#
dce5e561 |
| 31-Jan-2022 |
Christoph M. Becker |
Fix #81708: UAF due to php_filter_float() failing for ints

We must only release the zval, if we actually assign a new zval.
|
#
288c25f7 |
| 20-Sep-2021 |
Christoph M. Becker |
Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing

It makes no sense to compare IPv6 address ranges as strings; there are too many different representation possibilities. Instead, we change `_php_filter_validate_ipv6()` so that it can calculate the IP address as integer array. We do not rely on `inet_pton()` which may not be available everywhere, at least IPv6 support may not, but rather parse the IP address manually. Finally, we compare the integers.

Note that this patch does not fix what we consider as reserved and private, respectively, but merely tries to keep what we had so far.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Closes GH-7476.
|
#
7bab67c2 |
| 28-Jun-2021 |
Stanislav Malyshev |
Fix warning

(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)
|
#
a5538c62 |
| 14-Jun-2021 |
Christoph M. Becker |
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that.
|
#
4a89e726 |
| 19-Jan-2021 |
Christoph M. Becker |
Alternative fix for bug 77423

That bug report originally was about `parse_url()` misbehaving, but the security aspect was actually only regarding `FILTER_VALIDATE_URL`. Since the changes to `parse_url_ex()` apparently affect userland code which is relying on the sloppy URL parsing[1], this alternative restores the old parsing behavior, but ensures that the userinfo is checked for correctness for `FILTER_VALIDATE_URL`.

[1] <https://github.com/php/php-src/commit/5174de7cd33c3d4fa591c9c93859ff9989b07e8c#commitcomment-45967652>
|
Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3, php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1, php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1, php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2, php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30, php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5, php-7.2.18RC1, php-7.3.5RC1, php-7.2.17, php-7.3.4, php-7.1.28 |
|
#
07df6594 |
| 29-Mar-2019 |
Florian Berberich |
Added range options to the float validation filter

php_filter_int (called via the constant FILTER_VALIDATE_INT) has the options min_range and max_range. They allow the user to not only test if a value is a double but also if the value is inside a specific range. php_filter_float (called via the constant FILTER_VALIDATE_FLOAT) didn't provide this yet, making validation of numeric but not-only-int values more complicated for the user. This commit implements the options min_range and max_range for the function php_filter_float to fix this inconsistency.
|
Revision tags: php-7.3.4RC1, php-7.2.17RC1, php-7.1.27, php-7.3.3, php-7.2.16, php-7.3.3RC1, php-7.2.16RC1, php-7.2.15, php-7.3.2, php-7.2.15RC1 |
|
#
92ac598a |
| 22-Jan-2019 |
Peter Kokot |
Remove local variables

This patch removes the so called local variables defined per file basis for certain editors to properly show tab width, and similar settings. These are mainly used by Vim and Emacs editors yet with recent changes the once working definitions don't work anymore in Vim without custom plugins or additional configuration. Neither are these settings synced across the PHP code base. A simpler and better approach is EditorConfig and fixing code using some code style fixing tools in the future instead.

This patch also removes the so called modelines for Vim. Modelines allow Vim editor specifically to set some editor configuration such as syntax highlighting, indentation style and tab width to be set in the first line or the last 5 lines per file basis. Since the php test files have syntax highlighting already set in most editors properly and EditorConfig takes care of the indentation settings, this patch removes these as well for the Vim 6.0 and newer versions.

With the removal of local variables for certain editors such as Emacs and Vim, the footer is also probably not needed anymore when creating extensions using ext_skel.php script.

