Bump libxml version requirement 2.7.6 => 2.9.0

Since libxml version 2.9.0 external entity loading is disabled by default.
Bumping the version requirement means that XML processing in PHP

Bump libxml version requirement 2.7.6 => 2.9.0

Since libxml version 2.9.0 external entity loading is disabled by default.
Bumping the version requirement means that XML processing in PHP is no
longer vulnerable to XXE processing attacks by default.

show more ...

FPM: Add pm.status_listen option

This option allows getting status from different endpoint (e.g. port
or UDS file) which is useful for getting status when all children are
busy with

FPM: Add pm.status_listen option

This option allows getting status from different endpoint (e.g. port
or UDS file) which is useful for getting status when all children are
busy with serving long running requests.

Internally a new shared pool with ondemand process manager is used. It
means that the status requests have reserved resources and should not
be blocked by other requests.

show more ...

[RFC] Only unserialize Phar metadata when getMetadata() is called

In other words, don't automatically unserialize when the magic
phar:// stream wrappers are used.
RFC: https://wiki.p

[RFC] Only unserialize Phar metadata when getMetadata() is called

In other words, don't automatically unserialize when the magic
phar:// stream wrappers are used.
RFC: https://wiki.php.net/rfc/phar_stop_autoloading_metadata

Also, change the signature from `getMetadata()`
to `getMetadata(array $unserialize_options = [])`.
Start throwing earlier if setMetadata() is called and serialization threw.

See https://externals.io/message/110856 and
https://bugs.php.net/bug.php?id=76774

This was refactored to add a phar_metadata_tracker for the following reasons:
- The way to properly copy a zval was previously implicit and undocumented
(e.g. is it a pointer to a raw string or an actual value)
- Avoid unnecessary serialization and unserialization in the most common case
- If a metadata value is serialized once while saving a new/modified phar file,
this allows reusing the same serialized string.
- Have as few ways to copy/clone/lazily parse metadata (etc.) as possible,
so that code changes can be limited to only a few places in the future.
- Performance is hopefully not a concern - copying a string should be faster
than unserializing a value, and metadata should be rare in most cases.

Remove unnecessary skip in a test(Compression's unused)

Add additional assertions about usage of persistent phars

Improve robustness of `Phar*->setMetadata()`

- Add sanity checks for edge cases freeing metadata, when destructors
or serializers modify the phar recursively.
- Typical use cases of php have phar.readonly=1 and would not be affected.

Closes GH-5855

show more ...

Make http stream wrapper advertise HTTP/1.1 by default

In practice, we always act as an HTTP/1.1 client, for compatibility
with servers which ignore protocol version. Sending the version

Make http stream wrapper advertise HTTP/1.1 by default

In practice, we always act as an HTTP/1.1 client, for compatibility
with servers which ignore protocol version. Sending the version in
the request will avoid problems with servers which don't ignore it.

HTTP/1.0 can still be forced using a stream context option.

Closes GH-5899.

show more ...

Merge branch 'levim/assert-throw'

This changes assert.exception to default to 1, or on by default.
Closes GH-5925.

Promote "undefined array key" notice to warning

This implements the last remaining part of the
https://wiki.php.net/rfc/engine_warnings RFC.

Closes GH-5927.

datetime: new format "p", same as "P" but returning "Z" for UTC

Default assert.exception to 1

Ensure correct signatures for magic methods

[skip ci] Fix grammar/typo nits in docs

The PHP error message says "well-formed", not "well formed"

Fixes GH-5920

Convert resources to objects in ext/openssl

Closes GH-5860

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Allow overriding completion in `auto_prepend_file`

Currently, it's possible to override `php -a`s completion
functionality to provide an alternative to the C implementation,
with `re

Allow overriding completion in `auto_prepend_file`

Currently, it's possible to override `php -a`s completion
functionality to provide an alternative to the C implementation,
with `readline_completion_function()`.

However, that surprisingly gets overridden when called from
`auto_prepend_file`, because those scripts get run before the interactive shell
is started. I believe that not overriding it would be more consistent
with what happens when you override the completion function **after** the
interactive shell.

CLI is the only built-in API that uses this (See discussion in GH-5872).
I believe MINIT and RINIT will only run once when invoked with `php -a`.

Add documentation about the architecture of how php uses readline/libedit

Closes GH-5872

show more ...

Implement named parameters

From an engine perspective, named parameters mainly add three
concepts:

* The SEND_* opcodes now accept a CONST op2, which is the
argument nam

Implement named parameters

From an engine perspective, named parameters mainly add three
concepts:

* The SEND_* opcodes now accept a CONST op2, which is the
argument name. For now, it is looked up by linear scan and
runtime cached.
* This may leave UNDEF arguments on the stack. To avoid having
to deal with them in other places, a CHECK_UNDEF_ARGS opcode
is used to either replace them with defaults, or error.
* For variadic functions, EX(extra_named_params) are collected
and need to be freed based on ZEND_CALL_HAS_EXTRA_NAMED_PARAMS.

RFC: https://wiki.php.net/rfc/named_params

Closes GH-5357.

show more ...

Improve wording and spelling consistency in UPGRADING

[ci skip]

Implement 'Saner Numeric Strings' RFC:

RFC: https://wiki.php.net/rfc/saner-numeric-strings

This removes the -1 allow_error mode from is_numeric_string functions and replaces it by

Implement 'Saner Numeric Strings' RFC:

RFC: https://wiki.php.net/rfc/saner-numeric-strings

This removes the -1 allow_error mode from is_numeric_string functions and replaces it by
a trailing boolean out argument to preserve BC in a couple of places.

Most of the changes can be resumed to "numeric" strings which emitted a E_NOTICE now emit
a E_WARNING and "numeric" strings which emitted a E_WARNING now throw a TypeError.

This mostly affects:
- String offsets
- Arithmetic operations
- Bitwise operations

Closes GH-5762

show more ...

Implement Shorter Attribute Syntax

RFC: https://wiki.php.net/rfc/shorter_attribute_syntax

Closes GH-5796.

Co-authored-by: Martin Schröder <m.schroeder2007@gmail.com>

[skip ci] Add zend.exception_string_param_max_len to UPGRADING

For GH-5769 (mentioned in 07db64156e180c30daa5ab5d41ed72f9bba77e6d)

Fix bug #79108

Don't expose references in debug_backtrace() or exception traces.
This is regardless of whether the argument is by-reference or not.

As a side-effect of this chan

Fix bug #79108

Don't expose references in debug_backtrace() or exception traces.
This is regardless of whether the argument is by-reference or not.

As a side-effect of this change, exception traces may now acquire
the interior value of a reference, which may be unexpected for
some internal functions. This is what necessitated the change in
the spl_array sort implementation.

show more ...

Avoid UNKNOWN default in PDO::query()

Make nested ternary without parentheses a compile error

This was deprecated in PHP 7.4.

Implement nullsafe ?-> operator

RFC: https://wiki.php.net/rfc/nullsafe_operator

Closes GH-5619.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Treat namespaced names as single token

Namespace names are now lexed as single tokens of type
T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED or T_NAME_RELATIVE.

RFC: https://wiki.php.

Treat namespaced names as single token

Namespace names are now lexed as single tokens of type
T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED or T_NAME_RELATIVE.

RFC: https://wiki.php.net/rfc/namespaced_names_as_token

Closes GH-5827.

show more ...

Improved number to string comparison semantics

RFC: https://wiki.php.net/rfc/string_to_number_comparison

Closes GH-3886.

Fix bug #79857: Add upgrading note for exit dtor change

[ci skip]

Ignore inheritance rules on private methods

Closes GH-5401