#
97b3b455 |
| 01-Feb-2024 |
Tim Düsterhus |
random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source file might use non-secure randomness. This commit includes the new header wherever the CSPRNG is used, possibly replacing the inclusion of php_random.h if nothing else is used, but also includes it in the main php_random.h header for compatibility. Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1, 2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.
|
#
92e4e8bd |
| 04-Nov-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix #49278: SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output Instead of early exiting, process the headers if tracing is enabled, and exit after that. Closes GH-12609.
|
#
32c7c433 |
| 06-Jun-2023 |
Pierrick Charron |
Fix wrong backporting of previous soap patch
|
#
05724482 |
| 06-Jun-2023 |
Remi Collet |
Fix GH-11382 add missing hash header for bin2hex
|
#
ac4254ad |
| 16-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but still sent to the server. The client nonce is intended to protect against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent, enumerating 31 bits is trivial. So we still have a stack information leak of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject a request due to a repeated (cnonce, nc) pair. As per the birthday problem 31 bits of randomness will return a duplication with 50% chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a malicious server that returns a constant server nonce where the server precomputed a rainbow table between passwords and correct client response. As storage is fairly cheap, a server could precompute the client responses for (a subset of) client nonces and still have a chance of reversing the client response with the same probability as the cnonce duplication.
  Precomputing the rainbow table for all 2^31 cnonces increases the rainbow table size by factor 2 billion, which is infeasible. But precomputing it for 2^14 cnonces only increases the table size by factor 16k and the server would still have a 10% chance of successfully reversing a password with a single client request.

This patch fixes the issues by increasing the nonce size, and checking the return value of php_random_bytes_throw(). In the process we also get rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>
|
#
4d8dd8d2 |
| 19-Jul-2022 |
Go Kudo |
Implement Random Extension https://wiki.php.net/rfc/rng_extension https://wiki.php.net/rfc/random_extension_improvement
|
#
90b7bde6 |
| 03-Nov-2021 |
Dmitry Stogov |
Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible through ht->arPacked[i] instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar families for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes (ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array (packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX, ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.
|
#
841d0b30 |
| 20-Aug-2021 |
Nikita Popov |
Slightly clean up cookies handling Make the property always an array with an empty array default. Properly separate the array on modification to compensate.
|
#
de6cf68a |
| 20-Aug-2021 |
Nikita Popov |
Fix missing string copy I changed this to a zend_string_copy, but that's not correct in this case, as we still append to the string below. Also fix a test on 32-bit.
|
#
50484b59 |
| 20-Aug-2021 |
Nikita Popov |
Move derefs into accessor macros These derefs are mostly there to be defensive, but clutter the code somewhat. Move them directly into the access macros.
|
#
e6c6abf6 |
| 19-Aug-2021 |
Nikita Popov |
Declare remaining SoapClient properties
|
#
aa4898ef |
| 20-Aug-2021 |
Nikita Popov |
Use separate property to request digest auth

Currently, _digest is used both to request that digest auth be used (_digest == null) and to later store the _digest parameters. This relies on the ability to distinguish between _digest being null and it being not set, which is not present with declared properties. (Well, technically it is, we could just leave it uninitialized, but that would be non-idiomatic.)

Resolve this by splitting into separate _use_digest and _digest properties.
|
#
018cb891 |
| 19-Aug-2021 |
Nikita Popov |
Declare some SoapClient properties This is only a subset of all properties for now (those without underscore).
|
#
aff36587 |
| 29-Jun-2021 |
Patrick Allaert |
Fixed some spaces used instead of tabs
|
#
01b3fc03 |
| 06-May-2021 |
KsaR |
Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |
|
#
84e12626 |
| 17-Mar-2021 |
George Peter Banyard |
Use zend_string_equals() API instead of strcmp() in SOAP extension
|
#
3e01f5af |
| 15-Jan-2021 |
Nikita Popov |
Replace zend_bool uses with bool We're starting to see a mix between uses of zend_bool and bool. Replace all usages with the standard bool type everywhere. Of course, zend_bool is retained as an alias.
|
#
efc52f17 |
| 16-Sep-2020 |
Gabríel Arthúr Pétursson |
ext/soap: Compare Set-Cookie header case-insensitively Closes GH-6143.
|
#
f7c43b8c |
| 18-Aug-2020 |
Matteo Beccati |
Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"
|
Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3 |
|
#
5d6e923d |
| 24-Sep-2019 |
Gabriel Caruso |
Remove mention of PHP major version in Copyright headers Closes GH-4732.
|
Revision tags: php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1, php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1 |
|
#
d59aac58 |
| 18-Jul-2019 |
Nikita Popov |
Report errors from stream read and write operations The php_stream_read() and php_stream_write() functions now return an ssize_t value, with negative results indicating failure. Functions like fread() and fwrite() will return false in that case. As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams should not be regarded as error conditions, and be reported as successful zero-length reads/writes instead. The handling of EINTR remains unclear and is internally inconsistent (e.g. some code-paths will automatically retry on EINTR, while some won't). I'm landing this now to make sure the stream wrapper ops API changes make it into 7.4 -- however, if the user-facing changes turn out to be problematic we have the option of clamping negative returns to zero in php_stream_read() and php_stream_write() to restore the old behavior in a relatively non-intrusive manner.
|
#
290e520c |
| 16-Jul-2019 |
Nikita Popov |
Use ZEND_HASH_FOREACH APIs in a few more places
|
Revision tags: php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2, php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30, php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5 |
|
#
5f8c22d4 |
| 23-Apr-2019 |
Vincent JARDIN |
Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);

This is a backport of c55af3c65ac116bbd935bd3d695869d88056c49c to the PHP 7.2 branch.
|
#
c55af3c6 |
| 23-Apr-2019 |
Vincent JARDIN |
Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);
|
Revision tags: php-7.2.18RC1, php-7.3.5RC1, php-7.2.17, php-7.3.4, php-7.1.28, php-7.3.4RC1, php-7.2.17RC1, php-7.1.27, php-7.3.3, php-7.2.16, php-7.3.3RC1, php-7.2.16RC1, php-7.2.15, php-7.3.2, php-7.2.15RC1 |
|
#
92ac598a |
| 22-Jan-2019 |
Peter Kokot |
Remove local variables This patch removes the so called local variables defined per file basis for certain editors to properly show tab width, and similar settings. These are mainly used by Vim and Emacs editors yet with recent changes the once working definitions don't work anymore in Vim without custom plugins or additional configuration. Neither are these settings synced across the PHP code base. A simpler and better approach is EditorConfig and fixing code using some code style fixing tools in the future instead. This patch also removes the so called modelines for Vim. Modelines allow Vim editor specifically to set some editor configuration such as syntax highlighting, indentation style and tab width to be set in the first line or the last 5 lines per file basis. Since the php test files have syntax highlighting already set in most editors properly and EditorConfig takes care of the indentation settings, this patch removes these as well for the Vim 6.0 and newer versions. With the removal of local variables for certain editors such as Emacs and Vim, the footer is also probably not needed anymore when creating extensions using ext_skel.php script. Additionally, Vim modelines for setting php syntax and some editor settings has been removed from some *.phpt files. All these are mostly not relevant for phpt files neither work properly in the middle of the file.
|