From 65fd4d83bcd5ded8321f2c4fa707ff380326cec4 Mon Sep 17 00:00:00 2001
From: Peter Kokot <peterkokot@gmail.com>
Date: Wed, 28 Jan 2026 17:25:40 +0100
Subject: [PATCH 1/4] Remove ext/spl dependency from ext/session (#21060)

This is a follow-up of 668606816f4f7cffe872ed5344f5aa7225ea51e3
(GH-21001).

The SPL extension is no longer needed to be listed among dependencies.
The https://bugs.php.net/53141 is tested in
ext/session/tests/bug53141.phpt.

Additionally:
- Added missing inclusion guards to Zend/zend_autoload.h
---
 Zend/zend_autoload.h   |  5 +++++
 ext/session/config.m4  |  2 --
 ext/session/config.w32 |  2 --
 ext/session/session.c  | 11 +++--------
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/Zend/zend_autoload.h b/Zend/zend_autoload.h
index 24f1de6b78df..fde4a4a82e9a 100644
--- a/Zend/zend_autoload.h
+++ b/Zend/zend_autoload.h
@@ -16,6 +16,9 @@
    +----------------------------------------------------------------------+
 */
 
+#ifndef _ZEND_AUTOLOAD_H
+#define _ZEND_AUTOLOAD_H
+
 #include "zend_string.h"
 #include "zend_hash.h"
 #include "zend_API.h"
@@ -28,3 +31,5 @@ ZEND_API void zend_autoload_fcc_map_to_callable_zval_map(zval *return_value);
 /* Only for deprecated strange behaviour of spl_autoload_unregister() */
 ZEND_API void zend_autoload_clean_class_loaders(void);
 void zend_autoload_shutdown(void);
+
+#endif
diff --git a/ext/session/config.m4 b/ext/session/config.m4
index 36cfdf10972a..cce00e585122 100644
--- a/ext/session/config.m4
+++ b/ext/session/config.m4
@@ -20,8 +20,6 @@ if test "$PHP_SESSION" != "no"; then
     [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
 
   PHP_ADD_EXTENSION_DEP(session, date)
-  dnl https://bugs.php.net/53141
-  PHP_ADD_EXTENSION_DEP(session, spl, true)
 
   PHP_SUBST([SESSION_SHARED_LIBADD])
   PHP_INSTALL_HEADERS([ext/session], [php_session.h mod_files.h mod_user.h])
diff --git a/ext/session/config.w32 b/ext/session/config.w32
index 40f9f78a313e..50fdc087d4e9 100644
--- a/ext/session/config.w32
+++ b/ext/session/config.w32
@@ -5,8 +5,6 @@ ARG_ENABLE("session", "session support", "yes");
 if (PHP_SESSION == "yes") {
 	EXTENSION("session", "mod_user_class.c session.c mod_files.c mod_user.c", false /* never shared */, "/DZEND_ENABLE_STATIC_TSRMLS_CACHE=1");
 	ADD_EXTENSION_DEP('session', 'date');
-	// https://bugs.php.net/53141
-	ADD_EXTENSION_DEP('session', 'spl', true);
 	AC_DEFINE("HAVE_PHP_SESSION", 1, "Define to 1 if the PHP extension 'session' is available.");
 	PHP_INSTALL_HEADERS("ext/session", "php_session.h mod_files.h mod_user.h");
 }
diff --git a/ext/session/session.c b/ext/session/session.c
index 8796005e9232..91a62dcfb092 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1527,7 +1527,7 @@ static bool php_can_change_session_setting(const char *setting_name, bool check_
 
 		return false;
 	}
-	
+
 	if (SG(headers_sent) && (!check_cookies || PS(use_cookies))) {
 		char error_msg[256];
 		snprintf(error_msg, sizeof(error_msg), "Session %s cannot be changed after headers have already been sent", setting_name);
@@ -1535,7 +1535,7 @@ static bool php_can_change_session_setting(const char *setting_name, bool check_
 
 		return false;
 	}
-	
+
 	return true;
 }
 
@@ -3055,11 +3055,6 @@ static PHP_MINFO_FUNCTION(session)
 	DISPLAY_INI_ENTRIES();
 }
 
-static const zend_module_dep session_deps[] = {
-	ZEND_MOD_OPTIONAL("spl")
-	ZEND_MOD_END
-};
-
 /* ************************
    * Upload hook handling *
    ************************ */
@@ -3347,7 +3342,7 @@ static zend_result php_session_rfc1867_callback(unsigned int event, void *event_
 zend_module_entry session_module_entry = {
 	STANDARD_MODULE_HEADER_EX,
 	NULL,
-	session_deps,
+	NULL,
 	"session",
 	ext_functions,
 	PHP_MINIT(session), PHP_MSHUTDOWN(session),

From 93d32eae2751089ed0d255ba2cf37d5c8a7353e5 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc <arnaud.lb@gmail.com>
Date: Tue, 27 Jan 2026 15:24:45 +0100
Subject: [PATCH 2/4] Add missing clobbered registers

Inline assembly in zend_safe_address() clobbers flags register. Add missing
register in clobber list for aarch64 and powerpc64. Other archs were already
correct.

