Merge branch 'PHP-8.2'

Author: ramsey

NEWS

@@ -15,13 +15,21 @@ PHP                                                                        NEWS
 - FFI:
   . Fix leaking definitions when using FFI::cdef()->new(...). (ilutov)
 
+- Libxml:
+  . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
+    in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)
+
 - MBString:
   . Fix use-after-free of mb_list_encodings() return value. (ilutov)
 
 - Opcache:
   . Avoid adding an unnecessary read-lock when loading script from shm if
     restart is in progress. (mikhainin)
 
+- Phar:
+  . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
+    (CVE-2023-3824) (nielsdos)
+
 - Streams:
   . Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper
     from itself). (ilutov)

ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('dom')) die('skip dom extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('xmlreader')) die('skip xmlreader extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/zend_test/test.c

@@ -33,7 +33,7 @@
 #include "zend_call_stack.h"
 #include "zend_exceptions.h"
 
-#ifdef HAVE_LIBXML
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
 # include <libxml/globals.h>
 # include <libxml/parser.h>
 #endif
@@ -358,6 +358,7 @@ static ZEND_FUNCTION(zend_get_current_func_name)
     RETURN_STR(function_name);
 }
 
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
 static ZEND_FUNCTION(zend_test_override_libxml_global_state)
 {
 	ZEND_PARSE_PARAMETERS_NONE();
@@ -369,6 +370,7 @@ static ZEND_FUNCTION(zend_test_override_libxml_global_state)
 	(void) xmlLineNumbersDefault(1);
 	(void) xmlKeepBlanksDefault(0);
 }
+#endif
 
 /* TESTS Z_PARAM_ITERABLE and Z_PARAM_ITERABLE_OR_NULL */
 static ZEND_FUNCTION(zend_iterable)

ext/zend_test/test.stub.php

@@ -227,8 +227,8 @@ function zend_test_create_throwing_resource() {}
 
     function get_open_basedir(): ?string {}
 
-#ifdef HAVE_LIBXML
-	function zend_test_override_libxml_global_state(): void {}
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
+function zend_test_override_libxml_global_state(): void {}
 #endif
 }