Fix phpGH-12616: DOM: Removing XMLNS namespace node results in invalid default: prefix

The namespace data is freed and set to NULL, but there remain references
to the namespace declaration nodes. This (rightfully) confuses libxml2
because its invariants are broken. We also have to remove all remaining
references from the subtree. This fixes the data corruption bug.

Closes phpGH-12681.

Author: nielsdos

NEWS

@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.1.27
 
+- DOM:
+  . Fixed bug GH-12616 (DOM: Removing XMLNS namespace node results in invalid
+    default: prefix). (nielsdos)
+
 - Intl:
   . Fixed bug GH-12635 (Test bug69398.phpt fails with ICU 74.1). (nielsdos)
 

ext/dom/element.c

@@ -724,6 +724,83 @@ PHP_METHOD(DOMElement, setAttributeNS)
 }
 /* }}} end dom_element_set_attribute_ns */
 
+static void dom_remove_eliminated_ns_single_element(xmlNodePtr node, xmlNsPtr eliminatedNs)
+{
+	ZEND_ASSERT(node->type == XML_ELEMENT_NODE);
+	if (node->ns == eliminatedNs) {
+		node->ns = NULL;
+	}
+
+	for (xmlAttrPtr attr = node->properties; attr != NULL; attr = attr->next) {
+		if (attr->ns == eliminatedNs) {
+			attr->ns = NULL;
+		}
+	}
+}
+
+static void dom_remove_eliminated_ns(xmlNodePtr node, xmlNsPtr eliminatedNs)
+{
+	dom_remove_eliminated_ns_single_element(node, eliminatedNs);
+
+	xmlNodePtr base = node;
+	node = node->children;
+	while (node != NULL) {
+		ZEND_ASSERT(node != base);
+
+		if (node->type == XML_ELEMENT_NODE) {
+			dom_remove_eliminated_ns_single_element(node, eliminatedNs);
+
+			if (node->children) {
+				node = node->children;
+				continue;
+			}
+		}
+
+		if (node->next) {
+			node = node->next;
+		} else {
+			/* Go upwards, until we find a parent node with a next sibling, or until we hit the base. */
+			do {
+				node = node->parent;
+				if (node == base) {
+					return;
+				}
+			} while (node->next == NULL);
+			node = node->next;
+		}
+	}
+}
+
+static void dom_eliminate_ns(xmlNodePtr nodep, xmlNsPtr nsptr)
+{
+	if (nsptr->href != NULL) {
+		xmlFree((char *) nsptr->href);
+		nsptr->href = NULL;
+	}
+	if (nsptr->prefix != NULL) {
+		xmlFree((char *) nsptr->prefix);
+		nsptr->prefix = NULL;
+	}
+
+	/* Remove it from the list and move it to the old ns list */
+	xmlNsPtr current_ns = nodep->nsDef;
+	if (current_ns == nsptr) {
+		nodep->nsDef = nsptr->next;
+	} else {
+		do {
+			if (current_ns->next == nsptr) {
+				current_ns->next = nsptr->next;
+				break;
+			}
+			current_ns = current_ns->next;
+		} while (current_ns != NULL);
+	}
+	nsptr->next = NULL;
+	dom_set_old_ns(nodep->doc, nsptr);
+
+	dom_remove_eliminated_ns(nodep, nsptr);
+}
+
 /* {{{ URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-ElRemAtNS
 Since: DOM Level 2
 */
@@ -754,14 +831,7 @@ PHP_METHOD(DOMElement, removeAttributeNS)
 	nsptr = dom_get_nsdecl(nodep, (xmlChar *)name);
 	if (nsptr != NULL) {
 		if (xmlStrEqual((xmlChar *)uri, nsptr->href)) {
-			if (nsptr->href != NULL) {
-				xmlFree((char *) nsptr->href);
-				nsptr->href = NULL;
-			}
-			if (nsptr->prefix != NULL) {
-				xmlFree((char *) nsptr->prefix);
-				nsptr->prefix = NULL;
-			}
+			dom_eliminate_ns(nodep, nsptr);
 		} else {
 			RETURN_NULL();
 		}

ext/dom/tests/gh12616_1.phpt

@@ -0,0 +1,36 @@
+--TEST--
+GH-12616 (DOM: Removing XMLNS namespace node results in invalid default: prefix)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$doc = new DOMDocument();
+$doc->loadXML(
+    <<<XML
+    <container xmlns="http://symfony.com/schema/dic/services">
+      CHILDREN
+    </container>
+    XML
+);
+
+$doc->documentElement->removeAttributeNS('http://symfony.com/schema/dic/services', '');
+echo $doc->saveXML();
+
+$new = new DOMDocument();
+$new->append(
+    $new->importNode($doc->documentElement, true)
+);
+
+echo $new->saveXML();
+
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<container>
+  CHILDREN
+</container>
+<?xml version="1.0"?>
+<container>
+  CHILDREN
+</container>

