Update NEWS

Sync boost/context assembly files for fibers

Fixes GH-10398

The stack was misaligned upon entering the trampoline function [1], this
causes a CPU trap when the SSE instruction i

Sync boost/context assembly files for fibers

Fixes GH-10398

The stack was misaligned upon entering the trampoline function [1], this
causes a CPU trap when the SSE instruction is executed to copy data from
the stack. This was fixed upstream [2]. This commit syncs all upstream
changes from the boost/context assembly files to our copy.

[1] https://github.com/php/php-src/pull/10407#issuecomment-1404180877
[2] https://github.com/boostorg/context/pull/219

Closes GH-10407.

show more ...

Fix GH-10385: FPM successful config test early exit

This introduces an enum `fpm_init_return_status` to propagate the status
up to fpm_main. This also makes the code clearer by not using

Fix GH-10385: FPM successful config test early exit

This introduces an enum `fpm_init_return_status` to propagate the status
up to fpm_main. This also makes the code clearer by not using magic
integer return numbers.

Closes GH-10388

show more ...

Fix GH-10315: FPM unknown child alert not valid

This changes the log level for an unknown child during wait as this is
not unuasual if FPM master has pid 1 and also possible in some case

Fix GH-10315: FPM unknown child alert not valid

This changes the log level for an unknown child during wait as this is
not unuasual if FPM master has pid 1 and also possible in some cases
for higher pid processes. Based on that and the fact that this is not
really a problem, there is just a debug level message emitted for pid 1
and for higher pid a warning is emitted.

Closes GH-10319

show more ...

Avoid crash for reset/end/next/prev() on ffi classes (#9711)

(And any PECLs returning `zend_empty_array` in the handler->get_properties
overrides)

Closes GH-9697

This i

Avoid crash for reset/end/next/prev() on ffi classes (#9711)

(And any PECLs returning `zend_empty_array` in the handler->get_properties
overrides)

Closes GH-9697

This is similar to the fix used in d9651a941915eb5fb5ad557090b65256fd8509b6
for array_walk.

This should make it safer for php-src (and PECLs, long-term) to return
the empty immutable array in `handler->get_properties` to avoid wasting memory.
See https://github.com/php/php-src/issues/9697#issuecomment-1273613175

The only possible internal iterator position for the empty array is at the end
of the empty array (nInternalPointer=0).
The `zend_hash*del*` helpers will always set nInternalPointer to 0 when an
array becomes empty,
regardless of previous insertions/deletions/updates to the array.

show more ...

Allow comments between intersection types and by-ref params

Fixes GH-10083
Closes GH-10125

Fix lineno for all constant expressions

Fixes GH-8821
Closes GH-8855

sockets updlite protocol support, with checksum coverage settings.

Close GH-10468

Fix incorrect check in phar tar parsing

The entry.flags was used to check whether the entry has the directory
flag. The flags however were masked to only contain the permissions. We

Fix incorrect check in phar tar parsing

The entry.flags was used to check whether the entry has the directory
flag. The flags however were masked to only contain the permissions. We
need to check the mode, before the permission masking, instead of the
flags to check whether it is a directory.

Closes GH-10464

Signed-off-by: George Peter Banyard <girgias@php.net>

show more ...

[ci skip] NEWS

Fix GH-10437: Set active fiber to null on bailout (#10443)

[ci skip] NEWS

[ci skip] NEWS

Fix incorrect check in zend_internal_call_should_throw()

This debug code is part of arginfo validation. This validation will
never trigger properly because the OR operation makes the fir

Fix incorrect check in zend_internal_call_should_throw()

This debug code is part of arginfo validation. This validation will
never trigger properly because the OR operation makes the first if
always true. Fix it by changing to an AND.

Closes GH-10417

Signed-off-by: George Peter Banyard <girgias@php.net>

show more ...

