From 7c081db885756d7b176a55b90b8746f664d1e042 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 7 Mar 2020 11:20:06 +0100
Subject: Fix #61597: SXE properties may lack attributes and content

We must not treat a node as string if it has attributes, unless it is
an entity declaration which is always treated as string by simplexml.
---
 NEWS                              |  3 +++
 ext/simplexml/simplexml.c         |  2 +-
 ext/simplexml/tests/000.phpt      | 32 +++++++++++++++++++++++++++++++-
 ext/simplexml/tests/009b.phpt     | 25 +++++++++++++++++++++++--
 ext/simplexml/tests/bug51615.phpt | 26 +++++++++++++++++++++++---
 ext/simplexml/tests/bug61597.phpt | 30 ++++++++++++++++++++++++++++++
 6 files changed, 111 insertions(+), 7 deletions(-)
 create mode 100644 ext/simplexml/tests/bug61597.phpt

diff --git a/NEWS b/NEWS
index 7d61149ac0..8fd4c708fd 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP                                                                        NEWS
   . Fixed bug #79364 (When copy empty array, next key is unspecified). (cmb)
   . Fixed bug #78210 (Invalid pointer address). (cmb, Nikita)
 
+- SimpleXML:
+  . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)
+
 - Spl:
   . Fixed bug #75673 (SplStack::unserialize() behavior). (cmb)
 
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index ab394b5c83..a27a9849a3 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -964,7 +964,7 @@ static void _get_base_node_value(php_sxe_object *sxe_ref, xmlNodePtr node, zval
 	php_sxe_object *subnode;
 	xmlChar        *contents;
 
-	if (node->children && node->children->type == XML_TEXT_NODE && !xmlIsBlankNode(node->children)) {
+	if ((!node->properties || node->type == XML_ENTITY_DECL) && node->children && node->children->type == XML_TEXT_NODE && !xmlIsBlankNode(node->children)) {
 		contents = xmlNodeListGetString(node->doc, node->children, 1);
 		if (contents) {
 			ZVAL_STRING(value, (char *)contents);
diff --git a/ext/simplexml/tests/000.phpt b/ext/simplexml/tests/000.phpt
index 8a35fc9ba3..dde32d8eaa 100644
--- a/ext/simplexml/tests/000.phpt
+++ b/ext/simplexml/tests/000.phpt
@@ -51,7 +51,37 @@ object(SimpleXMLElement)#%d (3) {
   ["elem1"]=>
   array(2) {
     [0]=>
-    string(36) "There is some text.Here is some more"
+    object(SimpleXMLElement)#%d (3) {
+      ["@attributes"]=>
+      array(2) {
+        ["attr1"]=>
+        string(5) "first"
+        ["attr2"]=>
+        string(6) "second"
+      }
+      ["comment"]=>
+      object(SimpleXMLElement)#%d (0) {
+      }
+      ["elem2"]=>
+      object(SimpleXMLElement)#%d (2) {
+        ["@attributes"]=>
+        array(2) {
+          ["att25"]=>
+          string(2) "25"
+          ["att42"]=>
+          string(2) "42"
+        }
+        ["elem3"]=>
+        object(SimpleXMLElement)#%d (1) {
+          ["elem4"]=>
+          object(SimpleXMLElement)#%d (1) {
+            ["test"]=>
+            object(SimpleXMLElement)#%d (0) {
+            }
+          }
+        }
+      }
+    }
     [1]=>
     object(SimpleXMLElement)#%d (1) {
       ["@attributes"]=>
diff --git a/ext/simplexml/tests/009b.phpt b/ext/simplexml/tests/009b.phpt
index fd920e2e26..a8ca72c5ea 100644
--- a/ext/simplexml/tests/009b.phpt
+++ b/ext/simplexml/tests/009b.phpt
@@ -28,8 +28,29 @@ object(SimpleXMLElement)#%d (3) {
     string(5) "elem1"
   }
   ["elem1"]=>
-  string(10) "Bla bla 1."
+  object(SimpleXMLElement)#%d (3) {
+    ["@attributes"]=>
+    array(1) {
+      ["attr1"]=>
+      string(5) "first"
+    }
+    ["comment"]=>
+    object(SimpleXMLElement)#%d (0) {
+    }
+    ["elem2"]=>
+    string(35) "
+   Here we have some text data.
+  "
+  }
   ["elem11"]=>
-  string(10) "Bla bla 2."
+  object(SimpleXMLElement)#%d (2) {
+    ["@attributes"]=>
+    array(1) {
+      ["attr2"]=>
+      string(6) "second"
+    }
+    [0]=>
+    string(10) "Bla bla 2."
+  }
 }
 ===DONE===
diff --git a/ext/simplexml/tests/bug51615.phpt b/ext/simplexml/tests/bug51615.phpt
index b935414b80..32af5f6ee4 100644
--- a/ext/simplexml/tests/bug51615.phpt
+++ b/ext/simplexml/tests/bug51615.phpt
@@ -22,7 +22,7 @@ foreach ($html->body->span as $obj) {
 Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
 
 Warning: DOMDocument::loadHTML(): error parsing attribute name in Entity, line: 1 in %s on line %d
-object(SimpleXMLElement)#%d (3) {
+object(SimpleXMLElement)#5 (3) {
   ["@attributes"]=>
   array(2) {
     ["title"]=>
@@ -31,9 +31,29 @@ object(SimpleXMLElement)#%d (3) {
     string(0) ""
   }
   [0]=>
-  string(1) "x"
+  object(SimpleXMLElement)#4 (2) {
+    ["@attributes"]=>
+    array(2) {
+      ["title"]=>
+      string(0) ""
+      ["y"]=>
+      string(0) ""
+    }
+    [0]=>
+    string(1) "x"
+  }
   [1]=>
-  string(1) "x"
+  object(SimpleXMLElement)#6 (2) {
+    ["@attributes"]=>
+    array(2) {
+      ["title"]=>
+      string(0) ""
+      ["z"]=>
+      string(0) ""
+    }
+    [0]=>
+    string(1) "x"
+  }
 }
 string(0) ""
 string(0) ""
diff --git a/ext/simplexml/tests/bug61597.phpt b/ext/simplexml/tests/bug61597.phpt
new file mode 100644
index 0000000000..65fa6be772
--- /dev/null
+++ b/ext/simplexml/tests/bug61597.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #61597 (SXE properties may lack attributes and content)
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+$xml = <<<'EOX'
+<?xml version="1.0"?>
+<data>
+<datum file-key="8708124062829849862">corn</datum>
+</data>
+EOX;
+
+var_dump(simplexml_load_string($xml));
+?>
+--EXPECTF--
+object(SimpleXMLElement)#%d (1) {
+  ["datum"]=>
+  object(SimpleXMLElement)#%d (2) {
+    ["@attributes"]=>
+    array(1) {
+      ["file-key"]=>
+      string(19) "8708124062829849862"
+    }
+    [0]=>
+    string(4) "corn"
+  }
+}
-- 
cgit v1.2.1