#
f9ce5e79 |
| 21-Oct-2024 |
Christoph M. Becker |
Fix GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen Domain name labels must not end with a hyphen, and that is also true for the last label. Apparently, this has been overlooked so far. Closes GH-16540.
|
#
5853cdb7 |
| 20-Aug-2024 |
Gina Peter Banyard |
Use "must not" instead of "cannot" wording
|
#
7e0e3cc8 |
| 22-May-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GHSA-w8qr-v226-r27w We should not early-out with success status if we found an ipv6 hostname, we should keep checking the rest of the conditions. Because integrating the if-check of the ipv6 hostname in the "Validate domain" if-check made the code hard to read, I extracted the condition out to a separate function. This also required to make a few pointers const in order to have some clean code.
|
Revision tags: php-8.2.0RC1, php-8.1.10, php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3, php-8.2.0beta2, php-8.1.9, php-8.0.22, php-8.1.9RC1, php-8.2.0beta1, php-8.0.22RC1, php-8.0.21, php-8.1.8, php-8.2.0alpha3, php-8.1.8RC1, php-8.2.0alpha2, php-8.0.21RC1, php-8.0.20, php-8.1.7, php-8.2.0alpha1, php-7.4.30, php-8.1.7RC1, php-8.0.20RC1, php-8.1.6, php-8.0.19, php-8.1.6RC1, php-8.0.19RC1, php-8.0.18, php-8.1.5, php-7.4.29, php-8.1.5RC1, php-8.0.18RC1, php-8.1.4, php-8.0.17, php-8.1.4RC1, php-8.0.17RC1, php-8.1.3, php-8.0.16, php-7.4.28, php-8.1.3RC1, php-8.0.16RC1, php-8.1.2, php-8.0.15 |
|
#
d8fc05c0 |
| 06-Jan-2022 |
root |
Add FILTER_FLAG_GLOBAL_RANGE to filter Global IPs as per RFC 6890 |
#
187a0e47 |
| 28-Mar-2022 |
Stanislav Malyshev |
Merge branch 'PHP-8.0' into PHP-8.1 * PHP-8.0: Don't try to access memory outside string
|
#
2119ba21 |
| 28-Mar-2022 |
Stanislav Malyshev |
Don't try to access memory outside string |
#
1c3374c7 |
| 28-Mar-2022 |
Christoph M. Becker |
Merge branch 'PHP-8.0' into PHP-8.1 * PHP-8.0: Fix signedness confusion in php_filter_validate_domain()
|
#
771dbdb3 |
| 28-Mar-2022 |
Christoph M. Becker |
Fix signedness confusion in php_filter_validate_domain() As is, there is the possibility that integer underflow occurs, making `_php_filter_validate_domain()` succeed for very long domain names. Cf. <https://pwning.systems/posts/php_filter_var_shenanigans/>.
|
#
414d5620 |
| 14-Feb-2022 |
Stanislav Malyshev |
Merge branch 'PHP-8.0' into PHP-8.1
|
#
82f1bf1b |
| 31-Jan-2022 |
Christoph M. Becker |
Fix #81708: UAF due to php_filter_float() failing for ints We must only release the zval, if we actually assign a new zval. |
Revision tags: php-8.1.2RC1, php-8.0.15RC1 |
|
#
a000af6e |
| 19-Dec-2021 |
Christoph M. Becker |
Merge branch 'PHP-8.0' into PHP-8.1 * PHP-8.0: Fix FILTER_FLAG_NO_RES_RANGE flag
|
#
3587e13a |
| 19-Dec-2021 |
Yifan Tong |
Fix FILTER_FLAG_NO_RES_RANGE flag `2001:10::/28` is a reserved IPv6 range. But there's a typo in GH-7476, which caused IPv6 address like `240b:0010::1` will be filtered by the flag `FILTER_FLAG_NO_RES_RANGE`. http://www.faqs.org/rfcs/rfc6890.html Closes GH-7790.
|
Revision tags: php-8.0.14, php-8.1.1, php-7.4.27, php-8.1.1RC1, php-8.0.14RC1, php-7.4.27RC1, php-8.1.0, php-8.0.13, php-7.4.26, php-7.3.33, php-8.1.0RC6, php-7.4.26RC1, php-8.0.13RC1, php-8.1.0RC5, php-7.3.32, php-7.4.25, php-8.0.12, php-8.1.0RC4, php-8.0.12RC1, php-7.4.25RC1, php-8.1.0RC3, php-8.0.11, php-7.4.24, php-7.3.31 |
|
#
1dcc0ff5 |
| 20-Sep-2021 |
Christoph M. Becker |
Merge branch 'PHP-8.0' into PHP-8.1 * PHP-8.0: Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing
|
#
fbc922d5 |
| 20-Sep-2021 |
Christoph M. Becker |
Merge branch 'PHP-7.4' into PHP-8.0 * PHP-7.4: Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing
|
#
288c25f7 |
| 20-Sep-2021 |
Christoph M. Becker |
Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing It makes no sense to compare IPv6 address ranges as strings; there are too many different representation possibilities. Instead, we change `_php_filter_validate_ipv6()` so that it can calculate the IP address as integer array. We do not rely on `inet_pton()` which may not be available everywhere, at least IPv6 support may not, but rather parse the IP address manually. Finally, we compare the integers. Note that this patch does not fix what we consider as reserved and private, respectively, but merely tries to keep what we had so far. Co-authored-by: Nikita Popov <nikita.ppv@gmail.com> Closes GH-7476.
