Fix #80849: HTTP Status header truncation

While truncating the contents of a header is okay, we must never omit
the trailing CRLF.

Closes GH-7238.

Fix #72595: php_output_handler_append illegal write access

We must make sure that `handler->buffer.size + grow_max` does not
overflow, so we're using `safe_erealloc()` instead.

Fix #72595: php_output_handler_append illegal write access

We must make sure that `handler->buffer.size + grow_max` does not
overflow, so we're using `safe_erealloc()` instead.

Closes GH-7241.

show more ...

Fix #72146: Integer overflow on substr_replace

Adding two `zend_long`s may overflow, and casting `size_t` to
`zend_long` may truncate; we can avoid this here by enforcing unsigned
ar

Fix #72146: Integer overflow on substr_replace

Adding two `zend_long`s may overflow, and casting `size_t` to
`zend_long` may truncate; we can avoid this here by enforcing unsigned
arithmetic.

Closes GH-7240.

show more ...

Update NEWS for 7.4.22

Fix #79908: json_encode encodes negative zero as int

Encoding a negative zero as `-0` is likely to loose the sign when
decoding (at least it does with `json_decode()`). Therefore, we en

Fix #79908: json_encode encodes negative zero as int

Encoding a negative zero as `-0` is likely to loose the sign when
decoding (at least it does with `json_decode()`). Therefore, we encode
it as if `JSON_PRESERVE_ZERO_FRACTION` was specified, i.e. as `-0.0`.

Closes GH-7234.

show more ...

Fix #73226: --r[fcez] always return zero exit code

This makes the behavior consistent with `--ri`, and is likely useful
for scripting.

Closes GH-7221.

Fix #81243: Too much memory is allocated for preg_replace()

Trimming a potentially over-allocated string appears to be reasonable,
so we drop the condition altogether.

We also r

Fix #81243: Too much memory is allocated for preg_replace()

Trimming a potentially over-allocated string appears to be reasonable,
so we drop the condition altogether.

We also re-allocate twice the size needed in the first place, and not
roughly tripple the size.

Closes GH-7231.

show more ...

Fix #81223: flock() only locks first byte of file

`flock()` should lock the whole file, like on other systems which use
mandatory locking. We cannot use `0` like for `flck.l_len`, so we

Fix #81223: flock() only locks first byte of file

`flock()` should lock the whole file, like on other systems which use
mandatory locking. We cannot use `0` like for `flck.l_len`, so we use
the largest number, what is valid according to the documentation:
<https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-lockfileex#remarks>.

Closes GH-7216.

show more ...

Fix #74264: grapheme_strrpos() broken for negative offsets

We must not assume that `usearch_last()` gives the proper result for
negative offsets. Instead we'd need to continue to search

Fix #74264: grapheme_strrpos() broken for negative offsets

We must not assume that `usearch_last()` gives the proper result for
negative offsets. Instead we'd need to continue to search backwards
(`usearch_previous`) until we find a proper match. However, apparently
searching backwards is broken, so we work around by searching forward
from the start of the string until we pass the `offset_pos`, and then
use the previous result.

Closes GH-7189.

show more ...

Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property return

Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property returned the original variable_ptr
rather than the zend_assign_to_variable() return value, which will
DEREF the variable before overwriting it.

show more ...

Fix #52093: openssl_csr_sign truncates $serial

We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the
truncation of the integer.

[1] <https://www.openssl.org/docs/man1.

Fix #52093: openssl_csr_sign truncates $serial

We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the
truncation of the integer.

[1] <https://www.openssl.org/docs/man1.1.0/man3/ASN1_INTEGER_set_int64.html#HISTORY>

Closes GH-7209.

show more ...

Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri']

The built-in Webserver's `on_path`, `on_query_string` and `on_url`
callbacks may be called multiple times from the parse

Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri']

The built-in Webserver's `on_path`, `on_query_string` and `on_url`
callbacks may be called multiple times from the parser; we must not
simply replace the old values, but need to concatenate the new values
instead.

This appears to be tricky for `on_path` due to the path normalization,
so we fail if the function is called again.

The built-in Webserver logs errors during request parsing to stderr,
but this is ignored by the php_cli_server framework, and apparently the
Webserver does not send a resonse at all in such cases (instead of an
4xx). Thus we can only check that a request with an overly long path
fails.

Closes GH-7207.

show more ...

Fix bug #80728: Don't reset the timeout on ini deactivate

When the time limit for a script is changed, when the script ends,
its INI value will be reset. This calls the event handler for

Fix bug #80728: Don't reset the timeout on ini deactivate

When the time limit for a script is changed, when the script ends,
its INI value will be reset. This calls the event handler for the
timeout change, which will unset then reset the timeout. However,
this is done even if the script is done executing, and say, the CGI
or CLI web server process is idle.

