From ac8464139e21ca834cf4bdfe5988198c0ddb1498 Mon Sep 17 00:00:00 2001
From: lamentxu <1372449351@qq.com>
Date: Sat, 25 Apr 2026 15:34:29 +0800
Subject: [PATCH] initial fix

---
 NEWS                                           |  2 ++
 UPGRADING                                      |  2 ++
 ext/standard/proc_open.c                       |  2 +-
 .../proc_open_cwd_null_bytes.phpt              | 18 ++++++++++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt

diff --git a/NEWS b/NEWS
index d26148877670..fc8ef24ab073 100644
--- a/NEWS
+++ b/NEWS
@@ -174,6 +174,8 @@ PHP                                                                        NEWS
     (Weilin Du)
   . getenv() and putenv() now raises a ValueError when the first argument
     contains null bytes. (Weilin Du)
+  . proc_open() now raises a ValueError when the $cwd argument contains
+    null bytes. (Weilin Du)
 
 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
diff --git a/UPGRADING b/UPGRADING
index 6c6115ebcc84..9da0b9801363 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -95,6 +95,8 @@ PHP 8.6 UPGRADE NOTES
     argument value is passed.
   . scandir() now raises a ValueError when an invalid $sorting_order
     argument value is passed.
+  . proc_open() now raises a ValueError when the $cwd argument contains
+    null bytes.
 
 - Zip:
   . ZipArchive::extractTo now raises a TypeError for the
diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c
index edccbeae5646..111111406799 100644
--- a/ext/standard/proc_open.c
+++ b/ext/standard/proc_open.c
@@ -1240,7 +1240,7 @@ PHP_FUNCTION(proc_open)
 		Z_PARAM_ARRAY_HT(descriptorspec)
 		Z_PARAM_ZVAL(pipes)
 		Z_PARAM_OPTIONAL
-		Z_PARAM_STRING_OR_NULL(cwd, cwd_len)
+		Z_PARAM_PATH_OR_NULL(cwd, cwd_len)
 		Z_PARAM_ARRAY_HT_OR_NULL(environment)
 		Z_PARAM_ARRAY_OR_NULL(other_options)
 	ZEND_PARSE_PARAMETERS_END();
diff --git a/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt b/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt
new file mode 100644
index 000000000000..faa86c824177
--- /dev/null
+++ b/ext/standard/tests/general_functions/proc_open_cwd_null_bytes.phpt
@@ -0,0 +1,18 @@
+--TEST--
+proc_open() rejects null bytes in cwd
+--SKIPIF--
+<?php
+if (!function_exists("proc_open")) echo "skip proc_open() is not available";
+?>
+--FILE--
+<?php
+
+try {
+    proc_open("does_not_matter", [], $pipes, "foo\0bar");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+proc_open(): Argument #4 ($cwd) must not contain any null bytes