random: Move CSPRNG API into php_random_csprng.h (#13290)

This allows consumers of just the CSPRNG to include a much smaller header. It
also allows to verify at a glance whether a source

random: Move CSPRNG API into php_random_csprng.h (#13290)

This allows consumers of just the CSPRNG to include a much smaller header. It
also allows to verify at a glance whether a source file might use non-secure
randomness.

This commit includes the new header wherever the CSPRNG is used, possibly
replacing the inclusion of php_random.h if nothing else is used, but also
includes it in the main php_random.h header for compatibility.

Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1,
2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and
b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.

show more ...

Fix #49278: SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output

Instead of early exiting, process the headers if tracing is enabled, and
exit after that.

Fix #49278: SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output

Instead of early exiting, process the headers if tracing is enabled, and
exit after that.

Closes GH-12609.

show more ...

Fix wrong backporting of previous soap patch

Fix GH-11382 add missing hash header for bin2hex

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we have still a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject
a request due to a repeated (cnonce, nc) pair. As per the birthday
problem 31 bits of randomness will return a duplication with 50%
chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a
malicious server that returns a constant server nonce where the server
precomputed a rainbow table between passwords and correct client response.
As storage is fairly cheap, a server could precompute the client responses
for (a subset of) client nonces and still have a chance of reversing the
client response with the same probability as the cnonce duplication.

Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
table size by factor 2 billion, which is infeasible. But precomputing it
for 2^14 cnonces only increases the table size by factor 16k and the server
would still have a 10% chance of successfully reversing a password with a
single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php_random_bytes_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>

show more ...

Implement Random Extension

https://wiki.php.net/rfc/rng_extension
https://wiki.php.net/rfc/random_extension_improvement

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[i]
instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
familied for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
(ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.

show more ...

Slightly clean up cookies handling

Make the property always an array with an empty array default.
Properly separate the array on modification to compensate.

Fix missing string copy

I changed this to a zend_string_copy, but that's not correct in
this case, as we still append to the string below.

Also fix a test on 32-bit.

Move derefs into accessor macros

These derefs are mostly there to be defensive, but clutter the
code somewhat. Move them directly into the access macros.

Declare remaining SoapClient properties

Use separate property to request digit auth

Currently, _digest is used both to request that digest auth be
used (_digest == null) and to later store the _digest parameters.

This

Use separate property to request digit auth

Currently, _digest is used both to request that digest auth be
used (_digest == null) and to later store the _digest parameters.

This relies on the ability to distinguish between _digest being
null and it being not set, which is not present with declared
properties. (Well, technically it is, we could just leave it
uninitialized, but that would be non-idiomatic.)

Resolve this by splitting into separate _use_digest and _digest
properties.

show more ...

Declare some SoapClient properties

This is only a subset of all properties for now (those without
underscore).

Fixed some spaces used instead of tabs

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |

show more ...

Use zend_string_equals() API instead of strcmp() in SOAP extension

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.

show more ...

ext/soap: Compare Set-Cookie header case-insensitively

Closes GH-6143.

Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"

Remove mention of PHP major version in Copyright headers

Closes GH-4732.

Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Function

Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.

As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).

I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.

show more ...

Use ZEND_HASH_FOREACH APIs in a few more places

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'st

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'stream_context' => stream_context_create([
'http' => [
'content_type' => 'foobarX',
],
]),
]);

This is a backport of c55af3c65ac116bbd935bd3d695869d88056c49c
to the PHP 7.2 branch.

show more ...

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'st

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

$client = new SoapClient('http://url.wsdl&v=latest', [
'stream_context' => stream_context_create([
'http' => [
'content_type' => 'foobarX',
],
]),
]);

show more ...

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly used by Vim and Emacs editors
yet with recent changes the once working definitions don't work
anymore in Vim without custom plugins or additional configuration.
Neither are these settings synced across the PHP code base.

A simpler and better approach is EditorConfig and fixing code
using some code style fixing tools in the future instead.

This patch also removes the so called modelines for Vim. Modelines
allow Vim editor specifically to set some editor configuration such as
syntax highlighting, indentation style and tab width to be set in the
first line or the last 5 lines per file basis. Since the php test
files have syntax highlighting already set in most editors properly and
EditorConfig takes care of the indentation settings, this patch removes
these as well for the Vim 6.0 and newer versions.

With the removal of local variables for certain editors such as
Emacs and Vim, the footer is also probably not needed anymore when
creating extensions using ext_skel.php script.

Additionally, Vim modelines for setting php syntax and some editor
settings has been removed from some *.phpt files. All these are
mostly not relevant for phpt files neither work properly in the
middle of the file.

show more ...