Fix #69793 - limit what we accept when unserializing exception

Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)

fix merge

fix merge

Merge branch 'PHP-5.6'

* PHP-5.6:
__wakeup doesn't have to be final

Merge branch 'PHP-5.6'

* PHP-5.6:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unseriali

Merge branch 'PHP-5.6'

* PHP-5.6:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix #69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables

Conflicts:
Zend/zend_exceptions.c
ext/date/php_date.c
ext/openssl/openssl.c
ext/phar/phar_internal.h
ext/soap/php_http.c
ext/spl/spl_array.c
ext/spl/spl_dllist.c
ext/spl/spl_observer.c
ext/standard/tests/serialize/bug69152.phpt
sapi/cli/tests/005.phpt

show more ...

Switch code on thrown TypeError and ParseError to 0, update related tests

Use NULL where possible for exception class

Matches usage of zend_throw_exception()/zend_throw_exception_ex().

Remove need to pass error level

Enable throwing custom exceptions from errors

Switch position of ce in exception ce variable names

Cleanup exception ce API

Removed recently added functions to get Error ce's and marked the old functions
fetching default_exception_ce and error_exception_ce as deprecated.

Introduce ArithmeticError

Use DivisionByZeroError instead of exception for %/intdiv()

Use ZSTR_ API to access zend_string elements (this is just renaming without semantick changes).

Improved zend_string API (Francois Laupretre)

Squashed commit of the following:

commit d96eab8d79b75ac83d49d49ae4665f948d15a804
Author: Francois Laupretre <francois@tekwire.net>

Improved zend_string API (Francois Laupretre)

Squashed commit of the following:

commit d96eab8d79b75ac83d49d49ae4665f948d15a804
Author: Francois Laupretre <francois@tekwire.net>
Date: Fri Jun 26 01:23:31 2015 +0200

Use the new 'ZSTR' macros in the rest of the code.

Does not change anything to the generated code (thanks to compat macros) but cleaner.

commit b3526439104ac7a89a8e0c79dbebf33b22bd01b8
Author: Francois Laupretre <francois@tekwire.net>
Date: Thu Jun 25 13:45:06 2015 +0200

Improve zend_string API

Add missing methods

show more ...

Show exception source in phpdbg

Fix bug when constructing an Error with invalid params

cleanup unused var

preserve the orig class name when extending the ErrorException

dont use function to fetch default exception ce

fix crash when invalid exception arguments passed

Fix #61362: Exception::getTraceAsString and ::__toString scramble Unicode

The logic in smart_str_append_escaped() relies on unsigned values of c, so we
have to declare it as such.

Rename interface macros

Renamed REGISTER_INTERFACE (formerly
REGISTER_ITERATOR_INTERFACE) to
REGISTER_MAGIC_INTERFACE and renamed
REGISTER_ITERATOR_IMPLEMENT to
REGISTER_MAGI

Rename interface macros

Renamed REGISTER_INTERFACE (formerly
REGISTER_ITERATOR_INTERFACE) to
REGISTER_MAGIC_INTERFACE and renamed
REGISTER_ITERATOR_IMPLEMENT to
REGISTER_MAGIC_IMPLEMENT. Both have now been
moved to zend_interfaces.h.

show more ...

Move definition of Throwable to zend_exceptions.h/c

Also moved REGISTER_ITERATOR_INTERFACE macro to
zend_interfaces.h and renamed it to REGISTER_INTERFACE.