History log of /PHP-8.4/NEWS (Results 151 – 175 of 14193)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 63e1ebe7 01-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames()

A namespace without a prefix is by definition always the "xmlns"
namespace.

Closes GH-16155.


# f8b925b6 30-Sep-2024 Gina Peter Banyard

NEWS entries for LDAP bug fixes


# a551b99b 25-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-15168: stack overflow in json_encode()

The JSON encoder is recursive, and it's far from easy to make it
iterative. Add a cheap stack limit check to prevent a segfault.
This us

Fix GH-15168: stack overflow in json_encode()

The JSON encoder is recursive, and it's far from easy to make it
iterative. Add a cheap stack limit check to prevent a segfault.
This uses the PHP_JSON_ERROR_DEPTH error code that already talks about
the stack depth. Previously this was only used for the $depth argument.

Closes GH-16059.

show more ...


# 332b067c 17-Sep-2024 David Carlier

Fix GH-15937: stream timeout option overflow.

close GH-15942


# a1cc0918 30-Sep-2024 Tim Düsterhus

reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures (#16129)

* reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inN

reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures (#16129)

* reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures

Fixes GH-16122

* reflection: Clean up implementation of `ReflectionFunctionAbstract::inNamespace()`

* reflection: Clean up implementation of `ReflectionFunctionAbstract::getNamespaceName()`

show more ...


# 19bba837 28-Sep-2024 Gina Peter Banyard

ext/ldap: Fix GH-16101 (Segfaults in php_ldap_do_search() when LDAPs is not a list)

Closes GH-16102


# dce0d976 25-Sep-2024 Jakub Zelenka

Fix stub for openssl_csr_new


# 706bcdbc 18-Sep-2024 Ilija Tovilo

Fix printing backtrace of fake generator frame

Fixes GH-15851
Closes GH-15952


# 15a0c3a9 18-Sep-2024 Ilija Tovilo

Fix failed assertion when promoting Serialize deprecation to exception

Fixes GH-15907
Closes GH-15951


# fcbcf2f2 26-Sep-2024 Ben Ramsey

PHP-8.1 is now for PHP 8.1.31-dev


# d5035a70 23-Sep-2024 Jakub Zelenka

[skip ci] Fix typo in NEWS

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>


# 8d87bc3e 23-Sep-2024 Jakub Zelenka

Update NEWS with security fixes info


# 87d59d7f 16-Sep-2024 Christoph M. Becker

Fix GH-15905: Assertion failure for TRACK_VARS_SERVER

When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empt

Fix GH-15905: Assertion failure for TRACK_VARS_SERVER

When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empty array
with refcount > 1. Since this hash table may later be modified, a flag
is set which allows such COW violations for assertions. However, when
`register_argc_argv` is on, the so far uninitialized hash table is
updated with `argv`, what causes the hash table to be initialized, what
drops the allow-COW-violations flag. The following update with `argc`
then triggers a refcount violation assertion.

Since we consider `HT_ALLOW_COW_VIOLATION` a hack, we do not want to
keep the flag during hash table initialization, so we initialize the
hash table right away after creation for this code path.

Closes GH-15930.

show more ...


# f4c45ee3 25-Sep-2024 Gina Peter Banyard

ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch())

We check that the "attrib" and "modtype" keys are present in each array.
If not we throw a ValueErro

ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch())

We check that the "attrib" and "modtype" keys are present in each array.
If not we throw a ValueError, in line with what other validation failure cases do.

Closes GH-16057

show more ...


# 12844f96 25-Sep-2024 Ilija Tovilo

Fix use-after-free of object released in hook

Fixes GH-16040
Closes GH-16058


# fdd6ba62 25-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding

zend_array_dup_ht_iterators() loops over the hash table iterators and
can call zend_hash_iterator_add

Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding

zend_array_dup_ht_iterators() loops over the hash table iterators and
can call zend_hash_iterator_add(). zend_hash_iterator_add() can resize
the array causing a crash in zend_array_dup_ht_iterators().

We solve this by refetching the iter pointer after an add happened.

Closes GH-16060.

show more ...


# 043b9e1f 25-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16039: Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c

dom_object_get_node() can fail if we don't have a user object
associated.

Closes GH-16056.


# daba40c6 23-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16009: Segmentation fault with frameless functions and undefined CVs

The frameless function handlers do not update the op variables when
handling the result is undefined. In this

Fix GH-16009: Segmentation fault with frameless functions and undefined CVs

The frameless function handlers do not update the op variables when
handling the result is undefined. In this case this causes propagating
an UNDEF value into a temporary, which results in an extra undefined
variable warning for a temporary in this case.

The original issue also reports a crash in some cases, which is also
fixed by this patch.

Closes GH-16012.

show more ...


# 47451776 24-Sep-2024 Saki Takamachi

[skip ci] Prepare NEWS for PHP 8.4.0RC2


# c5b258fe 24-Sep-2024 Saki Takamachi <34942839+SakiTakamachi@users.noreply.github.com>

Fix GH-15968: Avoid converting objects to strings in operator calculations. (#16021)


# 654b787e 24-Sep-2024 Bob Weinand

Add API to exempt function from being traced in JIT (#15559)

Internally accessible via zend_jit_blacklist_function / externally via opcache_jit_blacklist.
The functionality currently onl

Add API to exempt function from being traced in JIT (#15559)

Internally accessible via zend_jit_blacklist_function / externally via opcache_jit_blacklist.
The functionality currently only affects tracing JIT, but may be extended to other JIT modes in future.

show more ...


# f35ad560 03-Feb-2024 David Carlier

GH-12940 ext/pdo_pgsql: using PQclosePrepared to free statement resources.

