In 8b3c1a3, this was disallowed to fix#55856, which was a security
issue caused by the /e modifier. The fix that was made was the
"Easier fix" as described in the original report.
With this fix, pattern strings are no longer treated as null terminated,
so null characters can be placed inside and matched against with regex
patterns without security problems, so there is no longer a reason to
give the error. Allowing this is consistent with the behaviour of many
other languages, including JavaScript, and thanks to PCRE2[0], it does
not require manually escaping null characters. Now that we can avoid the
error here without the cost of escaping characters, there is really no
need anymore to stray here from the conventional behaviour.
Currently, null characters are still disallowed before the first
delimiter and in the options section at the end of a regex string, but
these error messages have been updated.
[0] Since PCRE2, pattern strings no longer have to be null terminated,
and raw null characters match as normal.
Closes GH-8114.
Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()
zend_atol() and zend_atoi() don't just do number parsing.
They also check for a 'K', 'M', or 'G' at the end of the string,
and multiply the parsed value out accordingly.
Unfortunately, they ignore any other non-numerics between the
numeric component and the last character in the string.
This means that numbers such as the following are both valid
and non-intuitive in their final output.
* "123KMG" is interpreted as "123G" -> 132070244352
* "123G " is interpreted as "123 " -> 123
* "123GB" is interpreted as "123B" -> 123
* "123 I like tacos." is also interpreted as "123." -> 123
Currently, in php-src these functions are used only for parsing ini values.
In this change we deprecate zend_atol(), zend_atoi(), and introduce a new
function with the same behavior, but with the ability to report invalid inputs
to the caller. The function's name also makes the behavior less unexpected:
zend_ini_parse_quantity().
Co-authored-by: Sara Golemon <pollita@php.net>
Implements initial stage of accepted RFC to remove them:
https://wiki.php.net/rfc/remove_utf8_decode_and_utf8_encode
Tests relating to SOAP and htmlspecialchars seem to have been
using this entirely unnecessarily, so have been fixed.
Closes GH-8726.
Because the UID= and PWD= values are appended to the SQLDriverConnect
case when credentials are passed, we have to append them to the string
in case users are relying on this behaviour. However, they must be
quoted, or the arguments will be invalid (or possibly more injected).
This means users had to quote arguments or append credentials to the raw
connection string themselves.
It seems that ODBC quoting rules are consistent enough (and that
Microsoft trusts them enough to encode into the .NET BCL) that we can
actually check if the string is already quoted (in case a user is
already quoting because of this not being fixed), and if not, apply the
appropriate ODBC quoting rules.
This is because the code exists in main/, and are shared between
both ODBC extensions, so it doesn't make sense for it to only exist
in one or the other. There may be a better spot for it.
Closes GH-8307.
This allows users to use PECL/zip, which is well maintained and often
brings new features which are not yet available in ext/zip, as drop-in
replacement for the official Windows php-src builds.
Closes GH-8549.
`CURLOPT_XFERINFOFUNCTION` is available as of cURL 7.32.0, and
supersedes `CURLOPT_PROGRESSFUNCTION` which is still supported by
latest cURL, though.
Closes GH-7823.
There are many use-cases where a PHP user is currently using sodium_compat's implementation of this low-level XChaCha20 API. For example, multi-part message processing (in low-memory settings) for a ciphertext that was encrypted with XChaCha20-Poly1305 (rather than the secretstream API).
Adding this function to ext/sodium offers better performance and lowers users' memory usage with the polyfill, and ensures that users coming from other languages that provide libsodium bindings have a more consistent experience with our bindings. This is a win-win.
This patch follows the libsodium precedent of adding functions instead of optional parameters to existing functions. The parameter order is also consistent with the C API.
https://doc.libsodium.org/advanced/stream_ciphers/xchacha20#usage
Closes GH-8276.
As it is now, `IntlTimeZone`, `IntlCalendar` and `IntlDateFormatter`
and some other intl class instances can be serialized, but the
representation is meaningless, and unserialization yields uninitialized/
unusable objects. To prevent users from noticing this too late, we deny
serialization of such objects in the first place.
Closes GH-7945.
