670052c4 | 09-Jan-2024 |
Gabriel Caruso |
PHP 8.0 is EOL. Following php/web-php#840. |
269a9e18 | 03-Aug-2023 |
Ben Ramsey |
PHP-8.0 is now for 8.0.31-dev |
d8f2584e | 31-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
NEWS Signed-off-by: Ben Ramsey <ramsey@php.net> |
62228a25 | 31-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Disable global state test on Windows It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include path to libxml into the search path. That doesn't happen in zend-te
Disable global state test on Windows It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include path to libxml into the search path. That doesn't happen in zend-test. To add to the Windows trouble, libxml is statically linked in, ext/libxml can only be built statically but ext/zend-test can be built both statically and dynamically. So the regression tests won't work in all possible configurations anyway on Windows. All of this is no problem on Linux because it just uses dynamic linking and pkg-config, without any magic. Signed-off-by: Ben Ramsey <ramsey@php.net>
show more ...
|
c283c3ab | 15-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Sanitize libxml2 globals before parsing Fixes GHSA-3qrf-m4j2-pcrr. To parse a document with libxml2, you first need to create a parsing context. The parsing context contains par
Sanitize libxml2 globals before parsing Fixes GHSA-3qrf-m4j2-pcrr. To parse a document with libxml2, you first need to create a parsing context. The parsing context contains parsing options (e.g. XML_NOENT to substitute entities) that the application (in this case PHP) can set. Unfortunately, libxml2 also supports providing default set options. For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT option will be added to the parsing options every time you create a parsing context **even if the application never requested XML_NOENT**. Third party extensions can override these globals, in particular the substitute entity global. This causes entity substitution to be unexpectedly active. Fix it by setting the parsing options to a sane known value. For API calls that depend on global state we introduce PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS(). For other APIs that work directly with a context we introduce php_libxml_sanitize_parse_ctxt_options().
show more ...
|
80316123 | 10-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix buffer mismanagement in phar_dir_read() Fixes GHSA-jqcx-ccgc-xwhv. |
be71cadc | 22-Jun-2023 |
Remi Collet |
[ci skip] add CVE in NEWS |
32c7c433 | 06-Jun-2023 |
Pierrick Charron |
Fix wrong backporting of previous soap patch |
b720ab99 | 06-Jun-2023 |
Pierrick Charron |
Update NEWS |
05724482 | 06-Jun-2023 |
Remi Collet |
Fix GH-11382 add missing hash header for bin2hex |
ac4254ad | 16-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest If php_random_bytes_throw fails, the nonce will be uninitialized, but still sent to the server. The client
Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest If php_random_bytes_throw fails, the nonce will be uninitialized, but still sent to the server. The client nonce is intended to protect against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], and bullet point 2 below. Tim pointed out that even though it's the MD5 of the nonce that gets sent, enumerating 31 bits is trivial. So we have still a stack information leak of 31 bits. Furthermore, Tim found the following issues: * The small size of cnonce might cause the server to erroneously reject a request due to a repeated (cnonce, nc) pair. As per the birthday problem 31 bits of randomness will return a duplication with 50% chance after less than 55000 requests and nc always starts counting at 1. * The cnonce is intended to protect the client and password against a malicious server that returns a constant server nonce where the server precomputed a rainbow table between passwords and correct client response. As storage is fairly cheap, a server could precompute the client responses for (a subset of) client nonces and still have a chance of reversing the client response with the same probability as the cnonce duplication. Precomputing the rainbow table for all 2^31 cnonces increases the rainbow table size by factor 2 billion, which is infeasible. But precomputing it for 2^14 cnonces only increases the table size by factor 16k and the server would still have a 10% chance of successfully reversing a password with a single client request. This patch fixes the issues by increasing the nonce size, and checking the return value of php_random_bytes_throw(). In the process we also get rid of the MD5 hashing of the nonce. [1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 Co-authored-by: Tim Düsterhus <timwolla@php.net>
show more ...
|
0e45ed77 | 14-Feb-2023 |
Gabriel Caruso |
[ci skip] Next release will be 8.0.29 |
e86d8704 | 14-Feb-2023 |
Remi Collet |
more config for new FPM tests |
937b1e38 | 14-Feb-2023 |
Jakub Zelenka |
Fix missing colon in NEWS |
eef29d43 | 14-Feb-2023 |
Jakub Zelenka |
Change NEWS for GHSA-54hq-v5wp-fqgv as it is for all SAPIs |
caaaf759 | 14-Feb-2023 |
Jakub Zelenka |
Fix incorrect character in NEWS |
054c7b09 | 14-Feb-2023 |
Jakub Zelenka |
Update NEWS |
716de0cf | 19-Jan-2023 |
Jakub Zelenka |
Introduce max_multipart_body_parts INI This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of parsed multipart body parts as currently all parts were always parsed. |
e45850c1 | 19-Jan-2023 |
Jakub Zelenka |
Fix repeated warning for file uploads limit exceeding |
b5ccaaf6 | 13-Feb-2023 |
Stanislav Malyshev |
Update NEWS |
ec10b28d | 27-Jan-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix array overrun when appending slash to paths Fix it by extending the array sizes by one character. As the input is limited to the maximum path length, there will always be place to ap
Fix array overrun when appending slash to paths Fix it by extending the array sizes by one character. As the input is limited to the maximum path length, there will always be place to append the slash. As the php_check_specific_open_basedir() simply uses the strings to compare against each other, no new failures related to too long paths are introduced. We'll let the DOM and XML case handle a potentially too long path in the library code.
show more ...
|
af2ddc64 | 13-Feb-2023 |
Stanislav Malyshev |
Update NEWS |
a92acbad | 23-Jan-2023 |
Tim Düsterhus |
crypt: Fix possible buffer overread in php_crypt() |
c840f715 | 23-Jan-2023 |
Tim Düsterhus |
crypt: Fix validation of malformed BCrypt hashes PHP’s implementation of crypt_blowfish differs from the upstream Openwall version by adding a “PHP Hack”, which allows one to cut short t
crypt: Fix validation of malformed BCrypt hashes PHP’s implementation of crypt_blowfish differs from the upstream Openwall version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt by including a `$` character within the characters that represent the salt. Hashes that are affected by the “PHP Hack” may erroneously validate any password as valid when used with `password_verify` and when comparing the return value of `crypt()` against the input. The PHP Hack exists since the first version of PHP’s own crypt_blowfish implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5. No clear reason is given for the PHP Hack’s existence. This commit removes it, because BCrypt hashes containing a `$` character in their salt are not valid BCrypt hashes.
show more ...
|
255e08ac | 03-Jan-2023 |
Gabriel Caruso |
Revert "Make build work with newer OpenSSL" This reverts commit 5f90134bb69a345c7edb5013e6461e84caa32dbc. |