The actual issue lays in the unserializer code which doesn't honor
the unserialize callback. By contrast, the serialize callback is
respected. This leads to the situation that even if a class has
disabled the serialization explicitly, user could still construct
a vulnerable string which would result bad things when trying
to unserialize.
This conserns also the classes implementing Serializable as well
as some core classes disabling serialize/unserialize callbacks
explicitly (PDO, SimpleXML, SplFileInfo and co). As of now, the
flow is first to call the unserialize callback (if available),
then call __wakeup. If the unserialize callback returns with no
success, no object is instantiated. This makes the scheme used
by internal classes effective, to disable unserialize just assign
zend_class_unserialize_deny as callback.
curl_exec returns an empty string when data is received from a domain that returns zero content. curl_multi_getcontent
returned null. Now it returns an empty string fixing the incosistency
There are situations where mysqlnd dupliates zvals while freeing result
sets. If the memory_limit is reached during this operation the engine
will bailout. This patch makes sure that a later attempt (during
RSHIUTDOWN) won't cause a double free, instead we rely on the engine to
free emalloc()ed memory after bailout.
std_compare_objects immidiately returned 0 if the property tables
of both objects contain NULL at some index. Thus it would report
objects as equal even though properties following after that
differ.
This fixes GD compilation against libfreetype 2.5.1 and later after they made
the rather interesting decision to change their include directory layout in a
point release.
The original suggestion in the bug was to use pkg-config, but my inclination is
to use freetype-config instead: we should be able to get the same configuration
information without actually needing pkg-config installed, since pkg-config is
by no means guaranteed to exist on many Unices and distros, whereas
freetype-config should always be present if a libfreetype build environment is
installed. Let's try it out and see what happens.
Fixes bug #64405 (Use freetype-config for determining freetype2 dir(s)).
if a mode like "rn" was passed to fopen(), then
php_stream_parse_fopen_modes() would assign O_WRONLY to
flags, because O_NONBLOCK tainted flags for the r/w/+ check
These were returned to the general allocation pool by RFC 3330, and hence
shouldn't cause an IP address validation failure due to being reserved. At
least 128.0.0.0/16 is in use on the public Internet today.
Fixes bug #66229 (128.0.0.0/16 isn't reserved any longer).
Passing DOMDocumentFragment to DOMDocument::saveHTML()
produces invalid markup, because a DocumentFragment is just a container
for child nodes and not a real node itself.
previous codes: "#define php_mblen(ptr, len) ((ptr) == NULL ? mbsinit(&BG(mblen_state)):
(int)mbrlen(ptr, len, &BG(mblen_state)))#
it use mbsinit there, seems try to initialize the mblen_state, but:
"This function does not change the state identified by ps. Typical ways
to make the state pointed by ps an initial state are:
memset (ps,0,sizeof(*ps)); // ps points to zero-valued object
"
http://www.cplusplus.com/reference/cwchar/mbsinit/?kw=mbsinit
In context of static accesses like classname::$this, the string
"$this" should not be handled like a $this variable, but as an
identifier for a static variable.
the idea behind ftp_nb_get is for it to be followed by multiple calls
to ftp_nb_continue in order to download a file piece-by-piece.
As such, it's unwise to close the stream used to write the downloaded
data to when the file hasn't been completely downloaded within the first
call to ftp_nb_get.
This regression was added in a93a462dce
and this patch restores the behavior that was seen pre-patch.
