daa38dd6 | 20-Nov-2023 | Ilija Tovilo
Fix in-place modification of filename in php_message_handler_for_zend
php_strip_url_passwd modifies url in-place. We cannot assume from php_message_handler_for_zend that data is a temporary, modifiable string.
Fixes oss-fuzz #64209
Closes GH-12733

51faf04d | 15-Mar-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c
The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers. It's possible that the thread disappears without us knowing, and then another thread gets spawned some time later with the same ID as the disappeared thread. Note that since it's a new thread the TSRM key pointer and cached pointer will be NULL. The Apache request handler `php_handler()` will try to fetch some fields from the SAPI globals. It uses a lazy thread resource allocation by calling `ts_resource(0);`. This allocates a thread resource and sets up the TSRM pointers if they haven't been set up yet. At least, that's what's supposed to happen. But since we are in a situation where the thread ID still has the resources of the *old* thread associated in the hashtable, the loop in `ts_resource_ex` will find that thread resource and assume the thread has been set up already. But this is not the case since this thread is actually a new thread, just reusing the ID of the old one, without any relation whatsoever to the old thread. Because of this assumption, the TSRM pointers will not be set up, leading to a NULL pointer dereference when trying to access the SAPI globals. We can easily detect this scenario: if we're in the fallback path, and the pointer is NULL, and we're looking for our own thread resource, we know we're actually reusing a thread ID. In that case, we'll free up the old thread resources gracefully (gracefully because there might still be resources open like database connections which need to be shut down cleanly). After freeing the resources, we'll create the new resources for this thread as if the stale resources never existed in the first place. From that point forward, it is as if that situation never occurred.
The fact that this situation happens isn't that bad because a child process containing threads will eventually be respawned anyway by the SAPI, so the stale thread resources won't remain forever. Note that we can't simply assign our own TSRM pointers to the existing thread resource for our ID, since it was actually from a different thread (just with the same ID!). Furthermore, the dynamically loaded extensions have their own pointer, which is only set when their constructor is called, so we'd have to call their constructor anyway... I also tried to call the dtor and then the ctor again for those resources on the pre-existing thread resource to reuse storage, but that didn't work properly because other code doesn't expect something like that to happen, which breaks assumptions, and this in turn caused Valgrind to (rightfully) complain about memory bugs. Note 2: I also had to fix a bug in the core globals destruction because it always assumed that the thread destroying them was the owning thread, which on TSRM shutdown isn't always the case. A similar bug was fixed recently with the JIT globals.
Closes GH-10863.

716de0cf | 19-Jan-2023 | Jakub Zelenka
Introduce max_multipart_body_parts INI
This fixes the GHSA-54hq-v5wp-fqgv DOS vulnerability by limiting the number of parsed multipart body parts, as currently all parts were always parsed.

3503b1da | 26-Jun-2022 | Jakub Zelenka
Fix bug #77780: "Headers already sent" when previous connection was aborted
This change primarily splits SAPI deactivation into module and destroy parts. The reason is that currently some SAPIs might bail out on deactivation. One of those SAPIs is PHP-FPM, which can bail out on request end if for example the connection is closed by the client (web server). The problem is that in such a case the resources are not freed and some values are not reset. The most visible impact is not resetting PG(headers_sent), which can cause errors in the next request. One such issue is described in bug #77780, which this fixes and is also covered by a test in this commit. It seems reasonable to separate deactivation and destroying of the resource, which means that the bail out will not impact it.

77e954af | 05-Jul-2022 | Christoph M. Becker
Fix GH-8923: error_log on Windows can hold the file write lock
On Windows, closing a file which is locked may not immediately remove the lock. The `LockFileEx()` documentation states:
| Therefore, it is recommended that your process explicitly unlock all
| files it has locked when it terminates.
We comply, and also use the macro `LOCK_EX` instead of the magic number `2`.
Closes GH-8925.

efc8f0eb | 17-Jun-2022 | Arnaud Le Blanc
Deprecate zend_atol() / add zend_ini_parse_quantity() (#7951)
Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()
zend_atol() and zend_atoi() don't just do number parsing. They also check for a 'K', 'M', or 'G' at the end of the string, and multiply the parsed value out accordingly. Unfortunately, they ignore any other non-numerics between the numeric component and the last character in the string. This means that numbers such as the following are both valid and non-intuitive in their final output.
* "123KMG" is interpreted as "123G" -> 132070244352
* "123G " is interpreted as "123 " -> 123
* "123GB" is interpreted as "123B" -> 123
* "123 I like tacos." is also interpreted as "123." -> 123
Currently, in php-src these functions are used only for parsing ini values. In this change we deprecate zend_atol(), zend_atoi(), and introduce a new function with the same behavior, but with the ability to report invalid inputs to the caller. The function's name also makes the behavior less unexpected: zend_ini_parse_quantity().
Co-authored-by: Sara Golemon <pollita@php.net>

Revision tags: php-8.1.7RC1

5ba6ecd5 | 24-May-2022 | George Peter Banyard
Minor refactoring of main/main.c and TSRM (#8608)

265c88b9 | 22-May-2022 | George Peter Banyard
Don't initialise pointers to zend_stat_t

