Commit 36c4195a2e5 for php.net

commit 36c4195a2e56814263bb62ad9849aebd8ebd69bf
Author: Ilia Alshanetsky <ilia@ilia.ws>
Date:   Sat Apr 18 08:46:43 2026 -0400

    phar: fix NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent

    In the CGI/FastCGI branch of webPhar(), sapi_getenv("SCRIPT_NAME") can return NULL when the upstream server doesn't forward SCRIPT_NAME in the FastCGI params block. The return value was passed directly to strstr() without a NULL check, causing a segfault.

    Add a NULL guard that jumps to the finish: label, which is already used for the "SCRIPT_NAME doesn't match the phar basename" case. The fix matches the intent of the existing strstr check and requires no new cleanup.

    Closes GH-21797
    Closes GH-21802

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 18db3190bb0..cd888adc41e 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -649,6 +649,9 @@ PHP_METHOD(Phar, webPhar)
 			char *testit;

 			testit = sapi_getenv("SCRIPT_NAME", sizeof("SCRIPT_NAME")-1);
+			if (!testit) {
+				goto finish;
+			}
 			if (!(pt = strstr(testit, basename))) {
 				efree(testit);
 				goto finish;
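Review bot: The added `if (!testit)` guard in the CGI/FastCGI branch has no comment, so a reader cannot tell why it skips the `efree(testit)` that the strstr failure path directly below performs. I would put `/* SCRIPT_NAME may be absent from the request environment; nothing was allocated, so there is nothing to free */` above the guard. Because the crash was reachable from request metadata, the comment should also say that the function leaves through `finish` exactly as it does for a non-matching SCRIPT_NAME. The body of webPhar() starts and ends outside this hunk, so what `finish:` does is not visible here.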
diff --git a/ext/phar/tests/gh21797.phpt b/ext/phar/tests/gh21797.phpt
new file mode 100644
index 00000000000..b24e30b7829
--- /dev/null
+++ b/ext/phar/tests/gh21797.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-21797: Phar::webPhar() NULL dereference when SCRIPT_NAME absent from SAPI environment
+--CGI--
+--EXTENSIONS--
+phar
+--INI--
+phar.readonly=0
+phar.require_hash=0
+variables_order=EGPC
+register_argc_argv=0
+cgi.fix_pathinfo=0
+--ENV--
+REQUEST_METHOD=GET
+PATH_INFO=/gh21797.phar
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.phar';
+$phar = new Phar($fname);
+$phar->addFromString('index.php', '<?php echo "ok\n"; ?>');
+$phar->setStub('<?php
+Phar::webPhar();
+echo "no crash\n";
+__HALT_COMPILER(); ?>');
+unset($phar);
+include $fname;
+?>
+--CLEAN--
+<?php @unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar'); ?>
+--EXPECT--
+no crash
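Review bot: The test reaches the fixed path only because `--ENV--` leaves SCRIPT_NAME out, and nothing in the file says the omission is deliberate. A `--DESCRIPTION--` section, or a comment at the top of `--FILE--` such as `// SCRIPT_NAME is intentionally not set: webPhar() must return instead of crashing`, would keep a later edit from adding the variable and silently turning this into a test that no longer covers the regression. The test presumably also relies on SCRIPT_NAME not being inherited from the runner's own environment, which is worth confirming.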