From 7147434249e1de4e4688643d068e919d80f854b2 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Tue, 16 Jun 2026 15:12:16 -0400
Subject: [PATCH 1/4] Fix missing semicolon in mm session validate_sid handler

PS_VALIDATE_SID_FUNC(mm) was missing the semicolon after the
ps_mm_key_exists() assignment, so ext/session/mod_mm.c failed to compile
under --with-mm. The file is gated behind HAVE_LIBMM, so default builds
and CI never exercised it.

Closes GH-22336
---
 ext/session/mod_mm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/session/mod_mm.c b/ext/session/mod_mm.c
index ff8664c981a0..70000f5ca848 100644
--- a/ext/session/mod_mm.c
+++ b/ext/session/mod_mm.c
@@ -481,7 +481,7 @@ PS_VALIDATE_SID_FUNC(mm)
 	PS_MM_DATA;
 
 	mm_lock(data->mm, MM_LOCK_RD);
-	zend_result ret = ps_mm_key_exists(data, key)
+	zend_result ret = ps_mm_key_exists(data, key);
 	mm_unlock(data->mm);
 	return ret;
 }

From 235b9b5cc16b346c6fb0cb423e22e12214bef661 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Tue, 16 Jun 2026 18:17:08 -0400
Subject: [PATCH 2/4] Fix leak of preserved input string with
 FILTER_THROW_ON_FAILURE

php_zval_filter() copies the filtered value so it can be quoted in the
FilterFailedException message, then released the copy with
zend_string_delref(), which only decrements the refcount. When the input
is a non-string scalar that convert_to_string() turns into a fresh heap
string, the copy was the sole owner and leaked one string per call on
both the failure and the success path. Use zend_string_release() so it is
freed at refcount zero.

Closes GH-22339
---
 ext/filter/filter.c                           |  4 +-
 .../tests/filter_throw_on_failure_leak.phpt   | 37 +++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 ext/filter/tests/filter_throw_on_failure_leak.phpt

diff --git a/ext/filter/filter.c b/ext/filter/filter.c
index 4a928379877b..a169ecf987d0 100644
--- a/ext/filter/filter.c
+++ b/ext/filter/filter.c
@@ -298,10 +298,10 @@ static void php_zval_filter(zval *value, zend_long filter, zend_long flags, zval
 				filter_func.name,
 				ZSTR_VAL(copy_for_throwing)
 			);
-			zend_string_delref(copy_for_throwing);
+			zend_string_release(copy_for_throwing);
 			return;
 		}
-		zend_string_delref(copy_for_throwing);
+		zend_string_release(copy_for_throwing);
 		copy_for_throwing = NULL;
 	}
 
diff --git a/ext/filter/tests/filter_throw_on_failure_leak.phpt b/ext/filter/tests/filter_throw_on_failure_leak.phpt
new file mode 100644
index 000000000000..d42896a94e8f
--- /dev/null
+++ b/ext/filter/tests/filter_throw_on_failure_leak.phpt
@@ -0,0 +1,37 @@
+--TEST--
+filter: FILTER_THROW_ON_FAILURE does not leak the preserved input string
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+// php_zval_filter() copies the input string so it can be quoted in the
+// exception message. A non-string scalar input (here a float / a large int)
+// is turned into a fresh heap string by convert_to_string(), so the copy is
+// the sole extra owner. Releasing it with zend_string_delref() decremented
+// without freeing, leaking one string per call on both the failure and the
+// success path. Loop and assert memory stays flat.
+function leakcheck(callable $fn): bool {
+    $fn();
+    $before = memory_get_usage();
+    for ($i = 0; $i < 2000; $i++) {
+        $fn();
+    }
+    return memory_get_usage() - $before === 0;
+}
+
+// Validation fails -> exception thrown.
+var_dump(leakcheck(function () {
+    try {
+        filter_var(1.5, FILTER_VALIDATE_INT, ['flags' => FILTER_THROW_ON_FAILURE]);
+    } catch (\Filter\FilterFailedException $e) {
+    }
+}));
+
+// Validation succeeds.
+var_dump(leakcheck(function () {
+    filter_var(15, FILTER_VALIDATE_INT, ['flags' => FILTER_THROW_ON_FAILURE]);
+}));
+?>
+--EXPECT--
+bool(true)
+bool(true)

