| c4c45da4 | 27-Sep-2024 |
Ilija Tovilo |
Reduce regex backtracking in phpinfo.phpt
On NixOS, the output of phpinfo() can get very large, causing us to run into the
backtracking limit. Lazy matching for .*/.+ can help reduce bac
Reduce regex backtracking in phpinfo.phpt
On NixOS, the output of phpinfo() can get very large, causing us to run into the
backtracking limit. Lazy matching for .*/.+ can help reduce backtracking.
show more ...
|
| 631bab42 | 26-Sep-2024 |
Ilija Tovilo |
[skip ci] Bump required C standard to C11
Closes GH-16078 |
| 756435a5 | 26-Sep-2024 |
Ilija Tovilo |
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
Fix failed assertion when promoting Serialize deprecation to exception
|
| 5cff4a9b | 26-Sep-2024 |
Ilija Tovilo |
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
Fix failed assertion when promoting Serialize deprecation to exception
|
| 15a0c3a9 | 18-Sep-2024 |
Ilija Tovilo |
Fix failed assertion when promoting Serialize deprecation to exception
Fixes GH-15907
Closes GH-15951 |
| d854a54b | 26-Sep-2024 |
Ben Ramsey |
Merge branch 'PHP-8.3' into PHP-8.4
|
| 6d99ccc2 | 26-Sep-2024 |
Ben Ramsey |
Merge branch 'PHP-8.2' into PHP-8.3
|
| c259c9f3 | 26-Sep-2024 |
Ben Ramsey |
Merge branch 'PHP-8.1' into PHP-8.2
|
| fcbcf2f2 | 26-Sep-2024 |
Ben Ramsey |
PHP-8.1 is now for PHP 8.1.31-dev |
| d5035a70 | 23-Sep-2024 |
Jakub Zelenka |
[skip ci] Fix typo in NEWS
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
| 4bcc7d57 | 23-Sep-2024 |
Jakub Zelenka |
Skip GHSA-9pqp-7h25-4f32 test on Windows |
| 8d87bc3e | 23-Sep-2024 |
Jakub Zelenka |
Update NEWS with security fixes info |
| 4580b8b3 | 12-Sep-2024 |
Jakub Zelenka |
Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be altered |
| c1c14c8a | 18-Jun-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GHSA-94p6-54jq-9mwp
Apache only generates REDIRECT_STATUS, so explicitly check for that
if the server name is Apache, don't allow other variable names.
Furthermore, redirect.so a
Fix GHSA-94p6-54jq-9mwp
Apache only generates REDIRECT_STATUS, so explicitly check for that
if the server name is Apache, don't allow other variable names.
Furthermore, redirect.so and Netscape no longer exist, so
remove those entries as we can't check their server name anymore.
We now also check for the configuration override *first* such that it
always take precedence. This would allow for a mitigation path if
something like this happens in the future.
show more ...
|
| 4b9cd27f | 14-Jun-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GHSA-p99j-rfp4-xqvq
It's no use trying to work around whatever the operating system and Apache
do because we'll be fighting that until eternity.
Change the skip_getopt condition
Fix GHSA-p99j-rfp4-xqvq
It's no use trying to work around whatever the operating system and Apache
do because we'll be fighting that until eternity.
Change the skip_getopt condition such that when we're running in
CGI or FastCGI mode we always skip the argument parsing.
This is a BC break, but this seems to be the only way to get rid of this
class of issues.
show more ...
|
| d65a1e6f | 09-Sep-2024 |
Arnaud Le Blanc |
Fix GHSA-9pqp-7h25-4f32
multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.
Limit boundary size, as allowed by
Fix GHSA-9pqp-7h25-4f32
multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.
Limit boundary size, as allowed by RFC 1521:
Encapsulation boundaries [...] must be no longer than 70 characters, not
counting the two leading hyphens.
We correctly parse payloads with boundaries of length up to
FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.
show more ...
|
| a37a3d3d | 26-Sep-2024 |
Dmitry Stogov |
Fix FFI prototypes (these functions can't return NULL) (#16075) |
| c7bc91cf | 26-Sep-2024 |
Ilija Tovilo |
[skip ci] Mark one more curl test as xleak |
| 05fce50f | 26-Sep-2024 |
Christoph M. Becker |
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
Fix GH-15905: Assertion failure for TRACK_VARS_SERVER
|
| bf8c01db | 26-Sep-2024 |
Christoph M. Becker |
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
Fix GH-15905: Assertion failure for TRACK_VARS_SERVER
|
| 87d59d7f | 16-Sep-2024 |
Christoph M. Becker |
Fix GH-15905: Assertion failure for TRACK_VARS_SERVER
When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empt
Fix GH-15905: Assertion failure for TRACK_VARS_SERVER
When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empty array
with refcount > 1. Since this hash table may later be modified, a flag
is set which allows such COW violations for assertions. However, when
`register_argc_argv` is on, the so far uninitialized hash table is
updated with `argv`, what causes the hash table to be initialized, what
drops the allow-COW-violations flag. The following update with `argc`
then triggers a refcount violation assertion.
Since we consider `HT_ALLOW_COW_VIOLATION` a hack, we do not want to
keep the flag during hash table initialization, so we initialize the
hash table right away after creation for this code path.
Closes GH-15930.
show more ...
|
| 6f7ec6a7 | 26-Sep-2024 |
Ilija Tovilo |
Remove now unused llvm installation in asan build |
| b14d440a | 26-Sep-2024 |
Ilija Tovilo |
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
Switch asan build to Ubuntu 24.04
|
| 91c06790 | 25-Sep-2024 |
Ilija Tovilo |
Switch asan build to Ubuntu 24.04
Closes GH-16065 |
| 271b9e68 | 25-Sep-2024 |
Ilija Tovilo |
Fix missing libavif-dev in asan nightly
Asan still runs on Ubuntu 20.04, which doesn't contain the libavif-dev package.
Closes GH-16049 |
