Merge remote-tracking branch 'origin/PHP-5.6' into str_size_and_int64_56_backport

* origin/PHP-5.6:
  updated libs versions
  added some notes about the win build system
  UPGRADING note about bug #67072
  UPGRADING note about bug #67072
  UPGRADING note about bug #67072
  refixed the test related to bug #67072
  Improved the fix for bug #67072, thanks Nikita
  Fixed test case for 5328d42
  These links to ~helly don't work anymore.
  updated NEWS
  updated NEWS
  Fixed bug #67072 Echoing unserialized "SplFileObject" crash
  updated UPGRADING
  updated UPGRADING
  correct the bug #67081 fix
  updated NEWS
  updated NEWS
  Fixed bug #67081 DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset

Author: weltling

NEWS

@@ -27,6 +27,10 @@ PHP                                                                        NEWS
   . Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is
     supplied). (Boro Sitnikovski)
 
+- DOM:
+  . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,
+    not only the subset). (Anatol)
+
 - Fileinfo:
   . Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
     (Anatol)
@@ -55,6 +59,9 @@ PHP                                                                        NEWS
 - SQLite:
   . Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol)
 
+- Standard:
+  . Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol)
+
 - Apache2 Handler SAPI:
   . Fixed Apache log issue caused by APR's lack of support for %zu
     (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).

UPGRADING

@@ -161,6 +161,10 @@ PHP 5.6 UPGRADE NOTES
 - Support for FPM workers changing the apparmor profile through the pool configuration.
   (https://wiki.php.net/rfc/fpm_change_hat)
 
+- Support for several XML MIME types in the built-in CLI server. For static
+  files with extensions .xml, .xsl, .xsd the Content-Type header
+  application/xml is now sent automatically.
+
 ========================================
 3. Deprecated Functionality
 ========================================
@@ -231,6 +235,10 @@ PHP 5.6 UPGRADE NOTES
     . pg_send_query()
     . pg_send_query_params()
 
+- unserialize:
+  Manipulated serialization strings for objects implementing Serializable by
+  replacing "C:" with "O:" at the start will now produce an error.
+
 ========================================
 5. New Functions
 ========================================

UPGRADING.INTERNALS

@@ -12,6 +12,8 @@ UPGRADE NOTES - PHP X.Y
   g. Additional str_* APIs
   h. Addition of zend_hash_reindex
   i. Addition of zend_hash_splice
+  j. An additional parameter is sent to Countable::count()
+  k. Unserialization of manipulated object strings
 
 2. Build system changes
   a. Unix build system changes
@@ -189,6 +191,21 @@ UPGRADE NOTES - PHP X.Y
   fail. Extensions which implement Countable internally, need to accept one
   optional long as parameter.
 
+  k. Unserialization of manipulated object strings
+
+  Strings requiring unserialization of objects are now explicitly checked
+  whether the object they contain implements the Serializable interface.
+  This solves the situation where manipulated strings could be passed for
+  objects using Serializable to disallow serialization. An object
+  implementing Serializable will always start with "C:" in the serialized
+  string, all other objects are represented with starting "O:". Objects
+  implementing Serializable to disable serialization using
+  zend_class_unserialize_deny and zend_class_serialize_deny, when
+  instantiated from the serializer with a manipulated "O:" string at the
+  start, will most likely be defectively initialized. This is now
+  fixed at the appropriate place by checking for the presence of the
+  serialize callback in the class entry.
+
 ========================
 2. Build system changes
 ========================
@@ -199,5 +216,8 @@ UPGRADE NOTES - PHP X.Y
       variable. Previously `bison` was assumed to be in $PATH. 
 
   b. Windows build system changes
-    - 
-  
+    - The configure option --enable-static-analyze isn't available anymore.
+      The new option was introduced --with-analyzer.
+    - It is possible to disable PGO for single extensions, to do that
+      define a global variable PHP_MYMODULE_PGO evaluating to false
+      inside config.w32

Zend/tests/generators/errors/serialize_unserialize_error.phpt

@@ -32,12 +32,11 @@ Stack trace:
 #0 %s(%d): serialize(Object(Generator))
 #1 {main}
 
