NEWS/UPGRADING changes

[ci skip] NEWS

Fix GH-8924 str_split of empty string must return empty array

Closes #8945.

Update UPGRADING

[ci skip] Fix typo

Fix GH-8907: Document forgotten API changes.

binary safe string comparisons and recent socket option addition.

Closes #8910.

[ci skip] NEWS and UPGRADING

[ci skip] Add true type support to UPGRADING file

Closes GH-8826.

Implement #77726: Allow null character in regex patterns

In 8b3c1a3, this was disallowed to fix #55856, which was a security
issue caused by the /e modifier. The fix that was made was th

Implement #77726: Allow null character in regex patterns

In 8b3c1a3, this was disallowed to fix #55856, which was a security
issue caused by the /e modifier. The fix that was made was the
"Easier fix" as described in the original report.

With this fix, pattern strings are no longer treated as null terminated,
so null characters can be placed inside and matched against with regex
patterns without security problems, so there is no longer a reason to
give the error. Allowing this is consistent with the behaviour of many
other languages, including JavaScript, and thanks to PCRE2[0], it does
not require manually escaping null characters. Now that we can avoid the
error here without the cost of escaping characters, there is really no
need anymore to stray here from the conventional behaviour.

Currently, null characters are still disallowed before the first
delimiter and in the options section at the end of a regex string, but
these error messages have been updated.

[0] Since PCRE2, pattern strings no longer have to be null terminated,
and raw null characters match as normal.

Closes GH-8114.

show more ...

Deprecate zend_atol() / add zend_ini_parse_quantity() (#7951)

Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()

zend_atol() and zend_atoi() don't just do number p

Deprecate zend_atol() / add zend_ini_parse_quantity() (#7951)

Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()

zend_atol() and zend_atoi() don't just do number parsing.
They also check for a 'K', 'M', or 'G' at the end of the string,
and multiply the parsed value out accordingly.

Unfortunately, they ignore any other non-numerics between the
numeric component and the last character in the string.
This means that numbers such as the following are both valid
and non-intuitive in their final output.

* "123KMG" is interpreted as "123G" -> 132070244352
* "123G " is interpreted as "123 " -> 123
* "123GB" is interpreted as "123B" -> 123
* "123 I like tacos." is also interpreted as "123." -> 123

Currently, in php-src these functions are used only for parsing ini values.

In this change we deprecate zend_atol(), zend_atoi(), and introduce a new
function with the same behavior, but with the ability to report invalid inputs
to the caller. The function's name also makes the behavior less unexpected:
zend_ini_parse_quantity().

Co-authored-by: Sara Golemon <pollita@php.net>

show more ...

Add new curl_upkeep() function

Expose new constants from libcurl 7.62 to 7.80

Add deprecation notices to utf8_encode and utf8_decode

Implements initial stage of accepted RFC to remove them:
https://wiki.php.net/rfc/remove_utf8_decode_and_utf8_encode

Tests

Add deprecation notices to utf8_encode and utf8_decode

Implements initial stage of accepted RFC to remove them:
https://wiki.php.net/rfc/remove_utf8_decode_and_utf8_encode

Tests relating to SOAP and htmlspecialchars seem to have been
using this entirely unnecessarily, so have been fixed.

Closes GH-8726.

show more ...

Add `SO_SETFIB` FreeBSD socket option constant.

Aims to set the route table.
Closes #8742.

Remove internal usage of SplFileInfo::_bad_state_ex() method (#8318)

* Use standard VM handling instead
* Deprecate the method as it is now useless

Add `SO_BPF_EXTENSIONS` flag to socket.

Returns the supported bpf extensions from the kernel. Linux only.
Closes GH-8713.

[skip ci] Update UPGRADING in regards to iterable compile time alias

Implements ancillary data on NetBSD.

With the couple LOCAL_CREDS/SCM_CREDS, in this system we get all the
infos needed (included the process id).
Closes GH-8700.

Implements socket ancillary data on FreeBSD. (#7708)

using LOCAL_CREDS_PERSISTENT/SCM_CREDS2 instead so we also get the send process id.

UPGRADING for libmysql change

Add upgrading entry for DatePeriod property changes

[skip ci]

Quote when adding to connection string in (PDO_)ODBC

Because the UID= and PWD= values are appended to the SQLDriverConnect
case when credentials are passed, we have to append them to the

Quote when adding to connection string in (PDO_)ODBC

Because the UID= and PWD= values are appended to the SQLDriverConnect
case when credentials are passed, we have to append them to the string
in case users are relying on this behaviour. However, they must be
quoted, or the arguments will be invalid (or possibly more injected).
This means users had to quote arguments or append credentials to the raw
connection string themselves.

It seems that ODBC quoting rules are consistent enough (and that
Microsoft trusts them enough to encode into the .NET BCL) that we can
actually check if the string is already quoted (in case a user is
already quoting because of this not being fixed), and if not, apply the
appropriate ODBC quoting rules.

This is because the code exists in main/, and are shared between
both ODBC extensions, so it doesn't make sense for it to only exist
in one or the other. There may be a better spot for it.

Closes GH-8307.

show more ...

[ci skip] NEWS, UPGRADING

Add upgrading entry for ext/tidy property changes

[skip ci]

Added a few missing punctuation marks in UPGRADING