|
Revision tags: php-8.1.0RC2, php-7.4.24RC1, php-8.0.11RC1, php-8.1.0RC1, php-7.4.23, php-8.0.10, php-7.3.30, php-8.1.0beta3, php-8.0.10RC1, php-7.4.23RC1, php-8.1.0beta2, php-8.0.9, php-7.4.22, php-8.1.0beta1, php-7.4.22RC1, php-8.0.9RC1, php-8.1.0alpha3, php-7.4.21, php-7.3.29 |
|
#
aff36587 |
| 29-Jun-2021 |
Patrick Allaert |
Fixed some spaces used instead of tabs |
Revision tags: php-8.0.8 |
|
#
7bab67c2 |
| 28-Jun-2021 |
Stanislav Malyshev |
Fix warning (cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef) |
#
4957b7c0 |
| 28-Jun-2021 |
Stanislav Malyshev |
Merge branch 'PHP-8.0' * PHP-8.0: Fix warning
|
#
19001378 |
| 28-Jun-2021 |
Stanislav Malyshev |
Fix warning |
#
d72e82bf |
| 28-Jun-2021 |
Stanislav Malyshev |
Merge branch 'PHP-8.0' * PHP-8.0: Update NEWS Fix #76448: Stack buffer overflow in firebird_info_cb Fix #76449: SIGSEGV in firebird_handle_doer Fix #76450: SIGSEGV in firebird_stmt_execute Fix #76452: Crash while parsing blob data in firebird_fetch_blob Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
|
#
892674ef |
| 28-Jun-2021 |
Stanislav Malyshev |
Merge branch 'PHP-7.4' into PHP-8.0 * PHP-7.4: Update NEWS Fix #76448: Stack buffer overflow in firebird_info_cb Fix #76449: SIGSEGV in firebird_handle_doer Fix #76450: SIGSEGV in firebird_stmt_execute Fix #76452: Crash while parsing blob data in firebird_fetch_blob Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
|
#
2327e3d3 |
| 28-Jun-2021 |
Stanislav Malyshev |
Merge branch 'PHP-7.3' into PHP-7.4 * PHP-7.3: Update NEWS Fix #76448: Stack buffer overflow in firebird_info_cb Fix #76449: SIGSEGV in firebird_handle_doer Fix #76450: SIGSEGV in firebird_stmt_execute Fix #76452: Crash while parsing blob data in firebird_fetch_blob Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
|
Revision tags: php-8.1.0alpha2, php-7.4.21RC1, php-8.0.8RC1 |
|
#
a5538c62 |
| 14-Jun-2021 |
Christoph M. Becker |
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that. |
Revision tags: php-8.1.0alpha1, php-8.0.7, php-7.4.20, php-8.0.7RC1, php-7.4.20RC1 |
|
#
01b3fc03 |
| 06-May-2021 |
KsaR |
Update http->https in license (#6945) 1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https. 2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier". 3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted. 4. fixed indentation in some files before |
|
Revision tags: php-8.0.6, php-7.4.19, php-7.4.18, php-7.3.28, php-8.0.5, php-8.0.5RC1, php-7.4.18RC1, php-8.0.4RC1, php-7.4.17RC1, php-8.0.3, php-7.4.16, php-8.0.3RC1, php-7.4.16RC1, php-8.0.2, php-7.4.15, php-7.3.27, php-8.0.2RC1, php-7.4.15RC2, php-7.4.15RC1, php-8.0.1, php-7.4.14, php-7.3.26, php-7.4.14RC1, php-8.0.1RC1, php-7.3.26RC1, php-8.0.0, php-7.3.25, php-7.4.13, php-8.0.0RC5, php-7.4.13RC1, php-8.0.0RC4, php-7.3.25RC1, php-7.4.12, php-8.0.0RC3, php-7.3.24, php-8.0.0RC2, php-7.4.12RC1, php-7.3.24RC1, php-7.2.34, php-8.0.0rc1 |
|
#
5caaf40b |
| 29-Sep-2020 |
George Peter Banyard |
Introduce pseudo-keyword ZEND_FALLTHROUGH And use it instead of comments |