stream_get-line repeatedly calls php_stream_fill_read_buffer until
enough data is accumulated in buffer. However, when stream contains
filters attached to it, then each call to fill buffer essentially
resets buffer read/write pointers and new data is written over old.
This causes stream_get_line to skip parts of data from stream
This patch fixes such behavior, so fill buffer call will append.
To retain legacy behavior I decided to add an option to control request
termination logic. If request_terminate_timeout_track_finished is set,
then request will be tracked for time limits even after
fastcgi_finish_request was called.
This patch depends on the fix provided in BUG 78469 (otherwise php-fpm
workers listening on named pipes on Windows will be erroneously terminated)
(PR #4636)
Add a max_depth option to unserialize and an unserialize_max_depth
ini setting, which can be used to control the depth limit. The
default value is 4096.
This option is intended to prevent stack overflows during the
unserialization of deeply nested structures.
This fixes bug #78549 and addresses oss-fuzz #17581, #17589, #17664,
and #17788.
mb_decode_numericentity() accepts a fourth optional parameter, which is
unused, however. Since this parameter doesn't do any harm, and to avoid
the small BC break, we're keeping this parameter for PHP 7, but adjust
the arginfo.
For PHP 8, we will remove this parameter.
libsodium measures the memory cost in bytes, while password_hash() and
friends expect kibibyte values. We have to properly map between these
scales not only when calling libsodium functions, but also when
checking for allowed values.
We also refactor to rid the code duplication.
When calling free_result_buffers(), also free field metadata and
restore the mempool state to what it was before any allocations
have been made. Remove the mempool save/restore logic for the
inner result set as this is now handled on a higher level.
When stored procedures are called, the "final result set is a status
result that includes no result set". Calling `::nextRowset()` on the
actual last result set should return FALSE, since there is actually no
further result set to be processed.
fcgi_accept_request function is supposed to call a FastCGI implementation's
on_accept hook when entering an "accepting" stage (that is right before
calling "accept"). This hook implementation (fpm_request_accepting) updates
a worker state to an "accepting" state which is effectively an "Idle" state,
and updates counters on the scoreboard of the corresponding pool (idle++,
active--).
But this is not done when listening for client connections on a named pipe on
Windows platform. In that case a combination of
ConnectNamedPipe/WaitForSingleObject is used (to be able to catch in_shutdown
as far as I understand), but it is nonetheless functionally equivalent to
"accept" call. Also by not calling on_hook neither a worker's state is updated
to "accepting" state nor scoreboard counters are updated.
As of PHP 7.3.0, the rules regarding the heredoc and nowdoc closing
identifier have been relaxed. While formerly, the closing identifier
was required to be placed at the beginning of a line and to be
immediately followed by (a semicolon and) a line break, it may now be
preceeded by whitespace, and may be followed by any non-word character.
We adjust the recognition logic respectively.
When storing two temporary variables for delayed __unserialize() calls,
we have to make sure that both fit into the same linked list element.
To that end we introduce the internal API `tmp_var` which allows to
reserve `num` slots in the same list element.
We also fix the `var_dtor_entries` struct definition to use the proper
size, namely `VAR_DTOR_ENTRIES_MAX`.
We must not assume that any file which is not a directory is a regular
file. Therefore we employ `GetFileType()` in this case to properly
distinguish between character special, FIFO special and regular files.
As of Windows 1903, when the OneDrive on-demand feature is enabled, the
OneDrive folder is reported as reparse point by `FindFirstFile()`, but
trying to get information about the reparse point using
`DeviceIoControl()` fails with `ERROR_NOT_A_REPARSE_POINT`. We work
around this problem by falling back to `GetFileInformationByHandle()`
if that happens, but only if the reparse point is reported as cloud
reparse point, and only if PHP is running on Windows 1903 or later.
The patch has been developed in collaboration with ab@php.net.
We should keep an eye on the somewhat quirky OneDrive behavior, since
it might change again in a future Windows release.
In PHP 7.3 shadow properties are no longer duplicated. Make sure we
only release them if the property was defined on the parent class,
which means that it changed from private->shadow, which is where
duplication does happen.