PQclosePrepared allows the statement's name to be reused thus allowing
cache solutions to work properly ; where

GH-12940 ext/pdo_pgsql: using PQclosePrepared to free statement resources.

PQclosePrepared allows the statement's name to be reused thus allowing
cache solutions to work properly ; whereas, for now, the `DEALLOCATE
<statement>` query is used which free entirely the statement's resources.

close GH-13316

show more ...


# 81916758 23-Sep-2024 Christoph M. Becker

Fix GH-15980: Signed integer overflow in main/streams/streams.c

We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX`

Fix GH-15980: Signed integer overflow in main/streams/streams.c

We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX` (which is also the
largest value of `zend_off_t` on all platforms). Of course, that seek
may fail, but even if it succeeds, the stream is no longer readable,
but that matches the current behavior for offsets near `ZEND_LONG_MAX`.

Closes GH-15989.

show more ...


# ba748e7b 24-Sep-2024 Ayesh Karunaratne

ext/curl: Add `CURLOPT_DEBUGFUNCTION` option (GH-15674)

This adds support for `CURLOPT_DEBUGFUNCTION`[^1] Curl option to set a
custom callback that gets called with debug information dur

ext/curl: Add `CURLOPT_DEBUGFUNCTION` option (GH-15674)

This adds support for `CURLOPT_DEBUGFUNCTION`[^1] Curl option to set a
custom callback that gets called with debug information during the
lifetime of a Curl request.

The callback gets called with the `CurlHandle` object, an integer
containing the type of the debug message, and a string containing the
debug message. The callback may get called multiple times with the
same message type during a request.

PHP already uses `CURLOPT_DEBUGFUNCTION` functionality to internally
to expose a Curl option named `CURLINFO_HEADER_OUT`.

However,`CURLINFO_HEADER_OUT` is not a "real" Curl option supported
by libcurl. Back in 2006, `CURLINFO_HEADER_OUT` was added[^2] as
a Curl option by using the debug-callback feature. Git history does
not run that back to show why `CURLINFO_HEADER_OUT` was added as a
Curl option, and why the other debug types (such as
`CURLINFO_HEADER_IN` were not added as Curl options, but this seems
to be a historical artifact when we added features without trying
to be close to libcurl options.

This approach has a few issues:

1. `CURLINFO_HEADER_OUT` is not an actual Curl option supported by
upstream libcurl.

2. All of the Curl options have `CURLOPT_` prefix, and `CURLINFO_HEADER_OUT`
is the only Curl "option" that uses the `CURLINFO` prefix. This exception
is, however, noted[^3] in docs.

3. When `CURLINFO_HEADER_OUT` is set, the `CURLOPT_VERBOSE` is also implicitly
set. This was reported[^4] to bugs.php.net, but the bug is marked as wontfix.

This commit adds support for `CURLOPT_DEBUGFUNCTION`. It extends the existing
`curl_debug` callback to store the header-in information if it encounters
a debug message with `CURLINFO_HEADER_OUT`. In all cases, if a callable
is set, it gets called.

`CURLOPT_DEBUGFUNCTION` intends to replace `CURLINFO_HEADER_OUT` Curl
option as a versatile alternative that can also be used to extract
other debug information such as SSL data, text information messages,
incoming headers, as well as headers sent out (which `CURLINFO_HEADER_OUT`
makes available).

The callables are allowed to throw exceptions, but the return values are
ignored.

`CURLOPT_DEBUGFUNCTION` requires `CURLOPT_VERBOSE` enabled, and setting
`CURLOPT_DEBUGFUNCTION` does _not_ implicitly enable `CURLOPT_VERBOSE`.

If the `CURLOPT_DEBUGFUNCTION` option is set, setting `CURLINFO_HEADER_OUT`
throws a `ValueError` exception. Setting `CURLOPT_DEBUGFUNCTION` _after_
enabling `CURLINFO_HEADER_OUT` is allowed. Technically, it is possible
for both functionality (calling user-provided callback _and_ storing
header-out data) is possible, setting `CURLINFO_HEADER_OUT` is not
allowed to encourage the use of `CURLOPT_DEBUGFUNCTION` function.

This commit also adds the rest of the `CURLINFO_` constants used as
the `type` integer value in `CURLOPT_DEBUGFUNCTION` callback.

---

[^1]: [cur.se - CURLOPT_DEBUGFUNCTION](https://curl.se/libcurl/c/CURLOPT_DEBUGFUNCTION.html)
[^2]: [`5f25d80`](https://github.com/php/php-src/commit/5f25d80d106004692dacb9c01cdc49c7c883a13a)
[^3]: [curl_setopt doc mentioning `CURLINFO_` prefix is intentional](https://www.php.net/manual/en/function.curl-setopt.php#:~:text=prefix%20is%20intentional)
[^4]: [bugs.php.net - `CURLOPT_VERBOSE` does not work with `CURLINFO_HEADER_OUT`](https://bugs.php.net/bug.php?id=65348)

show more ...


# ee95ee72 22-Sep-2024 Christoph M. Becker

Revert "Fix GH-15980: Signed integer overflow in main/streams/streams.c"

This reverts commit 6a04c79e41bcdb8f8a62270b7d25f82698b9c5f0, since the
new test case apparently fails on 64bit L

Revert "Fix GH-15980: Signed integer overflow in main/streams/streams.c"

This reverts commit 6a04c79e41bcdb8f8a62270b7d25f82698b9c5f0, since the
new test case apparently fails on 64bit Linux, so this needs closer
investigation.

show more ...


12345678910>>...568