Fix GHSA-9pqp-7h25-4f32

multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.

Limit boundary size, as allowed by

Fix GHSA-9pqp-7h25-4f32

multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.

Limit boundary size, as allowed by RFC 1521:

Encapsulation boundaries [...] must be no longer than 70 characters, not
counting the two leading hyphens.

We correctly parse payloads with boundaries of length up to
FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.

show more ...

Set SG(rfc1867_uploaded_files) to null after destroy

Closes GH-14499

Add request_parse_body() function

RFC: https://wiki.php.net/rfc/rfc1867-non-post

This function allows populating the $_POST and $_FILES globals for non-post
requests. This avoid

Add request_parse_body() function

RFC: https://wiki.php.net/rfc/rfc1867-non-post

This function allows populating the $_POST and $_FILES globals for non-post
requests. This avoids manual parsing of RFC1867 requests.

Fixes #55815
Closes GH-11472

show more ...

Fix -Wenum-int-mismatch warnings on gcc 13

Closes GH-11103

Declare main constants in stubs - part 3 (#9731)

Introduce max_multipart_body_parts INI

This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
parsed multipart body parts as currently all parts were always parsed.

Fix repeated warning for file uploads limit exceeding

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[i]
instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
familied for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
(ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.

show more ...

Use ASCII lower case for misc case folding

Use ASCII case conversion instead of locale-dependent case conversion in
the following places:

* grapheme_stripos() and grapheme_strri

Use ASCII lower case for misc case folding

Use ASCII case conversion instead of locale-dependent case conversion in
the following places:

* grapheme_stripos() and grapheme_strripos() in the "fast" path
* ldap_get_entries()
* oci_pconnect() for case folding of parameters when constructing a key
into the connection or session pool
* SoapClient: case folding of function names
* get_meta_tags(): case conversion of property names
* http stream wrapper: header names
* phpinfo(): anchor names
* php_verror(): docref URLs
* rfc1867.c: Content-Type boundary parameter name
* streams.c: stream protocol names

Using locale-dependent case folding for these cases is either
unnecessary or actively incorrect. These functions could have
misbehaved when used with certain locales (e.g. Turkish).

Closes GH-7511.

show more ...

Fix #77372: Retain full path of files for directory uploads (#6917)

To fix https://bugs.php.net/bug.php?id=77372 and improve support of `<input type="file" name="files" multiple webkitdirect

Fix #77372: Retain full path of files for directory uploads (#6917)

To fix https://bugs.php.net/bug.php?id=77372 and improve support of `<input type="file" name="files" multiple webkitdirectory>` I introduced another item to the `$_FILES` array called `full_path`, containing the full filename, as supplied by the user-agent.

Co-authored-by: Björn Tantau <bjoern@bjoern-tantau.de>

show more ...

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |

show more ...

Remove variable registration code from rfc1867

This now longer does anything -- registering a variable for a NULL
array is a no-op.

Fix spelling and grammar mistakes

This PR corrects misspellings identified by the check-spelling action.

The misspellings have been reported at jsoref@b6ba3e2#commitcomment-48946465

Fix spelling and grammar mistakes

This PR corrects misspellings identified by the check-spelling action.

The misspellings have been reported at jsoref@b6ba3e2#commitcomment-48946465

The action reports that the changes in this PR would make it happy: jsoref@602417c

Closes GH-6822.

show more ...

Fixed bug #42560

Check open_basedir after the fallback to the system's temporary
directory in tempnam().

In order to preserve the current behavior of upload_tmp_dir
(do not

Fixed bug #42560

Check open_basedir after the fallback to the system's temporary
directory in tempnam().

In order to preserve the current behavior of upload_tmp_dir
(do not check explicitly specified dir, but check fallback),
new flags are added to check open_basedir for explicit dir
and for fallback.

Closes GH-6526.

show more ...

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.

show more ...

Prefer strtoll over atoll

Both are specified by C99, but strtoll has specified overflow
behavior while atoll does not, so prefer using it.

Fix #78876: Long variables cause OOM and temp files are not cleaned

We use the proper type for size calculations, which is `size_t`.

Fix #78875: Long filenames cause OOM and temp files are not cleaned

We must not cast `size_t` to `int` (unless the `size_t` value is
guaranteed to be less than or equal to `INT_MAX`). I

Fix #78875: Long filenames cause OOM and temp files are not cleaned

We must not cast `size_t` to `int` (unless the `size_t` value is
guaranteed to be less than or equal to `INT_MAX`). In this case we can
declare `array_len` as `size_t` in the first place.

show more ...

Improve comment on RFC 1867 filename handling

It was pointed out on the internals ML[1] that the basename comment
around RFC 1867 file handling was confusing. The comment seemed to
s

Improve comment on RFC 1867 filename handling

It was pointed out on the internals ML[1] that the basename comment
around RFC 1867 file handling was confusing. The comment seemed to
say that the basename handling was only necessary because of some
esoteric bug in Windows IE. In fact that comment applied to earlier
versions of the code and was, therefore, misleading. The comment
needs to clear that basename is required per RFC 7578[2].

[1]:https://externals.io/message/108624
[2]:https://tools.ietf.org/html/rfc7578

show more ...

Fix #78880: Another bunch of spelling errors

Remove mention of PHP major version in Copyright headers

Closes GH-4732.

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly

Remove local variables

This patch removes the so called local variables defined per
file basis for certain editors to properly show tab width, and
similar settings. These are mainly used by Vim and Emacs editors
yet with recent changes the once working definitions don't work
anymore in Vim without custom plugins or additional configuration.
Neither are these settings synced across the PHP code base.

A simpler and better approach is EditorConfig and fixing code
using some code style fixing tools in the future instead.

This patch also removes the so called modelines for Vim. Modelines
allow Vim editor specifically to set some editor configuration such as
syntax highlighting, indentation style and tab width to be set in the
first line or the last 5 lines per file basis. Since the php test
files have syntax highlighting already set in most editors properly and
EditorConfig takes care of the indentation settings, this patch removes
these as well for the Vim 6.0 and newer versions.

With the removal of local variables for certain editors such as
Emacs and Vim, the footer is also probably not needed anymore when
creating extensions using ext_skel.php script.

Additionally, Vim modelines for setting php syntax and some editor
settings has been removed from some *.phpt files. All these are
mostly not relevant for phpt files neither work properly in the
middle of the file.

show more ...

Remove yearly range from copyright notice

Remove year range from copyright notice

Replace zend_hash_apply... with ZEND_HASH_FOREACH...