| #
093c08af |
| 17-Mar-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
The check happened too early as later code paths may perform more
mangling rules. Move the chec
Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
The check happened too early as later code paths may perform more
mangling rules. Move the check downwards right before adding the actual
variable.
show more ...
|
| #
cd66fcc6 |
| 17-Jun-2023 |
Ilija Tovilo |
Add request_parse_body() function
RFC: https://wiki.php.net/rfc/rfc1867-non-post
This function allows populating the $_POST and $_FILES globals for non-post
requests. This avoid
Add request_parse_body() function
RFC: https://wiki.php.net/rfc/rfc1867-non-post
This function allows populating the $_POST and $_FILES globals for non-post
requests. This avoids manual parsing of RFC1867 requests.
Fixes #55815
Closes GH-11472
show more ...
|
| #
732d92c0 |
| 28-Apr-2023 |
Javier Eguiluz |
[skip ci] Fix various typos and grammar issues (#11143)
|
| #
bc30ae4f |
| 19-Jan-2024 |
Jakub Zelenka |
Fix bug #75712: getenv in php-fpm should not read $_ENV, $_SERVER
Closes GH-13195
|
| #
0611be4e |
| 09-Sep-2022 |
Derick Rethans |
Fix #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.
|
| #
55908db0 |
| 16-May-2022 |
George Peter Banyard |
Add php_register_known_variable() for know var names
|
| #
b9e895bc |
| 31-Mar-2022 |
Max Kellermann |
Replace memcmp() with zend_string functions (#8216)
* ext/oci8: use zend_string_equals()
Eliminate duplicate code.
* main/php_variables: use zend_string_equals_literal()
Replace memcmp() with zend_string functions (#8216)
* ext/oci8: use zend_string_equals()
Eliminate duplicate code.
* main/php_variables: use zend_string_equals_literal()
Eliminate duplicate code.
* Zend/zend_string: add zend_string_equals_cstr()
Allows eliminating duplicate code.
* Zend, ext/{opcache,standard}, main/output: use zend_string_equals_cstr()
Eliminate duplicate code.
* Zend/zend_string: add zend_string_starts_with()
* ext/{opcache,phar,spl,standard}: use zend_string_starts_with()
This adds missing length checks to several callers, e.g. in
cache_script_in_shared_memory(). This is important when the
zend_string is shorter than the string parameter, when memcmp()
happens to check backwards; this can result in an out-of-bounds memory
access.
show more ...
|
| #
93a3c71e |
| 11-Jan-2022 |
Christoph M. Becker |
Fix GH-7896: Environment vars may be mangled on Windows
When bug 77574[1] has been fixed, the fix only catered to variables
retrieved via `getenv()` with a `$varname` passed, but neither
Fix GH-7896: Environment vars may be mangled on Windows
When bug 77574[1] has been fixed, the fix only catered to variables
retrieved via `getenv()` with a `$varname` passed, but neither to
`getenv()` without arguments nor to the general import of environment
variables into `$_ENV` and `$_SERVER`. We catch up on this by using
`GetEnvironmentStringsW()` in `_php_import_environment_variables()` and
converting the encoding to whatever had been chosen by the user.
[1] <https://bugs.php.net/bug.php?id=75574>
Closes GH-7928.
show more ...
|
| #
01b3fc03 |
| 06-May-2021 |
KsaR |
Update http->https in license (#6945)
1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as
Update http->https in license (#6945)
1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |
show more ...
|
| #
462da6e0 |
| 31-Mar-2021 |
Josh Soref |
Fix spelling and grammar mistakes
This PR corrects misspellings identified by the check-spelling action.
The misspellings have been reported at jsoref@b6ba3e2#commitcomment-48946465
Fix spelling and grammar mistakes
This PR corrects misspellings identified by the check-spelling action.
The misspellings have been reported at jsoref@b6ba3e2#commitcomment-48946465
The action reports that the changes in this PR would make it happy: jsoref@602417c
Closes GH-6822.
show more ...
|
| #
4ce5d2ea |
| 09-Apr-2021 |
Nikita Popov |
Add known strings for jit autoglobals
We always create interned strings for all autoglobals anyway, so
we might as well add known strings to make them more widely usable.
|
| #
3e01f5af |
| 15-Jan-2021 |
Nikita Popov |
Replace zend_bool uses with bool
We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.
