Merge branch 'PHP-8.1' into PHP-8.2

Author: ramsey

NEWS

@@ -76,6 +76,10 @@ PHP                                                                        NEWS
 - Intl:
   . Fix memory leak in MessageFormatter::format() on failure. (Girgias)
 
+- Libxml:
+  . Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
+    in XML without enabling it). (CVE-2023-3823) (nielsdos, ilutov)
+
 - MBString:
   . Fix GH-11300 (license issue: restricted unicode license headers).
     (nielsdos)
@@ -101,6 +105,8 @@ PHP                                                                        NEWS
 
 - Phar:
   . Add missing check on EVP_VerifyUpdate() in phar util. (nielsdos)
+  . Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
+    (CVE-2023-3824) (nielsdos)
 
 - PHPDBG:
   . Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option). (adsr)

ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('dom')) die('skip dom extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt

@@ -5,6 +5,7 @@ GHSA-3qrf-m4j2-pcrr (libxml global state entity loader bypass)
 if (!extension_loaded('libxml')) die('skip libxml extension not available');
 if (!extension_loaded('xmlreader')) die('skip xmlreader extension not available');
 if (!extension_loaded('zend-test')) die('skip zend-test extension not available');
+if (!function_exists('zend_test_override_libxml_global_state')) die('skip not for Windows');
 ?>
 --FILE--
 <?php

ext/zend_test/test.c

@@ -32,7 +32,7 @@
 #include "test.h"
 #include "test_arginfo.h"
 
-#ifdef HAVE_LIBXML
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
 # include <libxml/globals.h>
 # include <libxml/parser.h>
 #endif
@@ -311,6 +311,7 @@ static ZEND_FUNCTION(zend_get_current_func_name)
     RETURN_STR(function_name);
 }
 
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
 static ZEND_FUNCTION(zend_test_override_libxml_global_state)
 {
 	ZEND_PARSE_PARAMETERS_NONE();
@@ -322,6 +323,7 @@ static ZEND_FUNCTION(zend_test_override_libxml_global_state)
 	(void) xmlLineNumbersDefault(1);
 	(void) xmlKeepBlanksDefault(0);
 }
+#endif
 
 /* TESTS Z_PARAM_ITERABLE and Z_PARAM_ITERABLE_OR_NULL */
 static ZEND_FUNCTION(zend_iterable)

ext/zend_test/test.stub.php

@@ -171,7 +171,7 @@ function zend_get_map_ptr_last(): int {}
 
     function zend_test_crash(?string $message = null): void {}
 
-#ifdef HAVE_LIBXML
+#if defined(HAVE_LIBXML) && !defined(PHP_WIN32)
 function zend_test_override_libxml_global_state(): void {}
 #endif
 }