Additionally, Vim modelines for setting php syntax and some editor settings have been removed from some *.phpt files. All these are mostly not relevant for phpt files, nor do they work properly in the middle of the file.
|
#
0cf7de1c |
| 30-Jan-2019 |
Zeev Suraski |
Remove yearly range from copyright notice
|
Revision tags: php-7.3.2RC1, php-5.6.40, php-7.1.26, php-7.3.1, php-7.2.14 |
|
#
27e9c05e |
| 26-Dec-2018 |
Nikita Popov |
Remove preg_options param from pcre_get_compiled_regex()

This parameter is always zero and not necessary to call pcre2_match. I'm leaving the parameter behind on the _ex() variant, so the preg_flags are still accessible in some way.
|
Revision tags: php-7.2.14RC1, php-7.3.1RC1, php-5.6.39, php-7.1.25, php-7.2.13, php-7.0.33, php-7.3.0, php-7.1.25RC1, php-7.2.13RC1, php-7.3.0RC6, php-7.1.24, php-7.2.12, php-7.3.0RC5, php-7.1.24RC1, php-7.2.12RC1, php-7.3.0RC4 |
|
#
bfaba831 |
| 11-Oct-2018 |
Nikita Popov |
Remove HASH_OF uses in ext/filter

It turns out that all of these places ultimately only accept arrays, not objects, so we can use Z_ARRVAL_P everywhere. Also add _deref in a few places where the hash lookup result is directly type-checked.
|
Revision tags: php-7.1.23, php-7.2.11, php-7.3.0RC3, php-7.1.23RC1, php-7.2.11RC1, php-7.3.0RC2, php-5.6.38, php-7.1.22, php-7.3.0RC1, php-7.2.10, php-7.0.32, php-7.1.22RC1, php-7.3.0beta3, php-7.2.10RC1, php-7.1.21, php-7.2.9, php-7.3.0beta2, php-7.1.21RC1, php-7.3.0beta1, php-7.2.9RC1 |
|
#
a5e80b22 |
| 25-Jul-2018 |
Peter Kokot |
Fix typos in code comments
|
Revision tags: php-5.6.37, php-7.1.20, php-7.3.0alpha4, php-7.0.31, php-7.2.8, php-7.1.20RC1, php-7.2.8RC1, php-7.3.0alpha3 |
|
#
8d3f8ca1 |
| 03-Jul-2018 |
Peter Kokot |
Remove unused Git attributes ident

The $Id$ keywords were used in Subversion where they can be substituted with filename, last revision number change, last changed date, and last user who changed it. In Git this functionality is different and can be done with Git attribute ident. These need to be defined manually for each file in the .gitattributes file and are afterwards replaced with 40-character hexadecimal blob object name which is based only on the particular file contents.

This patch simplifies handling of $Id$ keywords by removing them since they are not used anymore.
|
#
c0407d95 |
| 16-Jul-2018 |
Christoph M. Becker |
Deprecate explicit use of FILTER_FLAG_SCHEME|HOST_REQUIRED

As of PHP 5.2.1 FILTER_VALIDATE_URL implies FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED, which makes these constants useless at best, if not even misleading. Therefore we deprecate the explicit use of these constants for FILTER_VALIDATE_URL, to pave the way for their eventual removal.

See <https://wiki.php.net/rfc/deprecations_php_7_3#filter_flag_scheme_required_and_filter_flag_host_required>.
|
Revision tags: php-7.3.0alpha2, php-7.1.19, php-7.2.7, php-7.1.19RC1, php-7.3.0alpha1, php-7.2.7RC1 |
|
#
5eb1f92f |
| 28-May-2018 |
Dmitry Stogov |
Use zend_string_release_ex() instead of zend_string_release() in places, where we are sure about string persistence.
|
Revision tags: php-7.1.18, php-7.2.6, php-7.2.6RC1, php-7.1.18RC1, php-5.6.36, php-7.2.5, php-7.1.17, php-7.0.30, php-7.1.17RC1, php-7.2.5RC1, php-5.6.35, php-7.0.29, php-7.2.4, php-7.1.16, php-7.1.16RC1, php-7.2.4RC1 |
|
#
aed1e358 |
| 11-Mar-2018 |
Christoph M. Becker |
Implement #51368: php_filter_float does not allow custom thousand separators

A set of hard-coded thousand separator characters (presently, `',.`) is somewhat limited (users may prefer other separators, such as spaces or underscores), as well as somewhat too liberal (arbitrary combinations of different thousand separators are presently possible).