Of course, zend_bool
Replace zend_bool uses with bool
We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.
Of course, zend_bool is retained as an alias.
show more ...
|
| #
95e1a415 |
| 21-Sep-2020 |
Stanislav Malyshev |
Do not decode cookie names anymore
|
| #
6559fe91 |
| 21-Sep-2020 |
Stanislav Malyshev |
Do not decode cookie names anymore
|
| #
fc4d462e |
| 23-Jul-2020 |
Christoph M. Becker |
Fix #78236: convert error on receiving variables when duplicate [
When an input variable name contains a non matched open bracket, we not
only have to replace that with an underscore, bu
Fix #78236: convert error on receiving variables when duplicate [
When an input variable name contains a non matched open bracket, we not
only have to replace that with an underscore, but also all following
forbidden characters.
show more ...
|
| #
2b5de6f8 |
| 01-Jul-2020 |
Max Semenik |
Remove proto comments from C files
Closes GH-5758
|
| #
83a77015 |
| 08-Jun-2020 |
twosee |
Add helper APIs for maybe-interned string creation
Add ZVAL_CHAR/RETVAL_CHAR/RETURN_CHAR as a shortcut for using
ZVAL_INTERNED_STRING and ZSTR_CHAR.
Add zend_string_init_fast()
Add helper APIs for maybe-interned string creation
Add ZVAL_CHAR/RETVAL_CHAR/RETURN_CHAR as a shortcut for using
ZVAL_INTERNED_STRING and ZSTR_CHAR.
Add zend_string_init_fast() as a helper for the empty string /
one char interned string / zend_string_init() pattern.
Also add corresponding ZVAL_STRINGL_FAST etc macros.
Closes GH-5684.
show more ...
|
| #
88355dd3 |
| 07-Jun-2020 |
twosee |
Constify char * arguments of APIs
Closes GH-5676.
|
| #
f91f7260 |
| 22-Apr-2020 |
George Peter Banyard |
Drop unnecessary stdint and inttypes header checks
These are always available as of C99.
Closes GH-5323
Co-authored-by: "Christoph M. Becker" <cmbecker69@gmx.de>
|
| #
7b464ce6 |
| 11-Feb-2020 |
Christoph M. Becker |
Fix #79254: getenv() w/o arguments not showing changes
To be able to see changes done only with `SetEnvironmentVariable()`, we
have to use `GetEnvironmentStrings()` instead of `environ`,
Fix #79254: getenv() w/o arguments not showing changes
To be able to see changes done only with `SetEnvironmentVariable()`, we
have to use `GetEnvironmentStrings()` instead of `environ`, because the
latter sees only changes done with `putenv()`.
For best backward compatibility we're using `GetEnvironmentStringsA()`;
switching to the wide string version likely makes sense for master,
though.
show more ...
|
| #
58b17906 |
| 03-Feb-2020 |
Nikita Popov |
Apply tidy formatting
Mostly reindent PHP scripts to spaces.
|
| #
79376ab2 |
| 12-Dec-2019 |
Kachalin Alexey |
Fix #78929: plus signs in cookie values are converted to spaces
We switch the cookie value parsing function from `php_url_decode()` to
`php_raw_url_decode()`, so that cookie values are n
Fix #78929: plus signs in cookie values are converted to spaces
We switch the cookie value parsing function from `php_url_decode()` to
`php_raw_url_decode()`, so that cookie values are now parsed according
to RFC 6265, section 4.1.1. We also refactor to remove duplicate code
without changing the execution flow.
show more ...
|
|
Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3 |
|
| #
5d6e923d |
| 24-Sep-2019 |
Gabriel Caruso |
Remove mention of PHP major version in Copyright headers
Closes GH-4732.
|
|
Revision tags: php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1, php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1 |
|
| #
d59aac58 |
| 18-Jul-2019 |
Nikita Popov |
Report errors from stream read and write operations
The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Function
Report errors from stream read and write operations
The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.
As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).
I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.
show more ...
|
|
Revision tags: php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2, php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30, php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5, php-7.2.18RC1, php-7.3.5RC1, php-7.2.17, php-7.3.4, php-7.1.28 |
|
| #
072eb6dd |
| 29-Mar-2019 |
Joe Watkins |
tsrm environment lock
|