From 98563c2d8e40dc71848fb2d090702bfc3d25aeb1 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Tue, 16 Jun 2026 15:33:43 -0400
Subject: [PATCH 3/4] Fix MIME charset sniffing advancing by name length not
 value length

php_libxml_sniff_charset_from_string() advanced the parse cursor by the
parameter name length after collecting an unquoted parameter value
(WHATWG mime-sniff step 11.9.1), instead of the value length. When a
Content-Type parameter before charset had a name and value of different
lengths, the cursor misaligned and the charset parameter was missed, so
document loading fell back to the wrong encoding.

Closes GH-22343
---
 .../html/encoding/HTMLDocument_createFromFile_http_header.phpt  | 2 ++
 ext/libxml/mime_sniff.c                                         | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ext/dom/tests/modern/html/encoding/HTMLDocument_createFromFile_http_header.phpt b/ext/dom/tests/modern/html/encoding/HTMLDocument_createFromFile_http_header.phpt
index 5c602b87f23e..5164ac68041d 100644
--- a/ext/dom/tests/modern/html/encoding/HTMLDocument_createFromFile_http_header.phpt
+++ b/ext/dom/tests/modern/html/encoding/HTMLDocument_createFromFile_http_header.phpt
@@ -46,6 +46,7 @@ $tests = [
         "text/html; ;;   ; ;; Charset=\"ISO-8859-1\"",
         "text/html;Charset=\"ISO-8859-1",
         "tex.t/h#\$%!&'*%2B-.^_`|~tml;Charset=\"ISO-8859-1\"", // Note: have to encode + as 2B because of implementation details of http_server()
+        "text/html; abcd=ef;charset=ISO-8859-1",
     ],
     "Valid input, but invalid encoding name" => [
         "text/html;Charset=\"ISO-8859-1\\",
@@ -100,6 +101,7 @@ foreach ($tests as $name => $headers) {
 äöü
 äöü
 äöü
+äöü
 --- Valid input, but invalid encoding name ---
 ���
 ���
diff --git a/ext/libxml/mime_sniff.c b/ext/libxml/mime_sniff.c
index 0ca032f9b795..2840c69701fc 100644
--- a/ext/libxml/mime_sniff.c
+++ b/ext/libxml/mime_sniff.c
@@ -273,7 +273,7 @@ PHP_LIBXML_API zend_string *php_libxml_sniff_charset_from_string(const char *sta
 			/* 11.9.1. Set parameterValue to the result of collecting a sequence of code points that are not ';' */
 			size_t parameter_value_length = collect_a_sequence_of_code_points(start, end, is_not_semicolon);
 			parameter_value = zend_string_init(start, parameter_value_length, false);
-			start += parameter_name_length;
+			start += parameter_value_length;
 
 			/* 11.9.2. Remove trailing HTTP whitespace from parameterValue */
 			while (ZSTR_LEN(parameter_value) > 0 && is_http_whitespace(ZSTR_VAL(parameter_value)[ZSTR_LEN(parameter_value) - 1])) {

From 9be705297bf0148ed84bf643949972475bef2deb Mon Sep 17 00:00:00 2001
From: Weilin Du <weilindu@php.net>
Date: Thu, 18 Jun 2026 10:46:35 +0800
Subject: [PATCH 4/4] [skip ci] CONTRIBUTING.md: Document the discord server as
 a recommended place to get help (#22333)

The discord server is now mostly used in discussion rather then the IRC channel.
Good to document it as a way to get help in CONTRIBUTING.md.
---
 CONTRIBUTING.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e6bff3d6a9ca..aabd945ad385 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -152,9 +152,8 @@ about what you're working on, you can contact us via the
 issues.
 
 Although not a formal channel, you can also find a number of core developers on
-the #php.pecl channel on [EFnet](http://www.efnet.org/). Similarly, many
-documentation writers can be found on #php.doc. Windows development IRC channel
-is available at #winphp-dev on FreeNode.
+the [php community discord server](https://phpc.chat/) (`#php-internals` channel)
+where many people are eager to help.
 
 ## PHP source code directory structure