See #80828 and the internals@ mailing list discussion at
https://externals.io/message/116543
Use libavifinfo's AvifInfoGetFeaturesStream() in php_handle_avif() to
get the width, height, bit depth and channel count from an AVIF
payload. Implement stream reading/skipping functions and data struct.
Use libavifinfo's AvifInfoIdentifyStream() in php_is_image_avif().
Update the expected features read from "test1pix.avif" in
getimagesize.phpt.
Closes GH-7711.
Most notably, this affects some Windows specific error messages, which
are no longer in the default language of the system, to better match
error messages provided by PHP which are not localized anyway.
This also affects the com_dotnet extension, where it could fix some
DCOM related issues. Furthermore, the constant `LOCALE_NEUTRAL` is
added, which can be used for `variant_cmp()`.
Closes GH-7613.
The purpose of mbstring is for working with Unicode and legacy text
encodings; but Base64, QPrint, etc. are not text encodings and don't
really belong in mbstring. PHP already contains separate implementations
of Base64, QPrint, and HTML entities. It will be better to eventually
remove these non-encodings from mbstring.
Regarding HTML entities... there is a bit more to say. mbstring's
implementation of HTML entities is different from the other built-in
implementation (htmlspecialchars and htmlentities). Those functions
convert <, >, and & to HTML entities, but mbstring does not.
It appears that the original author of mbstring intended for something
to be done with <, >, and &. He used a table to identify which
characters should be converted to HTML entities, and </>/& all have a
special value in that table. However, nothing ever checks for that
special value, so the characters are passed through unconverted.
This seems like a very useless implementation of HTML entities. The most
important characters which need to be expressed as entities in HTML
documents are those three!
This deprecates all callables that are accepted by
call_user_func($callable) but not by $callable(). In particular:
"self::method"
"parent::method"
"static::method"
["self", "method"]
["parent", "method"]
["static", "method"]
["Foo", "Bar::method"]
[new Foo, "Bar::method"]
RFC: https://wiki.php.net/rfc/deprecate_partially_supported_callables
Closes GH-7446.
Since Curl 7.72.0, it supports a new parameter
called `CURLINFO_EFFECTIVE_METHOD`, which returns the effect method
in HTTP(s) requests. This is similar to `CURLINFO_EFFECTIVE_URL`.
- https://curl.se/libcurl/c/CURLINFO_EFFECTIVE_METHOD.html
This adds support for CURLINFO_EFFECTIVE_URL if ext/curl is built
with libcurl >= 7.72.0 (0x074800).
Closes GH-7595.
public function clearError(): void {}
public function getStreamIndex(int $index, int $flags = 0) {}
public function getStreamName(string $name, int $flags = 0) {}
ZipArchive::getStream is kept for BC
See https://github.com/pierrejoye/php_zip/issues/20
This reverts commit ac34648cf6.
As pointed out on GH-6783, the new format doesn't match any of
the specified formats. Previously the constant generated
Thursday, 14-Jul-2005 22:30:41 BST
which is obsolete. Now it generates
Thu, 14-Jul-2005 22:30:41 BST
which is not specified at all. The correct version would be:
Thu, 14 Jul 2005 22:30:41 BST
Reverting the change for now.
Switch default cipher for openssl_pkcs7_encrypt() and
openssl_cms_encrypt() from RC2-40 to AES-128-CBC.
The RC2-40 cipher is considered insecure and is not loaded by
default in OpenSSL 3, which means that these functions will
always fail with default arguments.
As the used algorithm is embedded in the result (which makes this
different from the openssl_encrypt() case) changing the default
algorithm should be safe.
Closes GH-7357.
Propagating lossless conversion from libgd to our bundled gd.
Changing "quantization" to "quality" as in libgd.
Adding test.
IMG_WEBP_LOSSLESS is only defined, if lossless WebP encoding is
supported by the libgd used.
Closes GH-7348.
All other private keys are exported in PKCS#8 format, while EC
keys use traditional format. Switch them to use PKCS#8 format as
well.
As the OpenSSL docs say:
> PEM_write_bio_PrivateKey_traditional() writes out a private key
> in the "traditional" format with a simple private key marker and
> should only be used for compatibility with legacy programs.
