286162e9 | 05-May-2021 |
Christoph M. Becker |
Fix #76452: Crash while parsing blob data in firebird_fetch_blob We need to prevent integer overflow when calling `erealloc()` with `len+1`. |
a5538c62 | 14-Jun-2021 |
Christoph M. Becker |
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that. |
98c8ad92 | 27-Apr-2021 |
Christoph M. Becker |
7.3.29 is next |
096f148c | 27-Apr-2021 |
Christoph M. Becker |
Fix ./makedist wrt. to GH move We can no longer export from git.php.net, and apparently exporting from Github is not supported. We apply a quick fix to export from the local clone by default, still leaving an option to export from some other repo. This is, unfortunately, a minor BC break in a security release. Co-authored-by: Remi Collet <remi@php.net> Closes GH-6919.
|
60a68a45 | 27-Apr-2021 |
Christoph M. Becker |
Add missing NEWS entry for #80710 |
37962c61 | 05-Feb-2021 |
Christoph M. Becker |
Fix #80710: imap_mail_compose() header injection Like `mail()` and `mb_send_mail()`, `imap_mail_compose()` must prevent header injection. For maximum backward compatibility, we still allow header folding for general headers, and still accept trailing line breaks for address lists.
|
1b88c85c | 27-Apr-2021 |
Stanislav Malyshev |
Revert "Fix #80852: Stack-overflow when json_encode()'ing SimpleXMLElement" Sorry, this solution seems to have BC breaks, will need to look for better one. This reverts commit 9f7e8b777cb3e8aac53e677f3152af18413ab672.
|
9f7e8b77 | 11-Mar-2021 |
Christoph M. Becker |
Fix #80852: Stack-overflow when json_encode()'ing SimpleXMLElement We ignore `XML_ENTITY_DECL` nodes when getting the hash of the properties of a `SimpleXMLElement`. |
729cd8ba | 22-Feb-2021 |
Dylan K. Taylor |
run-tests: fixed exit code not being set on BORKED tests When no test paths are specified this shows up when 'make test' is used on a PECL extension without specifying tests to run (or in php-src too, I guess...) Closes GH-6717.
|
06c9633b | 01-Feb-2021 |
Nikita Popov |
Fix newly introduced compiler warning (cherry picked from commit ab8177de2c89672e63a7a1ccef4df8f7bf34fbd2) |
039ca4e2 | 02-Feb-2021 |
Christoph M. Becker |
7.3.28 is next |
57257a43 | 01-Feb-2021 |
Christoph M. Becker |
Revert "Updated to version 2021.1 (2021a)" This reverts commit 491488d21707062fa8e9b9187db3585fb0d347da, since PHP-7.3 is in security mode, and this does not look security related. |
3c939e3f | 01-Feb-2021 |
Stanislav Malyshev |
Fix bug #80672 - Null Dereference in SoapClient |
9c673083 | 27-Jan-2021 |
Stanislav Malyshev |
Rm unneeded function |
4a89e726 | 19-Jan-2021 |
Christoph M. Becker |
Alternative fix for bug 77423 That bug report originally was about `parse_url()` misbehaving, but the security aspect was actually only regarding `FILTER_VALIDATE_URL`. Since the changes to `parse_url_ex()` apparently affect userland code which is relying on the sloppy URL parsing[1], this alternative restores the old parsing behavior, but ensures that the userinfo is checked for correctness for `FILTER_VALIDATE_URL`. [1] <https://github.com/php/php-src/commit/5174de7cd33c3d4fa591c9c93859ff9989b07e8c#commitcomment-45967652>
|
491488d2 | 25-Jan-2021 |
Derick Rethans |
Updated to version 2021.1 (2021a) |
65d7ade6 | 04-Jan-2021 |
Stanislav Malyshev |
[ci skip] Fix order |
8967e665 | 04-Jan-2021 |
Stanislav Malyshev |
[ci skip] Update NEWS |
128fca40 | 02-Jan-2021 |
Stanislav Malyshev |
Merge branch 'PHP-7.2' into PHP-7.3 * PHP-7.2: Fix #77423: parse_url() will deliver a wrong host to user
|
2d3d7241 | 13-May-2020 |
Christoph M. Becker |
Fix #77423: parse_url() will deliver a wrong host to user To avoid that `parse_url()` returns an erroneous host, which would be valid for `FILTER_VALIDATE_URL`, we make sure that only userinfo which is valid according to RFC 3986 is treated as such. For consistency with the existing url parsing code, we use ctype functions, although that is not necessarily correct.
|
40d9e3ab | 15-Dec-2020 |
Christoph M. Becker |
7.3.27 is next |
0697a64f | 02-Dec-2020 |
Daniel Black |
Fix mysqli_expire_password test for mariadb In MariaDB-10.4.3 EXPIRE passwords were supported for MariaDB. This only behaves like MySQL when the system variable disconnect_on_expired_passwords=1. MariaDB if there was no password it could not be considered expired. So the test is adjusted to use actual passwords. (MariaDB commit a94b20a8e0d9e64eeaabdaaa7a3e03fcdb8a686e) The error codes produced by MariaDB are different however still conforming to the SQL specification. Closes GH-6480.
|
d6fcaf5d | 02-Dec-2020 |
Nikita Popov |
Fixed bug #80457 On x32 sizeof(size_t) != sizeof(zend_long), so we need to be careful with sign extension here. Patch by bruno dot premont at restena dot lu. |
68570816 | 27-Nov-2020 |
Jakub Zelenka |
Fix test for bug62890 to not depend on system cert store |
4a10037c | 27-Nov-2020 |
Daniel Black |
Fix mysqli_get_client_stats test MySQL removed RENAME DATABASE in 18300001c1dbbfddf9a0adcbaeea68956102bdd0 (Sept 2007, 5.1.23). As this briefest existence is very insignificant let's remove it. It also breaks when testing against MariaDB. As the alternate path in this test covers all supported MySQL and MariaDB versions and a significant portion of unsupported versions let's keep it simple. Closes GH-6459.
|