ext/dom/tests/gh12616_2.phpt

@@ -0,0 +1,39 @@
+--TEST--
+GH-12616 (DOM: Removing XMLNS namespace node results in invalid default: prefix)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$doc = new DOMDocument();
+$doc->loadXML(
+    <<<XML
+    <container xmlns:test="urn:test" xmlns:symfony="http://symfony.com/schema/dic/services">
+        <symfony:services>
+            <test:service id="hello" />
+        </symfony:services>
+    </container>
+    XML
+);
+
+$doc->documentElement->removeAttributeNS('http://symfony.com/schema/dic/services', 'symfony');
+$xpath = new DOMXPath($doc);
+$xpath->registerNamespace('test', 'urn:test');
+
+echo $doc->saveXML();
+
+$result = $xpath->query('//container/services/test:service[@id="hello"]');
+var_dump($result);
+
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<container xmlns:test="urn:test">
+    <services>
+        <test:service id="hello"/>
+    </services>
+</container>
+object(DOMNodeList)#4 (1) {
+  ["length"]=>
+  int(1)
+}

ext/dom/tests/gh12616_3.phpt

@@ -0,0 +1,152 @@
+--TEST--
+GH-12616 (DOM: Removing XMLNS namespace node results in invalid default: prefix)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$doc = new DOMDocument();
+$doc->loadXML(
+    <<<XML
+    <container>
+      <child1 xmlns:x="http://symfony.com/schema/dic/services">
+        <x:foo x:bar=""/>
+        <x:foo x:bar=""/>
+      </child1>
+      <child2 xmlns:x="http://symfony.com/schema/dic/services">
+        <x:foo x:bar=""/>
+        <x:foo x:bar=""/>
+      </child2>
+    </container>
+    XML
+);
+
+$doc->documentElement->firstElementChild->removeAttributeNS('http://symfony.com/schema/dic/services', 'x');
+echo $doc->saveXML();
+
+$xpath = new DOMXPath($doc);
+
+echo "--- Namespaces of child1 ---\n";
+
+foreach ($xpath->query("/container/child1/namespace::*") as $ns) {
+    var_dump($ns);
+}
+
+echo "--- Namespaces of child1/foo (both nodes) ---\n";
+
+foreach ($xpath->query("/container/child1/foo/namespace::*") as $ns) {
+    var_dump($ns);
+}
+
+echo "--- Namespaces of child2 ---\n";
+
+foreach ($xpath->query("/container/child2/namespace::*") as $ns) {
+    var_dump($ns);
+}
+
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<container>
+  <child1>
+    <foo bar=""/>
+    <foo bar=""/>
+  </child1>
+  <child2 xmlns:x="http://symfony.com/schema/dic/services">
+    <x:foo x:bar=""/>
+    <x:foo x:bar=""/>
+  </child2>
+</container>
+--- Namespaces of child1 ---
+object(DOMNameSpaceNode)#4 (8) {
+  ["nodeName"]=>
+  string(9) "xmlns:xml"
+  ["nodeValue"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["nodeType"]=>
+  int(18)
+  ["prefix"]=>
+  string(3) "xml"
+  ["localName"]=>
+  string(3) "xml"
+  ["namespaceURI"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["ownerDocument"]=>
+  string(22) "(object value omitted)"
+  ["parentNode"]=>
+  string(22) "(object value omitted)"
+}
+--- Namespaces of child1/foo (both nodes) ---
+object(DOMNameSpaceNode)#5 (8) {
+  ["nodeName"]=>
+  string(9) "xmlns:xml"
+  ["nodeValue"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["nodeType"]=>
+  int(18)
+  ["prefix"]=>
+  string(3) "xml"
+  ["localName"]=>
+  string(3) "xml"
+  ["namespaceURI"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["ownerDocument"]=>
+  string(22) "(object value omitted)"
+  ["parentNode"]=>
+  string(22) "(object value omitted)"
+}
+object(DOMNameSpaceNode)#8 (8) {
+  ["nodeName"]=>
+  string(9) "xmlns:xml"
+  ["nodeValue"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["nodeType"]=>
+  int(18)
+  ["prefix"]=>
+  string(3) "xml"
+  ["localName"]=>
+  string(3) "xml"
+  ["namespaceURI"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["ownerDocument"]=>
+  string(22) "(object value omitted)"
+  ["parentNode"]=>
+  string(22) "(object value omitted)"
+}
+--- Namespaces of child2 ---
+object(DOMNameSpaceNode)#9 (8) {
+  ["nodeName"]=>
+  string(9) "xmlns:xml"
+  ["nodeValue"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["nodeType"]=>
+  int(18)
+  ["prefix"]=>
+  string(3) "xml"
+  ["localName"]=>
+  string(3) "xml"
+  ["namespaceURI"]=>
+  string(36) "http://www.w3.org/XML/1998/namespace"
+  ["ownerDocument"]=>
+  string(22) "(object value omitted)"
+  ["parentNode"]=>
+  string(22) "(object value omitted)"
+}
+object(DOMNameSpaceNode)#5 (8) {
+  ["nodeName"]=>
+  string(7) "xmlns:x"
+  ["nodeValue"]=>
+  string(38) "http://symfony.com/schema/dic/services"
+  ["nodeType"]=>
+  int(18)
+  ["prefix"]=>
+  string(1) "x"
+  ["localName"]=>
+  string(1) "x"
+  ["namespaceURI"]=>
+  string(38) "http://symfony.com/schema/dic/services"
+  ["ownerDocument"]=>
+  string(22) "(object value omitted)"
+  ["parentNode"]=>
+  string(22) "(object value omitted)"
+}