-exception 'Exception' with message 'Unserialization of 'Generator' is not allowed' in %s:%d
-Stack trace:
-#0 [internal function]: Generator->__wakeup()
-#1 %s(%d): unserialize('O:9:"Generator"...')
-#2 {main}
 
+Warning: Erroneous data format for unserializing 'Generator' in %sserialize_unserialize_error.php on line %d
+
+Notice: unserialize(): Error at offset 19 of 20 bytes in %sserialize_unserialize_error.php on line %s
+bool(false)
 exception 'Exception' with message 'Unserialization of 'Generator' is not allowed' in %s:%d
 Stack trace:
 #0 %s(%d): unserialize('C:9:"Generator"...')

ext/dom/documenttype.c

@@ -188,8 +188,7 @@ int dom_documenttype_internal_subset_read(dom_object *obj, zval **retval TSRMLS_
 {
 
 	xmlDtdPtr dtdptr;
-	xmlDtd *intsubset;
-	xmlOutputBuffer *buff = NULL;
+	xmlDtdPtr intsubset;
 
 	dtdptr = (xmlDtdPtr) dom_object_get_node(obj);
 
@@ -200,22 +199,37 @@ int dom_documenttype_internal_subset_read(dom_object *obj, zval **retval TSRMLS_
 
 	ALLOC_ZVAL(*retval);
 
-	if (dtdptr->doc != NULL && ((intsubset = dtdptr->doc->intSubset) != NULL)) {
-		buff = xmlAllocOutputBuffer(NULL);
-		if (buff != NULL) {
-			xmlNodeDumpOutput (buff, NULL, (xmlNodePtr) intsubset, 0, 0, NULL);
-			xmlOutputBufferFlush(buff);
+	if (dtdptr->doc != NULL && ((intsubset = xmlGetIntSubset(dtdptr->doc)) != NULL) && intsubset->children != NULL) {
+		smart_str ret_buf = {0};
+		xmlNodePtr cur = intsubset->children;
+
+		while (cur != NULL) {
+			xmlOutputBuffer *buff = xmlAllocOutputBuffer(NULL);
+
+			if (buff != NULL) {
+				xmlNodeDumpOutput (buff, NULL, cur, 0, 0, NULL);
+				xmlOutputBufferFlush(buff);
+
 #ifdef LIBXML2_NEW_BUFFER
-			ZVAL_STRINGL(*retval, xmlOutputBufferGetContent(buff), xmlOutputBufferGetSize(buff), 1);
+				smart_str_appendl(&ret_buf, xmlOutputBufferGetContent(buff), xmlOutputBufferGetSize(buff));
 #else
-			ZVAL_STRINGL(*retval, buff->buffer->content, buff->buffer->use, 1);
+				smart_str_appendl(&ret_buf, buff->buffer->content, buff->buffer->use);
 #endif
-			(void)xmlOutputBufferClose(buff);
+
+				(void)xmlOutputBufferClose(buff);
+			}
+
+			cur = cur->next;
+		}
+
+		if (ret_buf.len) {
+			ZVAL_STRINGL(*retval, ret_buf.c, ret_buf.len, 1);
+			smart_str_free(&ret_buf);
 			return SUCCESS;
 		}
 	}
 
-	ZVAL_EMPTY_STRING(*retval);
+	ZVAL_NULL(*retval);
 
 	return SUCCESS;
 

ext/dom/tests/DOMDocumentType_basic_001.phpt

@@ -43,6 +43,6 @@ print 'notation: '.$notation->nodeName."\n";
 publicId: -//OASIS//DTD DocBook XML//EN
 systemId: docbookx.dtd
 name: chapter
-internalSubset: <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML//EN" "docbookx.dtd">
+internalSubset: 
 entity: logo
-notation: gif
+notation: gif

