| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
This reverts commit 1ab4d0e6b7abb67d5a01ce3327bf973772271fb2.
This reverts commit a359635cb1a4df8b5137a506c88c4cb102acac0e.
|
| | |
|
| | |
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
| |
This method was used to protect code against XXE processing attacks.
Since PHP now requires libxml >= 2.9.0 external entity loading no longer
needs to be disabled to prevent these attacks. It is disabled by default.
Also, the method has an unwanted side effect that causes a lot of
confusion: Parsing XML data from resources like files is no longer possible.
Closes GH-5867.
|
| |
|
|
|
|
| |
Since libxml version 2.9.0 external entity loading is disabled by default.
Bumping the version requirement means that XML processing in PHP is no
longer vulnerable to XXE processing attacks by default.
|
| |
|
|
|
|
|
|
|
|
| |
This option allows getting status from different endpoint (e.g. port
or UDS file) which is useful for getting status when all children are
busy with serving long running requests.
Internally a new shared pool with ondemand process manager is used. It
means that the status requests have reserved resources and should not
be blocked by other requests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In other words, don't automatically unserialize when the magic
phar:// stream wrappers are used.
RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata
Also, change the signature from `getMetadata()`
to `getMetadata(array $unserialize_options = [])`.
Start throwing earlier if setMetadata() is called and serialization threw.
See https://externals.io/message/110856 and
https://bugs.php.net/bug.php?id=76774
This was refactored to add a phar_metadata_tracker for the following reasons:
- The way to properly copy a zval was previously implicit and undocumented
(e.g. is it a pointer to a raw string or an actual value)
- Avoid unnecessary serialization and unserialization in the most common case
- If a metadata value is serialized once while saving a new/modified phar file,
this allows reusing the same serialized string.
- Have as few ways to copy/clone/lazily parse metadata (etc.) as possible,
so that code changes can be limited to only a few places in the future.
- Performance is hopefully not a concern - copying a string should be faster
than unserializing a value, and metadata should be rare in most cases.
Remove unnecessary skip in a test(Compression's unused)
Add additional assertions about usage of persistent phars
Improve robustness of `Phar*->setMetadata()`
- Add sanity checks for edge cases freeing metadata, when destructors
or serializers modify the phar recursively.
- Typical use cases of php have phar.readonly=1 and would not be affected.
Closes GH-5855
|
| |
|
|
|
|
|
|
|
|
| |
In practice, we always act as an HTTP/1.1 client, for compatibility
with servers which ignore protocol version. Sending the version in
the request will avoid problems with servers which don't ignore it.
HTTP/1.0 can still be forced using a stream context option.
Closes GH-5899.
|
| |\
| |
| |
| |
| | |
This changes assert.exception to default to 1, or on by default.
Closes GH-5925.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
This implements the last remaining part of the
https://wiki.php.net/rfc/engine_warnings RFC.
Closes GH-5927.
|
| |/ |
|
| | |
|
| |
|
|
|
|
| |
The PHP error message says "well-formed", not "well formed"
Fixes GH-5920
|
| |
|
|
|
|
| |
Closes GH-5860
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, it's possible to override `php -a`s completion
functionality to provide an alternative to the C implementation,
with `readline_completion_function()`.
However, that surprisingly gets overridden when called from
`auto_prepend_file`, because those scripts get run before the interactive shell
is started. I believe that not overriding it would be more consistent
with what happens when you override the completion function **after** the
interactive shell.
CLI is the only built-in API that uses this (See discussion in GH-5872).
I believe MINIT and RINIT will only run once when invoked with `php -a`.
Add documentation about the architecture of how php uses readline/libedit
Closes GH-5872
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From an engine perspective, named parameters mainly add three
concepts:
* The SEND_* opcodes now accept a CONST op2, which is the
argument name. For now, it is looked up by linear scan and
runtime cached.
* This may leave UNDEF arguments on the stack. To avoid having
to deal with them in other places, a CHECK_UNDEF_ARGS opcode
is used to either replace them with defaults, or error.
* For variadic functions, EX(extra_named_params) are collected
and need to be freed based on ZEND_CALL_HAS_EXTRA_NAMED_PARAMS.
RFC: https://wiki.php.net/rfc/named_params
Closes GH-5357.
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/saner-numeric-strings
This removes the -1 allow_error mode from is_numeric_string functions and replaces it by
a trailing boolean out argument to preserve BC in a couple of places.
Most of the changes can be resumed to "numeric" strings which emitted a E_NOTICE now emit
a E_WARNING and "numeric" strings which emitted a E_WARNING now throw a TypeError.
This mostly affects:
- String offsets
- Arithmetic operations
- Bitwise operations
Closes GH-5762
|
| |
|
|
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/shorter_attribute_syntax
Closes GH-5796.
Co-authored-by: Martin Schröder <m.schroeder2007@gmail.com>
|
| |
|
|
| |
For GH-5769 (mentioned in 07db64156e180c30daa5ab5d41ed72f9bba77e6d)
|
| |
|
|
|
|
|
|
|
|
| |
Don't expose references in debug_backtrace() or exception traces.
This is regardless of whether the argument is by-reference or not.
As a side-effect of this change, exception traces may now acquire
the interior value of a reference, which may be unexpected for
some internal functions. This is what necessitated the change in
the spl_array sort implementation.
|
| | |
|
| |
|
|
| |
This was deprecated in PHP 7.4.
|
| |
|
|
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/nullsafe_operator
Closes GH-5619.
