[ci skip] NEWS for GH-16004

[ci skip] NEWS for GH-16026

Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c

Unfortunately, old DOM allows attributes to be used as parent nodes.
Only text nodes and entities are allowed as children for

Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c

Unfortunately, old DOM allows attributes to be used as parent nodes.
Only text nodes and entities are allowed as children for these types of
nodes, because that's the constraint DOM and libxml give us.

Closes GH-16156.

show more ...

Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames()

A namespace without a prefix is by definition always the "xmlns"
namespace.

Closes GH-16155.

ext/pgsql: pgsql_copy_from to support iterable.

inspired from the Pdo\Pgsql new feature GH-15893.

close GH-16124

NEWS entries for LDAP bug fixes

Fix GH-15168: stack overflow in json_encode()

The JSON encoder is recursive, and it's far from easy to make it
iterative. Add a cheap stack limit check to prevent a segfault.
This us

Fix GH-15168: stack overflow in json_encode()

The JSON encoder is recursive, and it's far from easy to make it
iterative. Add a cheap stack limit check to prevent a segfault.
This uses the PHP_JSON_ERROR_DEPTH error code that already talks about
the stack depth. Previously this was only used for the $depth argument.

Closes GH-16059.

show more ...

Implement request #30622: make $namespace parameter functional

This parameter never actually did anything and was forgotten about.
We solve this by detecting when we have a $namespace ar

Implement request #30622: make $namespace parameter functional

This parameter never actually did anything and was forgotten about.
We solve this by detecting when we have a $namespace argument
(that won't conflict with the name argument) and creating a Clark
notation name out of it.

Closes GH-16123.

show more ...

Optimize in-memory XMLWriter

We're currently using a libxml buffer, which requires copying the buffer
to zend_strings every time we want to output the string. Furthermore,
its use of

Optimize in-memory XMLWriter

We're currently using a libxml buffer, which requires copying the buffer
to zend_strings every time we want to output the string. Furthermore,
its use of the system allocator instead of ZendMM makes it not count
towards the memory_limit and hinders performance.

This patch adds a custom writer such that the strings are written to a
smart_str instance, using ZendMM for improved performance, and giving
the ability to not copy the string in the common case where flush has
empty set to true.

Closes GH-16120.

show more ...

Fix #49169: SoapServer calls wrong function, although "SOAP action" header is correct

Although the original reproducer no longer exists, I was able to cook up
something similar.
The

Fix #49169: SoapServer calls wrong function, although "SOAP action" header is correct

Although the original reproducer no longer exists, I was able to cook up
something similar.
The problem is that there are two ways ext-soap currently looks up
functions:
1) By matching the exact function name; but this doesn't work if the
function name is not in the body.
2) By matching the parameter names.

Neither of these work when we don't have the function name in the body,
and when the parameter names are not unique. That's where we can use the
"SOAPAction" header to distinguish between different actions. This header
should be checked first and be matched against the "soapAction"
attribute in the WSDL. We keep the existing fallbacks such that the
chance of a BC break is minimized.
Note that since #49169 a potential target namespace is ignored right
now.

Closes GH-15970.

show more ...

Fix GH-15937: stream timeout option overflow.

close GH-15942

reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures (#16129)

* reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inN

reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures (#16129)

* reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures

Fixes GH-16122

* reflection: Clean up implementation of `ReflectionFunctionAbstract::inNamespace()`

* reflection: Clean up implementation of `ReflectionFunctionAbstract::getNamespaceName()`

show more ...

ext/pgsql: adding pg_close_stmt.

up to postgresql 17, when done with a prepared statement, we could
release it with DEALLOCATE sql command which is fine ; until we want
to implement

ext/pgsql: adding pg_close_stmt.

up to postgresql 17, when done with a prepared statement, we could
release it with DEALLOCATE sql command which is fine ; until we want
to implement a cache solution based on statement ids.

Since PostgreSQL 17, PQclosePrepared uses internally the `close` protocol
allowing to reuse the statement name while still freeing it.
Since the close protocol implementation had been added on libpq within
this release, no way to reimplement it.

close GH-14584

show more ...

Fix / implement GH-15287: add a lazy fetch to Pdo\PgSql

Make Pdo\PgSql accept Pdo::setAttribute(PDO::ATTR_PREFETCH, 0) to enter libpq's single row mode.
This avoids storing the whole res

Fix / implement GH-15287: add a lazy fetch to Pdo\PgSql

Make Pdo\PgSql accept Pdo::setAttribute(PDO::ATTR_PREFETCH, 0) to enter libpq's single row mode.
This avoids storing the whole result set in memory before being able to call the first fetch().

close GH-15750

show more ...

ext/ldap: Fix GH-16101 (Segfaults in php_ldap_do_search() when LDAPs is not a list)

Closes GH-16102

Fix stub for openssl_csr_new

ext/random: haiku supports arc4random api too.

close GH-16095

ext/pdo_pgsql: Expanding COPY input from an array to an iterable

close GH-15893

Fix printing backtrace of fake generator frame

Fixes GH-15851
Closes GH-15952

Fix failed assertion when promoting Serialize deprecation to exception

Fixes GH-15907
Closes GH-15951

PHP-8.1 is now for PHP 8.1.31-dev

[skip ci] Fix typo in NEWS

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Update NEWS with security fixes info

Fix GH-15905: Assertion failure for TRACK_VARS_SERVER

When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empt

Fix GH-15905: Assertion failure for TRACK_VARS_SERVER

When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empty array
with refcount > 1. Since this hash table may later be modified, a flag
is set which allows such COW violations for assertions. However, when
`register_argc_argv` is on, the so far uninitialized hash table is
updated with `argv`, what causes the hash table to be initialized, what
drops the allow-COW-violations flag. The following update with `argc`
then triggers a refcount violation assertion.

Since we consider `HT_ALLOW_COW_VIOLATION` a hack, we do not want to
keep the flag during hash table initialization, so we initialize the
hash table right away after creation for this code path.

Closes GH-15930.

show more ...

ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch())

We check that the "attrib" and "modtype" keys are present in each array.
If not we throw a ValueErro

ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch())

We check that the "attrib" and "modtype" keys are present in each array.
If not we throw a ValueError, in line with what other validation failure cases do.

Closes GH-16057

show more ...