2ecd46f4 | 22-May-2022 | George Peter Banyard
Initialise zend_stat_t to fix MSAN build

b5db594f | 27-Apr-2022 | George Peter Banyard
Refactor php_module_startup() (#8303)
It only ever uses at most 1 additional module

93a44f8c | 15-Jun-2022 | Heiko Weber
Fix potential use after free in php_binary_init()
Closes GH-8791.

f07a08df | 06-May-2022 | Arnaud Le Blanc
Fix unregistering ini entries of dynamically loaded extension (#8435)
Fixes GH-8185

1bd9890b | 06-Apr-2022 | Christoph M. Becker
Fix GH-8310: Registry settings are no longer recognized
`zend_file_handle->filename` is a `zend_string*` pointer now, so we must not cast to `char*` but rather pass the underlying `char*`.
Closes GH-8313.

Revision tags: php-8.1.4RC1, php-8.1.3

e6cf5831 | 12-Feb-2022 | Bob Weinand
Fix GH-8082: Prevent leaking memory on observed transient run_time_caches
This is achieved by tracking the observers on the run_time_cache (with a fixed amount of slots, 2 for each observer). That way round, if the run_time_cache is freed all associated observer data is as well. This approach has been chosen, as to avoid any ABI or API breakage. Future versions may for example choose to provide a hookable API for run_time_cache freeing or similar.

Revision tags: php-8.1.2RC1, php-8.1.0, php-7.3.33

26e42446 | 09-Nov-2021 | Nikita Popov
Fix bug #81598: Use C.UTF-8 as LC_CTYPE locale by default
Unfortunately, libedit is locale based and does not accept UTF-8 input when the C locale is used. This patch switches the default locale to C.UTF-8 instead (if it is available). This makes libedit work and I believe it shouldn't affect behavior of single-byte locale-dependent functions that PHP otherwise uses.
Closes GH-7635.

4c171ed5 | 04-Nov-2021 | Nikita Popov
Fix bug #81591: ignore_repeated_errors broken
We should suppress the error if the message is the same, not if it's different. Apparently we had no test coverage for these options.

Revision tags: php-7.3.32

36576936 | 12-Oct-2021 | Christoph M. Becker
Fix #81518: Header injection via default_mimetype / default_charset
We forbid setting these INI options to values containing NUL bytes, CR or LF.
Closes GH-7574.

c96be7b8 | 24-Sep-2021 | Tim Starling
Use ASCII lower case for misc case folding
Use ASCII case conversion instead of locale-dependent case conversion in the following places:
* grapheme_stripos() and grapheme_strripos() in the "fast" path
* ldap_get_entries()
* oci_pconnect() for case folding of parameters when constructing a key into the connection or session pool
* SoapClient: case folding of function names
* get_meta_tags(): case conversion of property names
* http stream wrapper: header names
* phpinfo(): anchor names
* php_verror(): docref URLs
* rfc1867.c: Content-Type boundary parameter name
* streams.c: stream protocol names
Using locale-dependent case folding for these cases is either unnecessary or actively incorrect. These functions could have misbehaved when used with certain locales (e.g. Turkish).
Closes GH-7511.

Revision tags: php-7.3.31, php-7.3.30

1da5df80 | 21-Jul-2021 | Nikita Popov
Don't enable rc_debug mode if module startup fails

efbb2198 | 12-Jul-2021 | Nikita Popov
Return value from ZEND_ATOL
Instead of assigning it as part of the macro itself, which makes usage quite awkward.

Revision tags: php-7.3.29, php-7.3.28

98a21d1d | 12-Feb-2021 | Calvin Buckley
Fix bug #80728: Don't reset the timeout on ini deactivate
When the time limit for a script is changed, when the script ends, its INI value will be reset. This calls the event handler for the timeout change, which will unset then reset the timeout. However, this is done even if the script is done executing, and say, the CGI or CLI web server process is idle. This is probably incorrect, but isn't a problem on most platforms, because PHP uses a timer that only ticks when the process is active (that is, executing code). Since when it's idle, it's blocking on listen/read, it won't tick because nothing executes. However, on platforms where only the real-time timer is supported (Cygwin/PASE), it ticks regardless of whether PHP is even executing. This means that the idle processes are subject to timeouts from the INI reset on script end. This makes it so the timer is never set if the state is deactivating. Testing with the CLI web server indicates the timer no longer spuriously activates under PASE.
Closes GH-6683.

aff36587 | 29-Jun-2021 | Patrick Allaert
Fixed some spaces used instead of tabs

d8165c25 | 08-Jun-2021 | Nikita Popov
Fixed bug #81104
When the memory limit is restored during shutdown, we may still be using a lot of memory. Ignore the failure at that point and set it again after the MM is shut down, at which point memory usage should be at its lowest point.

e9b00515 | 31-May-2021 | Nikita Popov
Fix output buffer discard on memory limit
Move this code directly into the error handler, and check the heap->overflow flag. Discarding output here allows us to print the normal memory limit message to standard output. Otherwise nothing would be printed unless a different log medium was used, which makes for a suboptimal debugging experience.

1aafed5e | 31-May-2021 | Nikita Popov
Remove zend_set_memory_limit_ex() API
This was added temporarily for the PHP-8.0 branch to avoid an ABI break.