Specifics of your environment

1. Acting as SP
2. SimpleSAMLphp: 2.4.0
3. PHP: 8.3.19
4. Platform: Windows
5. Webserver: IIS

Describe the bug
When config/config.php contains a syntax error (e.g. unclosed string), SimpleSAMLphp correctly throws a CriticalConfigurationError via Configuration::getInstance().

However, during construction of the error, the call to guessBasePath() fails because, on Windows, $_SERVER['SCRIPT_FILENAME'] contains a path with \ instead of /, which might then trip up preg_match() with preg_match(): Compilation failed: PCRE2 does not support \F, \L, \l, \N{name}, \U, or \u with the unescaped \.

To Reproduce

1. On Windows, introduce a syntax error in config/config.php (e.g. remove the ending quote from a string).
2. Trigger config loading, e.g. by calling \SimpleSAML\Configuration::getInstance();.
3. Instead of getting the CriticalConfigurationError, we get the preg_match() error.

Expected behavior
If config/config.php cannot be parsed, the related error message should be thrown or logged.

Possible fixes

• The explode() calls in guessBasePath() may use PHP's DIRECTORY_SEPARATOR instead of / to properly split the path on Windows.
• preg_quote() may be used on the $script variable used in preg_match() to prevent unintentional escape sequences.
• Add error catching to CriticalConfigurationError::_construct to catch the guessBasePath() isuue.