fix: handle the GNU specific version of strerror_r

Close GH-11882

Fix GH-11830: ParentNode methods should perform their checks upfront

Closes GH-11887.

Fix manually calling __construct() on DOM classes

Closes GH-11894.

Don't test macOS & i386 without opcache on push

It should be incredibly rare for something to fail only without opcache while
also being platform specific. We're keeping opcache-less tes

Don't test macOS & i386 without opcache on push

It should be incredibly rare for something to fail only without opcache while
also being platform specific. We're keeping opcache-less tests for x64 Linux,
macOS and i386 will continue to be tested without opcache in nightly.

Closes GH-11867

show more ...

Fix MySQL Statement has a empty query result when the response field has changed, also Segmentation fault

Closes GH-11551.

Mark buildFromIterator test as conflicting

Commit 0b2e6bc2b0 started caching the directory entry type to improve
performance. Shortly after, we've seen flaky failures of the
buildFro

Mark buildFromIterator test as conflicting

Commit 0b2e6bc2b0 started caching the directory entry type to improve
performance. Shortly after, we've seen flaky failures of the
buildFromIterator phar test.

When it fails, it's always a value error in the constructor of
RecursiveDirectoryIterator::__construct() with a "no such file or
directory" error. What's happening here is this:
1) A parallel test creates a subdirectory in the current working dir.
2) This test checks hasChildren() on a directory entry, the cached entry
returns "yes" on the subdirectory.
3) The parallel test finishes and removes the subdirectory.
4) The constructor mentioned above is called, causing an exception
because the directory is gone.

This race has always been possible, even before said commit. It's just
that it was very hard to hit before: the expensive stat call made the
race window hard to hit. The race is now easier to hit because of the
caching that is fast.

Since there's many tests that modify the current working directory, it
seems best to mark this as an "all" conflict. We cannot avoid every
TOC-TOU race when working with files with these phar tests.

In particular, mounteddir.phpt caused every conflict I saw on CI, but
there's more tests that create subdirectories in the current working
directory.

Closes GH-11869.

show more ...

Revert the fix for GH-11498

People relied on manually waiting for children, but the fix for GH-11498
broke this. Fixing this in PHP is fundamentally incompatible with doing
the wait

Revert the fix for GH-11498

People relied on manually waiting for children, but the fix for GH-11498
broke this. Fixing this in PHP is fundamentally incompatible with doing
the wait loop in userland. This reverts to the old behaviour.

Closes GH-11863.

show more ...

Fix missing link variable in test

Fix GH-10964: Improve `man` page about the built-in server

Closes GH-11857.

Fix GH-11438: mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters

https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authen

Fix GH-11438: mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters

https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
tells us that the nonce used in this authentication method is 20 bytes
long. However, we might receive additional scramble data in
php_mysqlnd_greet_read not used in this method.
On my test setup, I received 21 bytes (20 bytes + '\0'). This resulted
in the xor computation to incorrectly include the NUL byte. Every
password of at least 20 characters therefore failed to authenticate
using this method.

Looking at mysql-server source code also seems to reveal that it always
uses a fixed number of scramble bytes [1].

[1] https://github.com/mysql/mysql-server/blob/ea7087d885006918ad54458e7aad215b1650312c/sql/auth/sha2_password.cc#L1078-L1079

Closes GH-11445.

Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>

show more ...

Fix use-of-uninitialized-value in start_fake_frame

Closes GH-11732

Fix GH-11440: authentication to a sha256_password account fails over SSL

This is similar to bug #78680, but that bug wasn't really fixed in all
places. This is the only remaining place.

Fix GH-11440: authentication to a sha256_password account fails over SSL

This is similar to bug #78680, but that bug wasn't really fixed in all
places. This is the only remaining place.

Closes GH-11444.

show more ...

Fix json_encode result on DOMDocument

According to https://www.php.net/manual/en/class.domdocument:
When using json_encode() on a DOMDocument object the result will be
that of en

Fix json_encode result on DOMDocument

According to https://www.php.net/manual/en/class.domdocument:
When using json_encode() on a DOMDocument object the result will be
that of encoding an empty object.

But this was broken in 8.1. The output was `{"config": null}`.
That's because the config property is defined with a default value of
NULL, hence it was included. The other properties are not included
because they don't have a default property, and nothing is ever written
to their backing field. Hence, the JSON encoder excludes them.
Similarly, `(array) $doc` would yield the same `config` key in the
array.

Closes GH-11840.

show more ...

Fixed incorrect tracked malloc deallocation

Fixes ext/ffi/tests/list.phpt failure

Fix zend/test arginfo stub hash

Merge branch 'PHP-8.0' into PHP-8.1

NEWS

Signed-off-by: Ben Ramsey <ramsey@php.net>

Disable global state test on Windows

It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-te

Disable global state test on Windows

It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-test.
To add to the Windows trouble, libxml is statically linked in, ext/libxml can
only be built statically but ext/zend-test can be built both statically and
dynamically.
So the regression tests won't work in all possible configurations anyway on Windows.
All of this is no problem on Linux because it just uses dynamic linking
and pkg-config, without any magic.

Signed-off-by: Ben Ramsey <ramsey@php.net>

show more ...

Fix broken merge

Merge branch 'PHP-8.0' into PHP-8.1

Sanitize libxml2 globals before parsing

Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains par

Sanitize libxml2 globals before parsing

Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.

Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().

show more ...

Fix buffer mismanagement in phar_dir_read()

Fixes GHSA-jqcx-ccgc-xwhv.

Check if restart is pending before trying to lock SHM

This reduces lock contention when Opcache restart is scheduled
but not yet started.

Closes GH-11805

[ci skip] add CVE in NEWS

Fix wrong backporting of previous soap patch