ext/dom/tests/bug67081.phpt

@@ -0,0 +1,43 @@
+--TEST--
+Bug #67081 DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+?>
+--FILE--
+<?php
+	$domDocument = new DOMDocument();
+	$domDocument->load(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug67081_0.xml");
+	var_dump($domDocument->doctype->internalSubset);
+
+	$domDocument = new DOMDocument();
+	$domDocument->load(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug67081_1.xml");
+	var_dump($domDocument->doctype->internalSubset);
+
+	$domDocument = new DOMDocument();
+	$domDocument->load(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug67081_2.xml");
+	var_dump($domDocument->doctype->internalSubset);
+
+	$domDocument = new DOMDocument();
+	$domDocument->load(dirname(__FILE__) . DIRECTORY_SEPARATOR . "dom.xml");
+	var_dump($domDocument->doctype->internalSubset);
+?>
+===DONE===
+--EXPECT--
+string(19) "<!ELEMENT a EMPTY>
+"
+string(38) "<!ELEMENT a EMPTY>
+<!ELEMENT b EMPTY>
+"
+NULL
+string(277) "<!ENTITY % incent SYSTEM "dom.ent">
+<!ENTITY amp "&#38;#38;">
+<!ENTITY gt "&#62;">
+<!ENTITY % coreattrs "title CDATA #IMPLIED">
+<!ENTITY % attrs "%coreattrs;">
+<!ATTLIST foo bar CDATA #IMPLIED>
+<!ELEMENT foo (#PCDATA)>
+<!ELEMENT root (foo)+>
+<!ATTLIST th title CDATA #IMPLIED>
+"
+===DONE===

ext/dom/tests/bug67081_0.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<!DOCTYPE a [
+   <!ELEMENT a EMPTY>
+]>
+<a></a>
+

ext/dom/tests/bug67081_1.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<!DOCTYPE a [
+   <!ELEMENT a EMPTY>
+   <!ELEMENT b EMPTY>
+]>
+<a></a>
+

ext/dom/tests/bug67081_2.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<a></a>
+

ext/spl/README

@@ -4,4 +4,4 @@ code in the file spl.php or in the corresponding .inc file in the examples
 subdirectory. Based on the internal implementations or the files in the 
 examples subdirectory there are also some .php files to experiment with.
 
-For more information look at: http://php.net/~helly/php/ext/spl
+For more information look at: http://php.net/manual/en/book.spl.php

ext/spl/spl.php

@@ -145,9 +145,6 @@
  * - Debug session 2 <a href="http://talks.somabo.de/200509_toronto_iterator_debug_session_1.pps">[pps]</a>, <a href="http://talks.somabo.de/200509_toronto_iterator_debug_session_1.pdf">[pdf]</a>, <a href="http://taks.somabo.de/200411_php_conference_frankfrurt_iterator_debug_session.swf">[swf]</a>
  * - Debug session 3 <a href="http://talks.somabo.de/200509_toronto_iterator_debug_session_2.pps">[pps]</a>, <a href="http://talks.somabo.de/200509_toronto_iterator_debug_session_2.pdf">[pdf]</a>
  *
- * You can download this documentation as a chm file
- * <a href="http://php.net/~helly/php/ext/spl/spl.chm">here</a>.
- *
  * (c) Marcus Boerger, 2003 - 2007
  */
 

ext/standard/tests/serialize/005.phpt

@@ -156,9 +156,11 @@ object(TestNAOld)#%d (0) {
 }
 ===NANew===
 unserializer(TestNANew)
-TestNew::__wakeup()
-object(TestNANew)#%d (0) {
-}
+
+Warning: Erroneous data format for unserializing 'TestNANew' in %s005.php on line %d
+
+Notice: unserialize(): Error at offset 19 of 20 bytes in %s005.php on line %d
+bool(false)
 ===NANew2===
 unserializer(TestNANew2)
 TestNew::unserialize()

ext/standard/tests/serialize/bug67072.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #67072 Echoing unserialized "SplFileObject" crash
+--FILE--
+<?php
+	echo unserialize('O:13:"SplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Erroneous data format for unserializing 'SplFileObject' in %sbug67072.php on line %d
+
+Notice: unserialize(): Error at offset 24 of 64 bytes in %sbug67072.php on line %d
+===DONE==