Add support for readonly properties, for which only a single
initializing assignment from the declaring scope is allowed.
RFC: https://wiki.php.net/rfc/readonly_properties_v2
Closes GH-7089.
Deprecate automatically converting "false" into an empty array
on write operands. Autovivification continues to be supported
for "null" values, as well as undefined/uninitialized values.
RFC: https://wiki.php.net/rfc/autovivification_false
Closes GH-7131.
Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Support acquiring a Closure to a callable using the syntax
func(...), $obj->method(...), etc. This is essentially a
shortcut for Closure::fromCallable().
RFC: https://wiki.php.net/rfc/first_class_callable_syntax
Closes GH-7019.
Co-Authored-By: Nikita Popov <nikita.ppv@gmail.com>
These are deprecated in favor of date()/DateTime::format() (for
locale-indendent formatting) and IntlDateFormatter::format()
(for locale-dependent formatting).
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Instead use ssl stream context options instead. The direct
equivalent would be crypto_method, but min_proto_version /
max_proto_version are recommended instead.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Add support for new expressions inside parameter default values,
static variable initializers, global constant initializers and
attribute arguments.
RFC: https://wiki.php.net/rfc/new_in_initializers
Closes GH-7153.
There's a subtlety here regarding filter.default_flags. The RFC
stated that no separate deprecation warning will be emitted for
it, on the premise that it is only meaningful if filter.default
is set. However, it turns out that even FILTER_UNSAFE_RAW (which
is the "no-op filter") can be combined with stripping flags.
However, this is compensated by the fact that this doesn't actually
work when setting filter.default=unsafe_raw and non-default
filter.default_flags -- the flags are simply ignored in that case.
So everything works out in the end.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
The DB connection should be provided in all cases as the first argument.
The overloaded function signatures will be removed in the future.
Warn about this change.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Static trait members may only be accessed through a class in which
the trait is used, not directly on the trait.
A complication here is that we should not store static
methods/properties for which a deprecation is triggered in a
cache slot. As the check for this is simple and cheap, I'm handling
this in the cache slot population code in the VM. The alternative
would be to pass the cache slot down into the fetching code.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Deprecate mhash(), mhash_keygen_s2k(), mhash_count(),
mhash_get_block_size() and mhash_get_hash_name() in favor of the
normal hash_*() functions.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
With this patch, it is no longer required to call
`ReflectionProperty#setAccessible()` or
`ReflectionMethod#setAccessible()` with `true`.
If a userland consumer already got to the point of accessing
object/class information via reflection, it makes little sense
for `ext/reflection` to disallow accessing `private`/`protected`
symbols by default.
After this patch, calling `ReflectionProperty#setAccessible(true)`
or `ReflectionMethod#setAccessible(true)` on newly instantiated
`ReflectionProperty` or `ReflectionMethod` respectively will have
no effect.
RFC: https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
Closes GH-5412.
Adds support for the following options beginning with version 7.71.0:
CURLOPT_ISSUERCERT_BLOB
CURLOPT_PROXY_ISSUERCERT
CURLOPT_PROXY_ISSUERCERT_BLOB
CURLOPT_PROXY_SSLCERT_BLOB
CURLOPT_PROXY_SSLKEY_BLOB
CURLOPT_SSLCERT_BLOB
CURLOPT_SSLKEY_BLOB
Closes GH-7194.
Currently, argument unpacking and named arguments cannot be mixed
at all. This relaxes the restriction to allow
foo(...$args, named: $arg). The variant foo(named: $arg, ...$args)
is still forbidden, because we can't ensure that positional
parameters come before named parameters in that case (without more
intrusive changes). Effectively this just enforces a required style,
as the order of unpack and named args doesn't matter for the cases
where both could be well-defined.
ML discussion: https://externals.io/message/114589
Closes GH-7009.
* phpdbg-no-remote:
The remote functionality is not being used. It significantly complicates current code and makes it harder to add new features.
This commit drops all remote related functionality.