Fixes GH-21029
---
 NEWS                 | 2 ++
 Zend/zend_multiply.h | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index b593a1827b1c..c4a6378163c1 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.19
 
+- Core:
+  . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud)
 
 12 Feb 2026, PHP 8.4.18
 
diff --git a/Zend/zend_multiply.h b/Zend/zend_multiply.h
index 3e730042e7ad..d536d3247f60 100644
--- a/Zend/zend_multiply.h
+++ b/Zend/zend_multiply.h
@@ -267,7 +267,8 @@ static zend_always_inline size_t zend_safe_address(size_t nmemb, size_t size, si
 		: "=&r"(res), "=&r"(m_overflow)
 		: "r"(nmemb),
 		  "r"(size),
-		  "r"(offset));
+		  "r"(offset)
+		: "cc");
 
 	if (UNEXPECTED(m_overflow)) {
 		*overflow = 1;
@@ -291,7 +292,8 @@ static zend_always_inline size_t zend_safe_address(size_t nmemb, size_t size, si
              : "=&r"(res), "=&r"(m_overflow)
              : "r"(nmemb),
                "r"(size),
-               "r"(offset));
+               "r"(offset)
+             : "xer");
 
         if (UNEXPECTED(m_overflow)) {
                 *overflow = 1;

From 303752681052c582f4599a2aa7e367b71ee8ae77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Saos?= <loicsaos@gmail.com>
Date: Wed, 28 Jan 2026 14:16:25 +0900
Subject: [PATCH 3/4] Fix GH-21055: Pdo/Pgsql typo for GSS negotiation
 connection status attribute.

close GH-21057
---
 NEWS                         | 4 ++++
 ext/pdo_pgsql/pgsql_driver.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index c4a6378163c1..d0803cb6dae0 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud)
 
+- PDO_PGSQL:
+  . Fixed bug GH-21055 (connection attribute status typo for GSS negotiation).
+    (lsaos)
+
 12 Feb 2026, PHP 8.4.18
 
 - Core:
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
index e7891f6c5cd3..0c6175d365de 100644
--- a/ext/pdo_pgsql/pgsql_driver.c
+++ b/ext/pdo_pgsql/pgsql_driver.c
@@ -509,7 +509,7 @@ static int pdo_pgsql_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *return_
 					break;
 #endif
 #ifdef CONNECTION_GSS_STARTUP
-				case CONNECTION_SSL_STARTUP:
+				case CONNECTION_GSS_STARTUP:
 					ZVAL_STRINGL(return_value, "Negotiating GSSAPI.", strlen("Negotiating GSSAPI."));
 					break;
 #endif

From cd32c597a71f93a238959959d0d141ddc8768fe9 Mon Sep 17 00:00:00 2001
From: Calvin Buckley <calvinb@php.net>
Date: Wed, 28 Jan 2026 16:50:06 -0400
Subject: [PATCH 4/4] Fix regression with header removal removing whole
 prefixes (#21020)

* Fix regression with header removing removing whole prefixes

The header removal code looked for the colon for key-value at the wrong
place, so it would overzealously remove headers. Tweak that condition,
and make the alternative condition only active if it's set (with the
remove prefix op case).

Fixes GH-21018.

* avoid reading past the actual length

* Rename variable to be more clear
---
 .../tests/general_functions/gh21018.phpt      | 21 +++++++++++++++++++
 main/SAPI.c                                   | 11 +++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/general_functions/gh21018.phpt

diff --git a/ext/standard/tests/general_functions/gh21018.phpt b/ext/standard/tests/general_functions/gh21018.phpt
new file mode 100644
index 000000000000..249cfb515aeb
--- /dev/null
+++ b/ext/standard/tests/general_functions/gh21018.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-21018 (header() removes headers with the same prefix)
+--INI--
+expose_php=On
+--CGI--
+--FILE--
+<?php
+header('a: 1');
+header('a-test: 1');
+header('a: 1');
+var_dump(headers_list());
+?>
+--EXPECTF--
+array(3) {
+  [0]=>
+  string(%d) "X-Powered-By: PHP/%s"
+  [1]=>
+  string(9) "a-test: 1"
+  [2]=>
+  string(4) "a: 1"
+}
diff --git a/main/SAPI.c b/main/SAPI.c
index 6709d467e34f..2fd7e18adcea 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -601,7 +601,7 @@ static void sapi_update_response_code(int ncode)
  * since zend_llist_del_element only removes one matched item once,
  * we should remove them manually
  */
-static void sapi_remove_header(zend_llist *l, char *name, size_t len, size_t header_len)
+static void sapi_remove_header(zend_llist *l, char *name, size_t len, size_t prefix_len)
 {
 	sapi_header_struct *header;
 	zend_llist_element *next;
@@ -610,8 +610,13 @@ static void sapi_remove_header(zend_llist *l, char *name, size_t len, size_t hea
 	while (current) {
 		header = (sapi_header_struct *)(current->data);
 		next = current->next;
-		if (header->header_len > header_len
-				&& (header->header[header_len] == ':' || len > header_len)
+		/*
+		 * prefix_len is set for DELETE_PREFIX (used for deleting i.e.
+		 * "Set-Cookie: PHPSESSID=", where we need more than just key)
+		 * look for the : otherwise
+		 */
+		if (header->header_len > len
+				&& (header->header[len] == ':' || (prefix_len && len > prefix_len))
 				&& !strncasecmp(header->header, name, len)) {
 			if (current->prev) {
 				current->prev->next = next;