From 379ef33477d3c7f3d80ab7295f1af25f14ffe499 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Fri, 10 Feb 2023 20:30:05 +0000 Subject: [PATCH 1/2] proc_open: reject array with empty command name proc_open([""], $ds, $pipes) is invalid, reject and warn. --- ext/standard/proc_open.c | 6 ++++++ .../tests/general_functions/proc_open_array.phpt | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c index dfffed6cfbe36..613cc48644c49 100644 --- a/ext/standard/proc_open.c +++ b/ext/standard/proc_open.c @@ -475,6 +475,12 @@ static zend_string *get_valid_arg_string(zval *zv, int elem_num) { return NULL; } + if (elem_num == 1 && ZSTR_LEN(str) == 0) { + zend_value_error("First element must contain a non-empty program name"); + zend_string_release(str); + return NULL; + } + if (strlen(ZSTR_VAL(str)) != ZSTR_LEN(str)) { zend_value_error("Command array element %d contains a null byte", elem_num); zend_string_release(str); diff --git a/ext/standard/tests/general_functions/proc_open_array.phpt b/ext/standard/tests/general_functions/proc_open_array.phpt index 9f969a1c32f24..239dc116cd601 100644 --- a/ext/standard/tests/general_functions/proc_open_array.phpt +++ b/ext/standard/tests/general_functions/proc_open_array.phpt @@ -31,6 +31,13 @@ try { echo $exception->getMessage() . "\n"; } +echo "\nEmpty program name:\n"; +try { + proc_open([""], $ds, $pipes); +} catch (ValueError $exception) { + echo $exception->getMessage() . "\n"; +} + echo "\nBasic usage:\n"; $proc = proc_open([$php, '-r', 'echo "Hello World!\n";'], $ds, $pipes); fpassthru($pipes[1]); @@ -76,6 +83,9 @@ Command array element 1 contains a null byte Nul byte in argument: Command array element 2 contains a null byte +Empty program name: +First element must contain a non-empty program name + Basic usage: Hello World! From 78f736b0a05f51a47fa2b98c7f6a50fe5e066cfb Mon Sep 17 00:00:00 2001 
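Review bot: The new empty-name branch in get_valid_arg_string() keys on the bare literal `elem_num == 1`, and its message drops the "Command array element %d ..." wording used by the null-byte error directly below it, so the ValueError text no longer says it came from the command array. Consider `zend_value_error("Command array element 1 must be a non-empty program name");` (with the .phpt expectation updated to match) and a short comment such as `/* element 1 is the program to execute; later arguments may legitimately be empty */`. The check rejects only a zero-length first element, while the UPGRADING entry in patch 2/2 ("at least one non empty element") reads as a looser rule; that entry should probably say the first element must be non-empty. The function starts and ends outside this hunk, so how callers number elements is assumed from the existing "element %d" message.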
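Review bot: The added case in proc_open_array.phpt exercises only `proc_open([""], $ds, $pipes)`, so nothing pins that the rejection is limited to the first element. A case with an empty later argument, for example `proc_open([$php, '-r', ''], $ds, $pipes)`, expected to succeed, would guard against the check being widened. A case with `["", "arg"]`, expected to throw the same ValueError, would guard against it being narrowed to single-element arrays.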
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Tue, 14 Feb 2023 16:09:01 +0000 Subject: [PATCH 2/2] add upgrading note for proc_open --- UPGRADING | 1 + 1 file changed, 1 insertion(+) diff --git a/UPGRADING b/UPGRADING index 5a8429b6e7633..81b072a088d0c 100644 --- a/UPGRADING +++ b/UPGRADING @@ -73,6 +73,7 @@ PHP 8.3 UPGRADE NOTES . strtok() raises a warning in the case token is not provided when starting tokenization. . password_hash() will now chain the underlying Random\RandomException as the ValueError’s $previous Exception when salt generation fails. + . proc_open() $command array must now have at least one non empty element. ======================================== 6. New Functions