This is probably incorrect, but isn't a problem on most platforms,
because PHP uses a timer that only ticks when the process is active
(that is, executing code). Since when it's idle, it's blocking on
listen/read, it won't tick because nothing executes. However, on
platforms where only the real-time timer is supported, (Cygwin/PASE)
it ticks regardless of if PHP is even executing. This means that the
idle processes are subject to timeouts from the INI reset on script
end.

This makes it so the timer is never set if the state is deactivating.
Testing with the CLI web server indicates the timer no longer
spuriously activates under PASE.

Closes GH-6683.

show more ...

Fix #68471: IntlDateFormatter fails for "GMT+00:00" timezone

GMT+00:00 is recognized by ICU, and is normalized to GMT. There are no
issues when GMT+00:00 is passed to `IntlTimeZone::cre

Fix #68471: IntlDateFormatter fails for "GMT+00:00" timezone

GMT+00:00 is recognized by ICU, and is normalized to GMT. There are no
issues when GMT+00:00 is passed to `IntlTimeZone::createTimeZone()`,
but passing it to IntlDateFormatter::__construct() causes a failure,
since there is an additional check regarding the validity. While
checking the validity of the result of `TimeZone::createTimeZone()`[1]
is a good idea, comparing the IDs is overly restrictive. Instead we
just check that the timezone is supported by ICU.

[1] <https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/classicu_1_1TimeZone.html#a35da0507b62754ffe5d8d59c19775cdb>

Closes GH-7190.

show more ...

Update NEWS

NEWS: Add bug #81101 note

[ci skip]

Signed-off-by: Anatol Belski <ab@php.net>

Fix bug #81163 indirect vars in __sleep

Fix #81145: copy() and stream_copy_to_stream() fail for +4GB files

When mapping the file, we need to pass the proper `dwFileOffsetHigh`
instead of `0`.

Co-authored-by: Nikita Po

Fix #81145: copy() and stream_copy_to_stream() fail for +4GB files

When mapping the file, we need to pass the proper `dwFileOffsetHigh`
instead of `0`.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-7158.

show more ...

Fix #72809: Locale::lookup() wrong result with canonicalize option

Canonicalization converts the locale to ICU format[1]. However, the
lookup described in RFC 4647, section 3.4, is abou

Fix #72809: Locale::lookup() wrong result with canonicalize option

Canonicalization converts the locale to ICU format[1]. However, the
lookup described in RFC 4647, section 3.4, is about POSIX format. To
make that lookup work for ICU format, we also need to cater to keyword
separators.

The results are somewhat unexpected, but apparently canonical lookup is
explicitly supposed to return canonical language tags[2].

[1] <https://unicode-org.github.io/icu/userguide/locale/#canonicalization>
[2] <https://github.com/php/php-src/blob/php-7.4.20/ext/intl/locale/locale_methods.c#L1504>

Closes GH-7151.

show more ...

Prepare for 7.4.22

Fix #81092: fflush before stream_filter_remove corrupts stream

When doing a non finishing flush, BZ2_bzCompress() returns BZ_FLUSH_OK
(not BZ_FINISH_OK) what requires us to do further fl

Fix #81092: fflush before stream_filter_remove corrupts stream

When doing a non finishing flush, BZ2_bzCompress() returns BZ_FLUSH_OK
(not BZ_FINISH_OK) what requires us to do further flushes right away.

We also refactor the while-loop as do-loop.

Closes GH-7113.

show more ...

Fixed bug #81070

When the memory limit is reduced using an `ini_set("memory_limit", ..)`
below the currently allocated memory, the out-of-memory check overflowed.
Instead of implemen

Fixed bug #81070

When the memory limit is reduced using an `ini_set("memory_limit", ..)`
below the currently allocated memory, the out-of-memory check overflowed.
Instead of implementing additional checks during allocation,
`zend_set_memory_limit()` now validates the new memory limit. When
below the current memory usage the ini_set call will fail and throw
a warning.

This is part of GH-7040.

show more ...

Fix #76694: native Windows cert verification uses CN as sever name

This is not guaranteed to work, since the actual server name may only
be given as SAN. Since we're doing the peer veri

Fix #76694: native Windows cert verification uses CN as sever name

This is not guaranteed to work, since the actual server name may only
be given as SAN. Since we're doing the peer verification later anyway
(using the respective context options as appropriate), there is no need
to even supply a server name when verifying against the Windows cert
store.

Closes GH-7060.

show more ...

Fixed bug #81090

For concatenation, the in-place variant can be much more efficient,
because it will reallocate the string in-place. Special-case the
typed property compound assignme

Fixed bug #81090

For concatenation, the in-place variant can be much more efficient,
because it will reallocate the string in-place. Special-case the
typed property compound assignment code for the case where we
concatenate to a string, in which case we know that the result
will also be a string, and we don't need the type check anyway.

show more ...

Fix #76359: open_basedir bypass through adding ".."

We explicitly forbid adding paths with a leading `..` to `open_basedir`
at runtime.

Closes GH-7024.