History log of /PHP-8.0/ (Results 1 – 25 of 99768)
Revision Date Author Comments
670052c4 09-Jan-2024 Gabriel Caruso

PHP 8.0 is EOL.

Following php/web-php#840.

269a9e18 03-Aug-2023 Ben Ramsey

PHP-8.0 is now for 8.0.31-dev

d8f2584e 31-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

NEWS

Signed-off-by: Ben Ramsey <ramsey@php.net>

62228a25 31-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Disable global state test on Windows

It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-test.
To add to the Windows trouble, libxml is statically linked in, ext/libxml can
only be built statically but ext/zend-test can be built both statically and
dynamically.
So the regression tests won't work in all possible configurations anyway on Windows.
All of this is no problem on Linux because it just uses dynamic linking
and pkg-config, without any magic.

Signed-off-by: Ben Ramsey <ramsey@php.net>

c283c3ab 15-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Sanitize libxml2 globals before parsing

Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.

Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().

80316123 10-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix buffer mismanagement in phar_dir_read()

Fixes GHSA-jqcx-ccgc-xwhv.

be71cadc 22-Jun-2023 Remi Collet

[ci skip] add CVE in NEWS

32c7c433 06-Jun-2023 Pierrick Charron

Fix wrong backporting of previous soap patch

b720ab99 06-Jun-2023 Pierrick Charron

Update NEWS

05724482 06-Jun-2023 Remi Collet

Fix GH-11382 add missing hash header for bin2hex

ac4254ad 16-Apr-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we still have a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject
a request due to a repeated (cnonce, nc) pair. As per the birthday
problem 31 bits of randomness will return a duplication with 50%
chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a
malicious server that returns a constant server nonce where the server
precomputed a rainbow table between passwords and correct client response.
As storage is fairly cheap, a server could precompute the client responses
for (a subset of) client nonces and still have a chance of reversing the
client response with the same probability as the cnonce duplication.

Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
table size by factor 2 billion, which is infeasible. But precomputing it
for 2^14 cnonces only increases the table size by factor 16k and the server
would still have a 10% chance of successfully reversing a password with a
single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php_random_bytes_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>

0e45ed77 14-Feb-2023 Gabriel Caruso

[ci skip] Next release will be 8.0.29

e86d8704 14-Feb-2023 Remi Collet

more config for new FPM tests

937b1e38 14-Feb-2023 Jakub Zelenka

Fix missing colon in NEWS

eef29d43 14-Feb-2023 Jakub Zelenka

Change NEWS for GHSA-54hq-v5wp-fqgv as it is for all SAPIs

caaaf759 14-Feb-2023 Jakub Zelenka

Fix incorrect character in NEWS

054c7b09 14-Feb-2023 Jakub Zelenka

Update NEWS

716de0cf 19-Jan-2023 Jakub Zelenka

Introduce max_multipart_body_parts INI

This fixes GHSA-54hq-v5wp-fqgv DOS vulnerability by limiting the number of
parsed multipart body parts as currently all parts were always parsed.

e45850c1 19-Jan-2023 Jakub Zelenka

Fix repeated warning for file uploads limit exceeding

b5ccaaf6 13-Feb-2023 Stanislav Malyshev

Update NEWS

ec10b28d 27-Jan-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix array overrun when appending slash to paths

Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to append
the slash. As the php_check_specific_open_basedir() simply uses the
strings to compare against each other, no new failures related to too
long paths are introduced.
We'll let the DOM and XML case handle a potentially too long path in the
library code.

af2ddc64 13-Feb-2023 Stanislav Malyshev

Update NEWS

a92acbad 23-Jan-2023 Tim Düsterhus

crypt: Fix possible buffer overread in php_crypt()

c840f715 23-Jan-2023 Tim Düsterhus

crypt: Fix validation of malformed BCrypt hashes

PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.

Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.

The PHP Hack exists since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.

No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.

255e08ac 03-Jan-2023 Gabriel Caruso

Revert "Make build work with newer OpenSSL"

This reverts commit 5f90134bb69a345c7edb5013e6461e84caa32dbc.
