mb_decode_numericentity converts entities which immediately follow a valid/invalid entity

alexdowad · alexdowad · commit 898519a9f15c · 2022-07-18T09:34:00.000+02:00
Thanks to Kamil Tieleka for suggesting that some of the behaviors of the legacy implementation which the new mb_decode_numericentity implementation took care to maintain were actually bugs and should be fixed. Thanks also to Trevor Rowbotham for providing a link to the HTML specification, showing how HTML numeric entities should be interpreted. mb_decode_numericentity now processes numeric entities in the following situations where the old implementation would not: - &<ENTITY> (for example, &&php#65;) - &#<ENTITY> - &#x<ENTITY> - <VALID BUT UNTERMINATED DECIMAL ENTITY><ENTITY> (for example, &php#65&php#65;) - <VALID BUT UNTERMINATED HEX ENTITY><ENTITY> - <INVALID AND UNTERMINATED DECIMAL ENTITY><ENTITY> (it does not matter why the first entity is invalid; the value could be too big, it could have too many digits, or it could not match the 'convmap' parameter) - <INVALID AND UNTERMINATED HEX ENTITY><ENTITY> This is consistent with the way that web browsers process HTML entities.
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3408,11 +3408,6 @@ static zend_string* html_numeric_entity_decode(zend_string *input, const mbfl_en
 					/* Invalid entity */
 					memcpy(converted, p, (p2 - p) * 4);
 					converted += p2 - p;
-					if ((p2 - p) == 3) {
-						/* For compatibility with legacy behavior; if &#x is followed
-						 * by another entity, we don't convert the 2nd entity */
-						*converted++ = *p2++;
-					}
 				} else {
 					/* Valid hexadecimal entity */
 					uint32_t value = 0;
@@ -3430,16 +3425,12 @@ static zend_string* html_numeric_entity_decode(zend_string *input, const mbfl_en
 					uint32_t original;
 					if (html_numeric_entity_deconvert(value, convmap, mapsize, &original)) {
 						*converted++ = original;
-						if (*p2 != ';')
-							*converted++ = *p2;
+						if (*p2 == ';')
+							p2++;
 					} else {
-						memcpy(converted, p, (p2 - p + 1) * 4);
-						converted += p2 - p + 1;
+						memcpy(converted, p, (p2 - p) * 4);
+						converted += p2 - p;
 					}
-					/* For compatibility with legacy behavior:
-					 * We don't consider & as starting a new entity if it
-					 * terminates a preceding entity */
-					p2++;
 				}
 			} else if (p2 == wchar_buf + out_len && in_len) {
 				wchar_buf[0] = '&';
@@ -3469,11 +3460,6 @@ static zend_string* html_numeric_entity_decode(zend_string *input, const mbfl_en
 					/* Invalid entity */
 					memcpy(converted, p, (p2 - p) * 4);
 					converted += p2 - p;
-					if ((p2 - p) == 2) {
-						/* For compatibility with legacy behavior; if &# is followed
-						 * by another entity, we don't convert the 2nd entity */
-						*converted++ = *p2++;
-					}
 				} else {
 					/* Valid decimal entity */
 					uint32_t value = 0;
@@ -3492,16 +3478,12 @@ static zend_string* html_numeric_entity_decode(zend_string *input, const mbfl_en
 					uint32_t original;
 					if (html_numeric_entity_deconvert(value, convmap, mapsize, &original)) {
 						*converted++ = original;
-						if (*p2 != ';')
-							*converted++ = *p2;
+						if (*p2 == ';')
+							p2++;
 					} else {
-						memcpy(converted, p, (p2 - p + 1) * 4);
-						converted += p2 - p + 1;
+						memcpy(converted, p, (p2 - p) * 4);
+						converted += p2 - p;
 					}
-					/* For compatibility with legacy behavior:
-					 * We don't consider & as starting a new entity if it
-					 * terminates a preceding entity */
-					p2++;
 				}
 			}
 		} else if (p2 == wchar_buf + out_len) {
@@ -3516,17 +3498,6 @@ static zend_string* html_numeric_entity_decode(zend_string *input, const mbfl_en
 			}
 		} else {
 			*converted++ = '&';
-			if (*p2 == '&') {
-				/* Two successive ampersands convert to a single one,
-				 * and we do NOT allow the second one to start an entity
-				 * Duplicating the legacy behavior of mb_decode_numericentity here */
-				*converted++ = '&';
-				p2++;
-				if (p2 == wchar_buf + out_len) {
-					/* Corner case: two &'s at end of buffer */
-					goto process_converted_wchars_no_offset;
-				}
-			}
 		}
 decimal_entity_too_big:
 
diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt
@@ -93,33 +93,28 @@ test("More than 8 digits for hex entity", "&#x000000141;", "&#x000000141;", [0,
 
 test("Single &", "&", "&", [0, 0xFFFF, 0, 0xFFFF], "ASCII");
 
-// We don't allow an entity to come right after a preceding ampersand
-// (This is for compatibility with the legacy behavior of mb_decode_numericentity)
-test("Successive &", "&&#2,", "&&#2,", [0xffe9ade7, 0x6237b6ff, 0xaa597469, 0x612800], 'ASCII');
+// An entity can come right after a preceding ampersand
+test("Successive &", "&&#65,", "&A,", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
 
-// We don't allow an entity to come right after a preceding &#
-// (Also for compatibility with the legacy behavior of mb_decode_numericentity)
-test("Successive &#", "&#&#x32;", "&#&#x32;", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
-test("Successive &#x", "&#x&#x32;", "&#x&#x32;", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
+// An entity can come right after a preceding &#
+test("Successive &#", "&#&#x32;", "&#2", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
+test("Successive &#x", "&#x&#x32;", "&#x2", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
 
-// Don't allow the starting & of an entity to terminate a preceding entity
-// (Also for compatibility with the legacy behavior of mb_decode_numericentity)
-test("Successive &#65", "&#65&#65;", "A&#65;", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
+// The starting & of an entity can terminate a preceding entity
+test("Successive &#65", "&#65&#65;", "AA", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
+test("Successive hex entities", "&#x32&#x32;", "22", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
 
-// An entity CAN come right after an entity which is invalid because of being too long
+// An entity can come right after an entity which is invalid because of being too long
 test("Starting entity immediately after decimal entity which is too long", "&#10000000000&#65;", "&#10000000000A", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
 test("Starting entity immediately after hex entity which is too long", "&#x111111111&#65;", "&#x111111111A", [0, 0xFFFF, 0, 0xFFFF], 'ASCII');
 
-// The second entity is not accepted here, because it terminates a preceding entity
-// (To test entities which are as large as possible without being too large, we need to use UCS-4;
-// any other encoding would not allow codepoints that large)
 $ucs4_test1 = mb_convert_encoding("&#1000000000&#65;", 'UCS-4BE', 'ASCII');
-testNonAscii("Starting entity immediately after valid decimal entity which is just within maximum length", $ucs4_test1, "\x3B\x9A\xCA\x00\x00\x00\x00&\x00\x00\x00#\x00\x00\x006\x00\x00\x005\x00\x00\x00;", [0, 0xFFFFFFFF, 0, 0xFFFFFFFF], 'UCS-4BE');
+testNonAscii("Starting entity immediately after valid decimal entity which is just within maximum length", $ucs4_test1, "\x3B\x9A\xCA\x00\x00\x00\x00A", [0, 0xFFFFFFFF, 0, 0xFFFFFFFF], 'UCS-4BE');
 $ucs4_test2 = mb_convert_encoding("&#x11111111&#65;", 'UCS-4BE', 'ASCII');
-testNonAscii("Starting entity immediately after valid hex entity which is just within maximum length",  $ucs4_test2, "\x11\x11\x11\x11\x00\x00\x00&\x00\x00\x00#\x00\x00\x006\x00\x00\x005\x00\x00\x00;", [0, 0xFFFFFFFF, 0, 0xFFFFFFFF], 'UCS-4BE');
+testNonAscii("Starting entity immediately after valid hex entity which is just within maximum length",  $ucs4_test2, "\x11\x11\x11\x11\x00\x00\x00A", [0, 0xFFFFFFFF, 0, 0xFFFFFFFF], 'UCS-4BE');
 