This removes an incorrect optimization (I think this code used to be
necessary to properly handle references in the Serializable based
implementation, but now this code just avoids an array duplication
in a way that is not sound).
For objects with destructors, we will now only call the destructor
in the initial GC run, and remove any nested data. The object is
marked purple so it will be considered a root for the next GC run,
at which point it will be fully destroyed, if possible.
GC counts change on a number of tests, as the objects now get
destroyed later.
The fix for bug #78241 assumed that `time_t` would always be 64bit, but
actually is 32bit for x86. We therefore enforce 64bit arithmetic to
avoid wrapping.
(cherry picked from commit bf242d58e7)
When the strip tags state machine has been flattened, an if statement
has mistakenly been treated as else if. We fix this, and also simplify
a bit right away.
As of MariaDB 10.0.2, the server reports a fake version number as work-
around for replication issues[1]. We apply the same "fix" as in the
MariaDB client to cater to this.
[1] <c50ee6c23d (diff-5b45fa673c88c06a9651c7906364f592)>
The smart branch logic assumed b->start refers to the old offsets,
while b->start was already adjusted to the new offsets at this
point. Delay the change until later.
When performing a constant visibility check during compilation we
might be dealing with unlinked classes and as such should account
for the possibility of unresolved parents.
Even if we know the file size, we still need to read in a loop in
case the read call returns an incomplete result.
This was less of an issue previously because we did not use the
"one large read" approach for non-plain stream wrappers.
epoll event backend does not guarantee that child input/output events
are reported before SIGCHILD due to finished worker. While a bunch of
events received by epoll is being processed, child-related structures
may be removed before dispatching of an I/O event for the same child.
The result may be attempt to access to memory region allocated for
another purpose, segfault of the master process, and unavailable web
sites.
Postpone processing of SIGCHILD events till other events in the same
bunch are processed.
Fix Bug #62418 php-fpm master process crashes
Fix Bug #65398 Race condition between SIGCHLD and child stdout/stderr event leads to segfault
Fix Bug #75112 php-fpm crashing, hard to reproduce
Fix Bug #77114 php-fpm master segfaults in fpm_event_epoll_wait/fpm_event_fire
Fix Bug #77185 Use-after-free in FPM master event handling
Using mmap() is unsafe under concurrent modification. If the file
is truncated, access past the end of the file may occur, which will
generate a SIGBUS error. Even if the length does not change, the
contents may, which is a situation that the lexer certainly is not
prepared to deal with either.
Reproduce with test.php:
<?php
file_put_contents(__DIR__ . '/test.tpl',
'AAA<?php $string = "' .
str_repeat('A', mt_rand(1, 256 * 1024)) .
'"; ?>BBB' . "\r\n");
require_once __DIR__ . '/test.tpl';
And:
for ((n=0;n<100;n++)); do sapi/cli/php test.php & done
Instead of handling shebang lines by adjusting the file pointer in
individual SAPIs, move the handling into the lexer, where this is
both a lot simpler and more robust. Whether the shebang should be
skipped is controlled by CG(skip_shebang) -- we might want to do
that in more cases.
This fixed bugs #60677 and #78066.
New opcache directives have been added recently which are returned
if using `ini_get_all('zend opcache')` but are not listed in the
directives if using `opcache_get_configuration()`. This fix adds
those missing directives as well as if `opcache.mmap_base` is used
instead of `opcache.lockfile_path`. Also adds a test to ensure the
directives match with both methods of fetching.
The fix for bug #78241 assumed that `time_t` would always be 64bit, but
actually is 32bit for x86. We therefore enforce 64bit arithmetic to
avoid wrapping.
When cleaning nops in the dfa pass, we were always keeping the
smart branch inhibiting nop that occurs directly before the jump
instruction. However, as we skip unreachable blocks entirely, it
may happen that we need to keep a nop that occurs further back,
prior to the unreachable blocks. Account for that case now.
We should really do something about the smart branch situation,
this is very fragile...
