From 2e2c8443a50d07a2d4bf6fa31a3bb163a9a0ebe2 Mon Sep 17 00:00:00 2001
From: Weilin Du <weilindu@php.net>
Date: Thu, 18 Jun 2026 11:14:58 +0800
Subject: [PATCH] ext/standard: Reject NUL bytes in `dl()`

---
 NEWS                                               |  2 ++
 UPGRADING                                          |  2 ++
 ext/standard/dl.c                                  |  2 +-
 .../tests/general_functions/dl_null_bytes.phpt     | 14 ++++++++++++++
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/general_functions/dl_null_bytes.phpt

diff --git a/NEWS b/NEWS
index 2bbe43032ece..652c415d526f 100644
--- a/NEWS
+++ b/NEWS
@@ -254,6 +254,8 @@ PHP                                                                        NEWS
     (Weilin Du)
   . getenv() and putenv() now raises a ValueError when the first argument
     contains null bytes. (Weilin Du)
+  . dl() now raises a ValueError when the $extension_filename argument
+    contains null bytes. (Weilin Du)
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes. (Weilin Du)
   . proc_open() now raises a ValueError when the $cwd argument contains
diff --git a/UPGRADING b/UPGRADING
index bdadc6efbefc..f840340fb7fb 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -151,6 +151,8 @@ PHP 8.6 UPGRADE NOTES
     argument value is passed.
   . getenv() and putenv() now raises a ValueError when the first argument
     contains null bytes.
+  . dl() now raises a ValueError when the $extension_filename argument
+    contains null bytes.
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes.
   . linkinfo() now raises a ValueError when the $path argument is empty.
diff --git a/ext/standard/dl.c b/ext/standard/dl.c
index a6d0ced6fa86..ca8ba57a16e9 100644
--- a/ext/standard/dl.c
+++ b/ext/standard/dl.c
@@ -43,7 +43,7 @@ PHPAPI PHP_FUNCTION(dl)
 	size_t filename_len;
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(filename, filename_len)
+		Z_PARAM_PATH(filename, filename_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (!PG(enable_dl)) {
diff --git a/ext/standard/tests/general_functions/dl_null_bytes.phpt b/ext/standard/tests/general_functions/dl_null_bytes.phpt
new file mode 100644
index 000000000000..7f251393ba3b
--- /dev/null
+++ b/ext/standard/tests/general_functions/dl_null_bytes.phpt
@@ -0,0 +1,14 @@
+--TEST--
+dl() rejects null bytes in extension filename
+--FILE--
+<?php
+
+try {
+    dl("foo\0bar");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+dl(): Argument #1 ($extension_filename) must not contain any null bytes