This backports avif support from upstream libgd into bundled libgd
and exposes the functionality through new imagecreatefromavif()
and imageavif() functions.
Closes GH-7026.
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
[namespaces in bundled extensions](https://wiki.php.net/rfc/namespaces_in_bundled_extensions) changes for PSpell.
- Rename `PSpell` class to `\PSpell\Dictionary`
- Rename `PSpellConfig` class to `\PSpell\Config`
- Add entries to `UPGRADING` file.
Related: bd12c94f
This is a re-application of the original match against master.
The patch was originally applied to master, then reverted from
there, incorrectly applied to PHP-8.0, reverted from there due
to ABI break, and now lands on master again. We can only hope
that it does not get reverted again ;)
Followed by the bundled extension namespace RFC, #6925 updated the `IMAPConnection` class to `IMAP\Connection`.
This updates the UPGRADING file to reflect that change.
If Serializable is implemented, require that __serialize() and
__unserialize() are implemented as well, else issue a deprecation
warning.
Also deprecate use of PDO::FETCH_SERIALIZE.
RFC: https://wiki.php.net/rfc/phase_out_serializable
Closes GH-6494.
The never type can be used to indicate that a function never
returns, for example because it always unwinds.
RFC: https://wiki.php.net/rfc/noreturn_type
Closes GH-6761.
fsync is a straightforward wrapper around the same C function
(implemented on Windows API as _commit() with identical signature).
From the man pages:
fsync() transfers ("flushes") all modified in-core data of (i.e.,
modified buffer cache pages for) the file referred to by the file
descriptor fd to the disk device (or other permanent storage
device) so that all changed information can be retrieved even if
the system crashes or is rebooted. This includes writing through
or flushing a disk cache if present. The call blocks until the
device reports that the transfer has completed.
RFC: https://wiki.php.net/rfc/fsync_function
Closes GH-6650.
This PR corrects misspellings identified by the check-spelling action.
The misspellings have been reported at jsoref@b6ba3e2#commitcomment-48946465
The action reports that the changes in this PR would make it happy: jsoref@602417c
Closes GH-6822.
* allow the user to specify a folder where files that can be sent
via LOAD DATA LOCAL can exist
* add mysqli.local_infile_directory for mysqli
(ignored if mysqli.allow_local_infile is enabled)
* add PDO::MYSQL_ATTR_LOCAL_INFILE_DIRECTORY for pdo_mysql
(ignored if PDO::MYSQL_ATTR_LOCAL_INFILE is enabled)
* add related tests
* fixes for building with libmysql 8.x
* small improvement in existing tests
* update php.ini-[development|production] files
Closes GH-6448.
Co-authored-by: Nikita Popov <nikic@php.net>
When a method is inherited, the static variables will now always
use the initial values, rather than the values at the time of
inheritance. As such, behavior no longer depends on whether
inheritance happens before or after a method has been called.
This is implemented by always keeping static_variables as the
original values, and static_variables_ptr as the modified copy.
Closes GH-6705.
Add CURLStringFile class which works similarly to CURLFile, but
uploads a file from a string rather than a file. This avoids the
need to create a temporary file, or use of a data:// stream.
Basic usage:
$file = new CURLStringFile($data, 'filename.txt', 'text/plain');
curl_setopt($curl, CURLOPT_POSTFIELDS, ['file' => $file]);
Closes GH-6456.
This deprecates passing null to non-nullable scale arguments of
internal functions, with the eventual goal of making the behavior
consistent with userland functions, where null is never accepted
for non-nullable arguments.
This change is expected to cause quite a lot of fallout. In most
cases, calling code should be adjusted to avoid passing null. In
some cases, PHP should be adjusted to make some function arguments
nullable. I have already fixed a number of functions before landing
this, but feel free to file a bug if you encounter a function that
doesn't accept null, but probably should. (The rule of thumb for
this to be applicable is that the function must have special behavior
for 0 or "", which is distinct from the natural behavior of the
parameter.)
RFC: https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg
Closes GH-6475.
Rename MYSQLI_REFRESH_SLAVE to MYSQLI_REFRESH_REPLICA in line with
upstream change in MySQL. The old name is retained for
backwards-compatibility reasons, and may be deprecated/removed in
the future.