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Namespace names are now lexed as single tokens of type
T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED or T_NAME_RELATIVE.
RFC: https://wiki.php.net/rfc/namespaced_names_as_token
Closes GH-5827.
|
| |
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/string_to_number_comparison
Closes GH-3886.
|
| |
|
|
| |
[ci skip]
|
| |
|
|
| |
Closes GH-5401
|
| |
|
|
| |
Closes GH-5777.
|
| |
|
|
|
|
|
| |
I added this to UPGRADING.INTERNALS, but it should also be
mentioned in UPGRADING, as it affects user-visible behavior.
[ci skip]
|
| |
|
|
| |
[ci skip]
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Some extension may need to retrieve the `gdImagePtr` from an `GdImage`
object; thus, we export the respective function. To not being forced
to include gd.h in php_gd.h, we use the opaque `struct gdImageStruct *`
as return type.
We also rename php_gd2.dll to php_gd.dll, since there's not really much
point in giving the DLL a version number, since there is no php_gd.dll
for years (if there ever has been). Renaming, on the other hand,
matches the name on other systems (gd.so), and allows to actually use
`ADD_EXTENSION_DEP()`.
|
| |
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/match_expression_v2
Closes GH-5371.
|
| |
|
|
| |
Closes GH-5822.
|
| |
|
|
| |
Closes GH-5784
|
| |
|
|
| |
We also remove the mbregex ISO 8859 aliases with underscores.
|
| |
|
|
|
|
|
| |
From now on, ldap_set_rebind_proc() will only accept callable or null
as argument 2.
Closes GH-5763
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Modify php_hash_ops to contain the algorithm name and
serialize and unserialize methods.
* Implement __serialize and __unserialize magic methods on
HashContext.
Note that serialized HashContexts are not necessarily portable
between PHP versions or from architecture to architecture.
(Most are, though Keccak and slow SHA3s are not.)
An exception is thrown when an unsupported serialization is
attempted.
Because of security concerns, HASH_HMAC contexts are not
currently serializable; attempting to serialize one throws
an exception.
Serialization exposes the state of HashContext memory, so ensure
that memory is zeroed before use by allocating it with a new
php_hash_alloc_context function. Performance impact is
negligible.
Some hash internal states have logical pointers into a buffer,
or sponge, that absorbs input provided in bytes rather than
chunks. The unserialize functions for these hash functions
must validate that the logical pointers are all within bounds,
lest future hash operations cause out-of-bounds memory accesses.
* Adler32, CRC32, FNV, joaat: simple state, no buffer positions
* Gost, MD2, SHA3, Snefru, Tiger, Whirlpool: buffer positions
must be validated
* MD4, MD5, SHA1, SHA2, haval, ripemd: buffer positions encoded
bitwise, forced to within bounds on use; no need to validate
|
| |
|
|
|
|
|
|
| |
This properly addresses the issue from bug #79741. Silently
interpreting objects as mangled property tables is almost
always a bad idea.
Closes GH-5773.
|
| |
|
|
|
|
|
|
|
| |
RFC: https://wiki.php.net/rfc/attribute_amendments
Support for attribute grouping is left out, because the short
attribute syntax RFC will likely make it obsolete.
Closes GH-5751.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Don't include a trailing newline in T_COMMENT tokens, instead leave
it for a following T_WHITESPACE token. The newline does not belong
to the comment logically, and this makes for an ugly special case,
as other tokens do not include trailing newlines.
Whitespace-sensitive tooling will want to either forward or backward
emulate this change.
Closes GH-5182.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make user-exposed sorts stable, by storing the position of elements
in the original array, and using those positions as a fallback
comparison criterion. The base sort is still hybrid q/insert.
The use of true/false comparison functions is deprecated (but still
supported) and should be replaced by -1/0/1 comparison functions,
driven by the <=> operator.
RFC: https://wiki.php.net/rfc/stable_sorting
Closes GH-5236.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Userland classes that implement Traversable must do so either
through Iterator or IteratorAggregate. The same requirement does
not exist for internal classes: They can implement the internal
get_iterator mechanism, without exposing either the Iterator or
IteratorAggregate APIs. This makes them usable in get_iterator(),
but incompatible with any Iterator based APIs.
A lot of internal classes do this, because exposing the userland
APIs is simply a lot of work. This patch alleviates this issue by
providing a generic InternalIterator class, which acts as an
adapater between get_iterator and Iterator, and can be easily
used by many internal classes. At the same time, we extend the
requirement that Traversable implies Iterator or IteratorAggregate
to internal classes as well.
Closes GH-5216.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Context: https://externals.io/message/108789
This essentially moves the functionality of SimpleXMLIterator into
SimpleXMLElement, and makes SimpleXMLIterator a no-op extension.
Ideally SimpleXMLElement would be an IteratorAggregate, whose
getIterator() method returns SimpleXMLIterator. However, because
SimpleXMLIterator extends SimpleXMLElement (and code depends on
this in non-trivial ways), this is not possible.
The only way to not keep SimpleXMLElement as a magic Traversable
(that implements neither Iterator nor IteratorAggregate) is to
move the SimpleXMLIterator functionality into it.
Closes GH-5234.
|
| |
|
|
|
| |
We make `shmop_close()` a NOP, and deprecate the function right away;
detaching from SHM now happens when the wrapper object is freed.
|
