index d72a9b21d6837..bfec49564a424 100644
--- a/ext/libxml/tests/libxml_disable_entity_loader.phpt
+++ b/ext/libxml/tests/libxml_disable_entity_loader.phpt
@@ -4,6 +4,7 @@ libxml_disable_entity_loader()
 <?php
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('dom')) die('skip dom extension not available');
+if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only');
 --FILE--
 <?php
 
diff --git a/ext/libxml/tests/libxml_disable_entity_loader_2.phpt b/ext/libxml/tests/libxml_disable_entity_loader_2.phpt
new file mode 100644
index 0000000000000..caa7356ad3076
--- /dev/null
+++ b/ext/libxml/tests/libxml_disable_entity_loader_2.phpt
@@ -0,0 +1,43 @@
+--TEST--
+libxml_disable_entity_loader()
+--SKIPIF--
+<?php
+if (!extension_loaded('libxml')) die('skip libxml extension not available');
+if (!extension_loaded('dom')) die('skip dom extension not available');
+if (LIBXML_VERSION < 20912) die('skip For libxml2 >= 2.9.12 only');
+--FILE--
+<?php
+
+$xml = <<<EOT
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE test [<!ENTITY xxe SYSTEM "XXE_URI">]>
+<foo>&xxe;</foo>
+EOT;
+
+$dir = str_replace('\\', '/', __DIR__);
+$xml = str_replace('XXE_URI', $dir . '/libxml_disable_entity_loader_payload.txt', $xml);
+
+function parseXML($xml) {
+  $doc = new DOMDocument();
+  $doc->resolveExternals = true;
+  $doc->substituteEntities = true;
+  $doc->validateOnParse = false;
+  $doc->loadXML($xml, 0);
+  return $doc->saveXML();
+}
+
+var_dump(strpos(parseXML($xml), 'SECRET_DATA') !== false);
+var_dump(libxml_disable_entity_loader(true));
+var_dump(strpos(parseXML($xml), 'SECRET_DATA') === false);
+
+echo "Done\n";
+?>
+--EXPECTF--
+bool(true)
+
+Deprecated: Function libxml_disable_entity_loader() is deprecated in %s on line %d
+bool(false)
+
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "%s" in %s on line %d
+bool(true)
+Done