Fix wrong backporting of previous soap patch

Fix GH-11382 add missing hash header for bin2hex

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we have still a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject
a request due to a repeated (cnonce, nc) pair. As per the birthday
problem 31 bits of randomness will return a duplication with 50%
chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a
malicious server that returns a constant server nonce where the server
precomputed a rainbow table between passwords and correct client response.
As storage is fairly cheap, a server could precompute the client responses
for (a subset of) client nonces and still have a chance of reversing the
client response with the same probability as the cnonce duplication.

Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
table size by factor 2 billion, which is infeasible. But precomputing it
for 2^14 cnonces only increases the table size by factor 16k and the server
would still have a 10% chance of successfully reversing a password with a
single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php_random_bytes_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>

show more ...

ext/soap: Compare Set-Cookie header case-insensitively

Closes GH-6143.

Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"

Remove mention of PHP major version in Copyright headers

Closes GH-4732.

Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Function

Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.

As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).

I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.

show more ...

Use ZEND_HASH_FOREACH APIs in a few more places

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'st

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'stream_context' => stream_context_create([
'http' => [
'content_type' => 'foobarX',
],
]),
]);

This is a backport of c55af3c65ac116bbd935bd3d695869d88056c49c
to the PHP 7.2 branch.

show more ...

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'st

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'stream_context' => stream_context_create([
'http' => [
'content_type' => 'foobarX',
],
]),
]);

show more ...

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly used by Vim and Emacs editors
yet with recent changes the once working definitions don't work
anymore in Vim without custom plugins or additional configuration.
Neither are these settings synced across the PHP code base.

A simpler and better approach is EditorConfig and fixing code
using some code style fixing tools in the future instead.

This patch also removes the so called modelines for Vim. Modelines
allow Vim editor specifically to set some editor configuration such as
syntax highlighting, indentation style and tab width to be set in the
first line or the last 5 lines per file basis. Since the php test
files have syntax highlighting already set in most editors properly and
EditorConfig takes care of the indentation settings, this patch removes
these as well for the Vim 6.0 and newer versions.

With the removal of local variables for certain editors such as
Emacs and Vim, the footer is also probably not needed anymore when
creating extensions using ext_skel.php script.

Additionally, Vim modelines for setting php syntax and some editor
settings has been removed from some *.phpt files. All these are
mostly not relevant for phpt files neither work properly in the
middle of the file.

show more ...

Remove yearly range from copyright notice

Remove year range from copyright notice

Future-proof email addresses

Future-proof email addresses...

Trim trailing whitespace in source code files

Trim trailing whitespace in source code files

Fix some misspellings

Fix typos in code comments

Remove unused Git attributes ident

The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
use

Remove unused Git attributes ident

The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
user who changed it.

In Git this functionality is different and can be done with Git attribute
ident. These need to be defined manually for each file in the
.gitattributes file and are afterwards replaced with 40-character
hexadecimal blob object name which is based only on the particular file
contents.

This patch simplifies handling of $Id$ keywords by removing them since
they are not used anymore.

show more ...

Use zend_string_release_ex() instread of zend_string_release() in places, where we sure about string persistence.

Trailing whitespaces

Signed-off-by: Gabriel Caruso <carusogabriel34@gmail.com>

year++

year++

year++