Move all rebinding checks into one function to make sure they stay
in sync. Normalize return value to be NULL for all rebinding
failures, instead of returning an improperly bound closure in some
cases.
This replaces add_new with update for the RW case. This should not
be problematic for performance, as this branch throws a notice.
Alternatively add_new could also be replaced with add. I went with
update, because it makes $a[0] += 1 behavior the same as
$a[0] = $a[0] + 1.
As it turns out, there is actually no reason to prevent this, it even was a bigger BC break than expected...
Also fixes a memory leak (the Closure leaks) when calling internal functions via Closure by moving it out of leave helper onto caller side for TOP_CODE:
$z = new SplStack; $z->push(20);
$x = (new ReflectionMethod("SplStack", "pop"))->getClosure($z);
var_dump($x());
Now it is completely impossible to rebind a scoped method Closure (only the kind you get from ReflectionMethod::getClosure()) to a foreign scope
Adding a lot of tests to ensure this...
Also, properly return NULL in case the Closure could not be created instead of some crippled unbound Closure
This additionally removes support for binding to an unknown (not in parent hierarchy) scope.
Removing support for cross-scope is necessary for certain compile-time assumptions (like class constants) to prevent unexpected results
This fix is actually made for array acessing bug fix (#70262) which is
discarded since we have another better fix, anyway now seems this is still useful
Note that the UNEXPECTED(zv) was turned into EXPECTED(zv), as zv is mostly set in the context where it is used and usually anyway is checked first with OP*_TYPE == IS_VAR; or maybe just completely remove that (UN)EXPECTED at this place...
We recently added support for "use \Foo\{Bar}". This commit drops
support for the reverse "use Foo\{\Bar}". Those two got mixed up
in the initial implementation.
* PHP-5.6:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
Zend/zend_exceptions.c
ext/date/php_date.c
ext/openssl/openssl.c
ext/phar/phar_internal.h
ext/soap/php_http.c
ext/spl/spl_array.c
ext/spl/spl_dllist.c
ext/spl/spl_observer.c
ext/standard/tests/serialize/bug69152.phpt
sapi/cli/tests/005.phpt
* PHP-5.5:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
ext/soap/php_http.c
ext/spl/spl_observer.c
* PHP-5.4:
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
.gitignore
ext/date/php_date.c
ext/spl/spl_array.c
ext/spl/spl_observer.c