Therefore we introduce a `thousand` option analogous to `decimal`, which allows to define the desired thousand separators as non-empty string, defaulting to `',.`. While we easily could support empty strings here as well, that would not make much sense, since this behavior can more easily be accomplished by not setting the `FILTER_FLAG_ALLOW_THOUSAND` flag in the first place.
|
Revision tags: php-7.1.15, php-5.6.34, php-7.2.3, php-7.0.28, php-7.2.3RC1, php-7.1.15RC1, php-7.1.14, php-7.2.2, php-7.1.14RC1, php-7.2.2RC1, php-7.1.13, php-5.6.33, php-7.2.1, php-7.0.27 |
|
#
a6519d05 |
| 02-Jan-2018 |
Xinchen Hui |
year++
|
#
7a7ec01a |
| 02-Jan-2018 |
Xinchen Hui |
year++
|
#
ccd4716e |
| 02-Jan-2018 |
Xinchen Hui |
year++
|
Revision tags: php-7.2.1RC1, php-7.1.13RC1, php-7.0.27RC1, php-7.2.0, php-7.1.12, php-7.0.26 |
|
#
20d930d8 |
| 14-Nov-2017 |
Anatol Belski |
Fix remaining signedness warnings
|
Revision tags: php-7.1.12RC1, php-7.2.0RC6, php-7.0.26RC1, php-7.1.11, php-5.6.32, php-7.2.0RC5, php-7.0.25 |
|
#
a5bc5aed |
| 12-Oct-2017 |
Anatol Belski |
Patch core for PCRE2 support

RFC https://wiki.php.net/rfc/pcre2-migration
|
Revision tags: php-7.1.11RC1, php-7.2.0RC4, php-7.0.25RC1, php-7.1.10, php-7.2.0RC3, php-7.0.24, php-7.2.0RC2, php-7.1.10RC1, php-7.0.24RC1, php-7.1.9, php-7.2.0RC1, php-7.0.23, php-7.1.9RC1, php-7.2.0beta3, php-7.0.23RC1 |
|
#
513b0093 |
| 06-Aug-2017 |
Xinchen Hui |
Refactor php_url struct to save memory dup in common cases
|
Revision tags: php-7.1.8, php-7.2.0beta2, php-7.0.22, php-7.1.8RC1, php-7.2.0beta1, php-7.0.22RC1, php-5.6.31, php-7.0.21, php-7.1.7, php-7.2.0alpha3, php-7.1.7RC1, php-7.0.21RC1, php-7.2.0alpha2 |
|
#
40ecad34 |
| 19-Jun-2017 |
Dmitry Stogov |
Fixed wrong usage of old ZPP API.
|
Revision tags: php-7.1.6, php-7.2.0alpha1, php-7.0.20, php-7.1.6RC1, php-7.0.20RC1, php-7.1.5, php-7.0.19, php-7.0.19RC1, php-7.1.5RC1, php-7.1.4, php-7.0.18, php-7.1.4RC1, php-7.0.18RC1, php-7.1.3, php-7.0.17, php-7.1.3RC1, php-7.0.17RC1, php-7.1.2, php-7.0.16, php-7.0.16RC1, php-7.1.2RC1, php-5.6.30, php-7.0.15, php-5.6.30RC1, php-7.1.1RC1, php-7.0.15RC1 |
|
#
dac6c639 |
| 04-Jan-2017 |
Sammy Kaye Powers |
Update copyright headers to 2017
|
#
478f119a |
| 04-Jan-2017 |
Sammy Kaye Powers |
Update copyright headers to 2017
|
#
9e29f841 |
| 02-Jan-2017 |
Sammy Kaye Powers |
Update copyright headers to 2017
|