Fix incorrect check in cs_8559_5 in map_from_unicode()

The condition `code == 0x0450 || code == 0x045D` is always false because
of an incorrect range check on code.
According to the

Fix incorrect check in cs_8559_5 in map_from_unicode()

The condition `code == 0x0450 || code == 0x045D` is always false because
of an incorrect range check on code.
According to the BMP coverage in the encoding spec for ISO-8859-5
(https://encoding.spec.whatwg.org/iso-8859-5-bmp.html) the range of
valid characters is 0x0401 - 0x045F (except for 0x040D, 0x0450, 0x045D).
The current check has an upper bound of 0x044F instead of 0x045F.
Fix this by changing the upper bound.

Closes GH-10399

Signed-off-by: George Peter Banyard <girgias@php.net>

show more ...

Fix incorrect page_size check

The current check always evaluated to false because if `!page_size`
is true, then `page_size & (page_size - 1)` equals `0 & (0 - 1)` which
is always 0.

Fix incorrect page_size check

The current check always evaluated to false because if `!page_size`
is true, then `page_size & (page_size - 1)` equals `0 & (0 - 1)` which
is always 0. The if condition is meant to check if page_size is zero or
not a power of two, thus we must change the AND to an OR to fix this
issue.

Closes GH-10427

Signed-off-by: George Peter Banyard <girgias@php.net>

show more ...

[ci skip] NEWS (#10442)

Fix GH-10259 ReflectionClass::getStaticProperties doesn't need null return type (#10418)

random netbsd 10 update finally supporting getrandom syscall properly.

Close GH-10327.

password: Use `php_random_bytes_throw` in `php_password_make_salt` (#10393)

The CSPRNG failing should be rare nowadays, but it *might* happen and without
this patch it's hard for the use

password: Use `php_random_bytes_throw` in `php_password_make_salt` (#10393)

The CSPRNG failing should be rare nowadays, but it *might* happen and without
this patch it's hard for the user to find out why the salt generation failed:
The error message is not actionable.

This patch will automatically set the CSPRNG exception to the `$previous`
exception of the ValueError that is thrown, allowing the developer to determine
the cause of the salt generation failure.

Before:

Fatal error: Uncaught ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3

After:

Fatal error: Uncaught Random\RandomException: Cannot open /dev/urandom: No such file or directory in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}

Next ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3

show more ...

random: Do not trust arc4random_buf() on glibc (#10390)

This effectively reverts #8984.

As discussed in #10327 which will enable the use of the getrandom(2) syscall on
NetBSD in

random: Do not trust arc4random_buf() on glibc (#10390)

This effectively reverts #8984.

As discussed in #10327 which will enable the use of the getrandom(2) syscall on
NetBSD instead of relying on the userland arc4random_buf(), the CSPRNG should
prioritize security over speed [1] and history has shown that userland
implementations unavoidably fall short on the security side. In fact the glibc
implementation is a thin wrapper around the syscall due to security concerns
and thus does not provide any benefit over just calling getrandom(2) ourselves.

Even without any performance optimizations the CSPRNG should be plenty fast for
the vast majority of applications, because they often only need a few bytes of
randomness to generate a session ID. If speed is desired, the OO API offers
faster, but non-cryptographically secure engines.

show more ...

strtok warns in case the string to split was not set.

Close GH-10016.

sockets add AF_DIVERT constant.

Allow to bind a socket to a divert port without being concerned
by its address. for ipfw filter purpose (SO_USER_COOKIE constant).
FreeBSD only.

sockets add AF_DIVERT constant.

Allow to bind a socket to a divert port without being concerned
by its address. for ipfw filter purpose (SO_USER_COOKIE constant).
FreeBSD only.

Close GH-10415.

show more ...

Remove duplicated length check in exif and
remove always false condition from exif

The latter condition will never trigger because otherwise the do-while loop
wouldn't have exited.

Remove duplicated length check in exif and
remove always false condition from exif

The latter condition will never trigger because otherwise the do-while loop
wouldn't have exited.

Close GH-10402

show more ...

Fix GH-10292 make the default value of the first parame of srand() and mt_srand() nullable (#10380)

Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>