Make (DOM)XPath::quote only accept strings without NULL bytes (#13960)

nielsdos · divinity76 · web-flow · commit a136117eaa85 · 2024-04-14T21:16:07.000+02:00
* Make (DOM)XPath::quote only accept strings without NULL bytes

The reason is that libxml will cut off on a NULL byte, and so strings
containing NULL bytes may not be necessarily safe even when coming out
of quoting.

* Add test

Co-authored-by: divinity76 &lt;divinity76@gmail.com&gt;

---------

Co-authored-by: divinity76 &lt;divinity76@gmail.com&gt;
diff --git a/ext/dom/tests/gh13960.phpt b/ext/dom/tests/gh13960.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-13960 (NULL bytes in XPath query)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$domd = new DOMDocument();
+@$domd->loadHTML("<foo>tes\x00t</foo>");
+$xp = new DOMXPath($domd);
+try {
+    $xp->query("//foo[contains(text(), " . $xp->quote("tes\x00t") . ")]");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+DOMXPath::quote(): Argument #1 ($str) must not contain any null bytes
diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
@@ -473,7 +473,7 @@ PHP_METHOD(DOMXPath, registerPhpFunctionNS)
 PHP_METHOD(DOMXPath, quote) {
 	const char *input;
 	size_t input_len;
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &input, &input_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &input, &input_len) == FAILURE) {
 		RETURN_THROWS();
 	}
 	if (memchr(input, '\'', input_len) == NULL) {

Original file line number	Diff line number	Diff line change
`@@ -473,7 +473,7 @@ PHP_METHOD(DOMXPath, registerPhpFunctionNS)`
`473`	`473`	`PHP_METHOD(DOMXPath, quote) {`
`474`	`474`	`const char *input;`
`475`	`475`	`size_t input_len;`
`476`		`- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &input, &input_len) == FAILURE) {`
	`476`	`+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &input, &input_len) == FAILURE) {`
`477`	`477`	`RETURN_THROWS();`
`478`	`478`	`}`
`479`	`479`	`if (memchr(input, '\'', input_len) == NULL) {`