-test("Starting entity immediately after invalid decimal entity", "&#0&#65;", "&#0&#65;", [0x1, 0xFFFF, 0, 0xFFFF], 'ASCII');
-test("Starting entity immediately after invalid hex entity", "&#x0&#65;", "&#x0&#65;", [0x1, 0xFFFF, 0, 0xFFFF], 'ASCII');
+test("Starting entity immediately after invalid decimal entity", "&#0&#65;", "&#0A", [0x1, 0xFFFF, 0, 0xFFFF], 'ASCII');
+test("Starting entity immediately after invalid hex entity", "&#x0&#65;", "&#x0A", [0x1, 0xFFFF, 0, 0xFFFF], 'ASCII');
 
 test("Starting entity immediately after too-big decimal entity", "&#7001492542&#65;", "&#7001492542A", [0, 0xFFFFFFFF, 0, 0xFFFFFFFF], 'ASCII');
 
@@ -166,16 +161,17 @@ More than 10 digits for decimal entity: string(14) "&#00000000165;" => string(14
 8 digits for hex entity: string(12) "&#x00000041;" => string(1) "A" (Good)
 More than 8 digits for hex entity: string(13) "&#x000000141;" => string(13) "&#x000000141;" (Good)
 Single &: string(1) "&" => string(1) "&" (Good)
-Successive &: string(5) "&&#2," => string(5) "&&#2," (Good)
-Successive &#: string(8) "&#&#x32;" => string(8) "&#&#x32;" (Good)
-Successive &#x: string(9) "&#x&#x32;" => string(9) "&#x&#x32;" (Good)
-Successive &#65: string(9) "&#65&#65;" => string(6) "A&#65;" (Good)
+Successive &: string(6) "&&#65," => string(3) "&A," (Good)
+Successive &#: string(8) "&#&#x32;" => string(3) "&#2" (Good)
+Successive &#x: string(9) "&#x&#x32;" => string(4) "&#x2" (Good)
+Successive &#65: string(9) "&#65&#65;" => string(2) "AA" (Good)
+Successive hex entities: string(11) "&#x32&#x32;" => string(2) "22" (Good)
 Starting entity immediately after decimal entity which is too long: string(18) "&#10000000000&#65;" => string(14) "&#10000000000A" (Good)
 Starting entity immediately after hex entity which is too long: string(17) "&#x111111111&#65;" => string(13) "&#x111111111A" (Good)
-Starting entity immediately after valid decimal entity which is just within maximum length: 000000260000002300000031000000300000003000000030000000300000003000000030000000300000003000000030000000260000002300000036000000350000003b => 3b9aca00000000260000002300000036000000350000003b (Good)
-Starting entity immediately after valid hex entity which is just within maximum length: 0000002600000023000000780000003100000031000000310000003100000031000000310000003100000031000000260000002300000036000000350000003b => 11111111000000260000002300000036000000350000003b (Good)
-Starting entity immediately after invalid decimal entity: string(8) "&#0&#65;" => string(8) "&#0&#65;" (Good)
-Starting entity immediately after invalid hex entity: string(9) "&#x0&#65;" => string(9) "&#x0&#65;" (Good)
+Starting entity immediately after valid decimal entity which is just within maximum length: 000000260000002300000031000000300000003000000030000000300000003000000030000000300000003000000030000000260000002300000036000000350000003b => 3b9aca0000000041 (Good)
+Starting entity immediately after valid hex entity which is just within maximum length: 0000002600000023000000780000003100000031000000310000003100000031000000310000003100000031000000260000002300000036000000350000003b => 1111111100000041 (Good)
+Starting entity immediately after invalid decimal entity: string(8) "&#0&#65;" => string(4) "&#0A" (Good)
+Starting entity immediately after invalid hex entity: string(9) "&#x0&#65;" => string(5) "&#x0A" (Good)
 Starting entity immediately after too-big decimal entity: string(17) "&#7001492542&#65;" => string(13) "&#7001492542A" (Good)
 Regression test (entity which decodes to 0xFFFFFFFF): string(5) "&#xe;" => string(1) "?" (Good)
 Regression test (truncation of successive & with JIS encoding): string(3) "&&&" => string(3) "&&&" (Good)