Closes GH-6632.
From libcurl version 7.62.0 and later, it supports DNS-over-HTTPS with
[`CURLOPT_DOH_URL`](https://curl.se/libcurl/c/CURLOPT_DOH_URL.html) option.
This adds integration with the `CURLOPT_DOH_URL` option if libcurl version
is >= 7.62.0 (0x073E00).
For reference, Ubuntu 20.04+ `libcurl4-openssl-dev`-based PHP builds use Curl 7.68.
Closes GH-6612.
This restricts allowed usage of $GLOBALS, with the effect that
plain PHP arrays can no longer contain INDIRECT elements.
RFC: https://wiki.php.net/rfc/restrict_globals_usage
Closes GH-6487.
Return integers and floats as native types if possible. As usual,
the old behavior can be restored by enabling ATTR_STRINGIFY_FETCHES.
Fixes bug #38334.
Instead of requiring the type to be determined in advance by the
describer function and then requiring get_col to return a buffer
of appropriate type, allow get_col to return an arbitrary zval.
See UPGRADING.INTERNALS for a more detailed description of the
change.
This makes the result fetching simpler, more efficient and more
flexible. The general possibility already existed via the special
PDO_PARAM_ZVAL type, but the usage was very inconvenient and/or
inefficient. Now it's possible to easily implement behavior like
"return int if it fits, otherwise string" and to avoid any kind
of complex management of temporary buffers.
This also fixes bug #40913 (our second highest voted bug of all
time, for some reason). PARAM_LOB result bindings will now
consistently return a stream resource, independently of the used
database driver.
I've tried my best to update all PDO drivers for this change, but
some of the changes may be broken, as I cannot test or even build
some of these drivers (in particular PDO dblib and PDO oci).
Fixes are appreciated -- a working CI setup would be even more
appreciated ;)
Besides our general desire to get rid of the legacy resource types,
this is particularly appealing for fileinfo, because there are already
respective objects.
Closes GH-5987.
There doesn't seem to be any compelling reason to implement this
in mysqlnd rather than mysqli. It's just a loop over fetch_into.
This makes the function available under libmysqlclient as well,
and thus fixes bug #79372.
Previously, PDO MySQL only fetched data as native int/float if
native prepared statements were used. This patch updates PDO to
have the same behavior for emulated prepared statements, and thus
removes the largest remaining discrepancy between these two modes.
Note that PDO already has a ATTR_STRINGIFY_FETCHES option to control
whether native types are desired or not. The previous output can
be restored by enabling this option.
Most of the tests make use of that option, because this allows the
tests to work under libmysqlclient as well, which currently always
returns string results (independently of whether native or emulated
PS are used).
This is a larger overhaul of the mysqlnd result set infrastructure:
* Drop support for two different types of buffered results sets
("c" and "zval"). Possibly these made sense at some earlier
time, but now (with minor adjustments) one option is strictly
worse than the other. Buffered result sets already buffer the
full row packets, from which zvals can be decoded. The "zval"
style additionally also buffered the decoded zvals. As result
sets, even buffered ones, are generally only traversed once,
this just ends up wasting memory. Now, a potentially useful
variation here would be to buffer the decoded zvals instead of
the row packets, but that's not what the code was doing.
* To make it really strictly better, pre-allocate the zval row
buffer and reuse it for all rows. Previously the "c" style always
allocated a new buffer for each row.
* The fetch_row API now provides a populated zval[]. The task of
populating an array is deferred to fetch_row_into, which also
avoids duplicating this code in multiple places. The fetch_row_c
API is also implemented on top of fetch_row now, rather than
duplicating large parts of the code.
* The row fetching code for prepared statements and normal result
sets has been mostly merged. These already used the same
infrastructure, but prepared statements used separate row
fetching functions that were nearly the same as the normal ones.
This requires passing the stmt into the result set, rather than
just a flag. The only part that remains separate is reading of
unbuffered results in the presence of PS cursors.
