Remove PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK from pcre compile options

mvorisek · nielsdos · commit 355700c90444 · 2025-03-31T20:01:45.000+02:00
This option is semi-deprecated [1] and shouldn't influence much anyway. The anticipated BC break is low. [1] PCRE2Project/pcre2#736 (comment) [2] PCRE2Project/pcre2#736 (comment) Closes GH-18150.
diff --git a/NEWS b/NEWS
@@ -96,6 +96,8 @@ PHP                                                                        NEWS
 
 - PCRE:
   . Upgraded to pre2lib from 10.44 to 10.45. (nielsdos)
+  . Remove PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK from pcre compile options.
+    (mvorisek)
 
 - PDO_PGSQL:
   . Added Iterable support for PDO::pgsqlCopyFromArray. (KentarouTakeda)
diff --git a/UPGRADING b/UPGRADING
@@ -59,6 +59,11 @@ PHP 8.5 UPGRADE NOTES
   . pcntl_exec() now throws ValueErrors when entries or keys of the
     $env_vars parameter contain null bytes.
 
+- PCRE:
+  . The extension is compiled without semi-deprecated
+    PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK compile option.
+    https://github.com/PCRE2Project/pcre2/issues/736#issuecomment-2754024651
+
 - PDO:
   . The constructor arguments set in conjunction with PDO::FETCH_CLASS now
     follow the usual CUFA (call_user_func_array) semantics.
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
@@ -199,13 +199,6 @@ static void php_pcre_efree(void *block, void *data)
 	efree(block);
 }
 
-#ifdef PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK
-	/* pcre 10.38 needs PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK, disabled by default */
-#define PHP_PCRE_DEFAULT_EXTRA_COPTIONS PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK
-#else
-#define PHP_PCRE_DEFAULT_EXTRA_COPTIONS 0
-#endif
-
 #define PHP_PCRE_PREALLOC_MDATA_SIZE 32
 
 static void php_pcre_init_pcre2(uint8_t jit)
@@ -226,8 +219,6 @@ static void php_pcre_init_pcre2(uint8_t jit)
 		}
 	}
 
-	pcre2_set_compile_extra_options(cctx, PHP_PCRE_DEFAULT_EXTRA_COPTIONS);
-
 	if (!mctx) {
 		mctx = pcre2_match_context_create(gctx);
 		if (!mctx) {
@@ -590,7 +581,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, bo
 #else
 	uint32_t			 coptions = 0;
 #endif
-	uint32_t			 eoptions = PHP_PCRE_DEFAULT_EXTRA_COPTIONS;
+	uint32_t			 eoptions = 0;
 	PCRE2_UCHAR	         error[128];
 	PCRE2_SIZE           erroffset;
 	int                  errnumber;
diff --git a/ext/pcre/tests/bug70345.phpt b/ext/pcre/tests/bug70345.phpt
@@ -1,5 +1,10 @@
 --TEST--
 Bug #70345 (Multiple vulnerabilities related to PCRE functions)
+--SKIPIF--
+<?php
+if (PCRE_VERSION_MAJOR == 10 && PCRE_VERSION_MINOR < 38) {
+    die("skip old pcre version");
+}
 --FILE--
 <?php
 $regex = '/(?=xyz\K)/';
@@ -14,8 +19,8 @@ preg_match($regex, $subject, $matches);
 var_dump($matches);
 ?>
 --EXPECTF--
+Warning: preg_split(): Compilation failed: \K is not allowed in lookarounds (but see PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) at offset 9 in %s on line %d
 bool(false)
 
-Warning: preg_match(): Get subpatterns list failed in %s on line %d
-array(0) {
-}
+Warning: preg_match(): Compilation failed: \K is not allowed in lookarounds (but see PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) at offset 12 in %s on line %d
+NULL
diff --git a/ext/pcre/tests/bug70345_old.phpt b/ext/pcre/tests/bug70345_old.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #70345 (Multiple vulnerabilities related to PCRE functions)
+--SKIPIF--
+<?php
+if (PCRE_VERSION_MAJOR != 10 || PCRE_VERSION_MINOR >= 38) {
+    die("skip new pcre version");
+}
+--FILE--
+<?php
+$regex = '/(?=xyz\K)/';
+$subject = "aaaaxyzaaaa";
+
+var_dump(preg_split($regex, $subject));
+
+$regex = '/(a(?=xyz\K))/';
+$subject = "aaaaxyzaaaa";
+preg_match($regex, $subject, $matches);
+
+var_dump($matches);
+?>
+--EXPECTF--
+bool(false)
+
+Warning: preg_match(): Get subpatterns list failed in %s on line %d
+array(0) {
+}