Retain the field, but always populate it with zero. This was
already the case for PS without length updating.
max_length has nothing lost in the field metadata -- it is a
property of the specific result set, and requires scanning the
whole result set to compute. PHP itself never uses max_length
with mysqlnd, it is only exposed in the raw mysqli API.
Keeping it for just that purpose is not worthwhile given the costs
involved. People who actually need this for some reason can easily
calculate it themselves, while making it obvious that the
calculation requires a full result set scan.
`version_compare()` does a sloppy check for the `$operators` argument
which allows arbitrary abbreviations of the supported operators to be
accepted. This is both undocumented and unexpected, and could lead to
subtle BC breaks, if the order of the comparisions will be changed.
Therefore we change to strict comparisons.
Closes GH-6510.
We already tried this in PHP 7.4, but ran into issues, because
alpine did not support pkg-config for libargon2 (or had a broken
pc file, not sure). The Alpine issue has been resolved in the
meantime, so let's give this another try.
This macro is defined to zero as of PHP 5.0.0, and as the comment
indicates, is no longer relevant. Thus, we remove the definition and
all usages from the core and bundled extensions.
Closes GH-6351.
Remove ldap_control_paged_result and ldap_control_paged_result_response
which have been deprecated in PHP 7.4, in favor of new $controls
parameters for ldap request functions.
Disabling output compression for images has served to fix bug #16109,
where zlib compressed images apparently have caused issues with
Navigator 4. This shouldn't be an issue with somewhat contemporary
browsers. Other than that, this is an arbitrary restriction – why
don't we disable the compression for some other media types as well
(e.g. video/* and audio/*)? All in all, we should leave that decision
to userland.
Closes GH-6198.
`odbc_connect()` should not reuse persistent connections, since that
prohibits multiple concurrent connections, which are occasionally
desireable. We fix that by no longer looking for already cached
connections when `odbc_connect()` is called, and instead creating a new
connection instead.
Closes GH-6223.
One strange feature of SplFixedArray was that it could not be used in nested foreach
loops. If one did so, the inner loop would overwrite the iteration state of the outer
loop.
To illustrate:
$spl = SplFixedArray::fromArray([0, 1]);
foreach ($spl as $a) {
foreach ($spl as $b) {
echo "$a $b";
}
}
Would only print two lines:
0 0
0 1
Use the new InternalIterator feature which was introduced in ff19ec2df3 to convert
SplFixedArray to an Aggregate rather than Iterable. As a bonus, we get to trim down
some ugly code! Yay!
Both of these functions are well-defined when used with a single
array argument -- rejecting this case was an artificial limitation.
This is not useful when called with explicit arguments, but removes
edge-cases when used with argument unpacking:
// OK even if $excludes is empty.
array_diff($array, ...$excludes);
// OK even if $arrays contains a single array only.
array_intersect(...$arrays);
This matches the behavior of functions like array_merge() and
array_push(), which also allow calls with no array or a single
array respectively.
Closes GH-6097.
RC4 is considered insecure, and it's not possible to change the
default of these functions. As such, require the method to be
passed explicitly.
Closes GH-6093.
crypt() without salt generates a weak $1$ MD5 hash. It has been
throwing a notice since 2013 and we provide a much better alternative
in password_hash() (which can auto-generate salts for strong
password hashes), so keeping this is just a liability.
If we do not specify the exact version of the .NET framework to use,
the default CLR is loaded, which is typically CLR 2, which is very old.
Therefore, we introduce a `PHP_INI_SYSTEM` setting, which allows users
to choose the desired .NET framework version. The value of the setting
are the first three parts of the framework's version number, separated
by dots, and prefixed with "v", e.g. "v4.0.30319". If the value of the
INI setting is `NULL` (the default) or an empty string, the default CLR
is used.
Internally, we switch from the most generic `CoCreateInstance()` to
`CorBindToRuntime()` which is implemented in mscoree.dll. To avoid the
hard dependency to that library, we load dynamically.
So this fix is supposed to be fully backwards compatible.
Closes GH-5949
User-defined functions can't have multiple parameters with the same name.
Don't do that for var_dump/debug_zval_dump.
Consistently use array $array to match docs
Fix typo in UPGRADING
Fixes GH-6015
