* Add behavioural tests for incdec operators
* Add support to ++/-- for objects castable to _IS_NUMBER
* Add str_increment() function
* Add str_decrement() function
RFC: https://wiki.php.net/rfc/saner-inc-dec-operators
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
This is supported in both the CLI and CGI modes. For CLI this required
little changes.
For CGI, the tricky part was that the options parsing happens inside the
loop. This means that options passed after the -l flag were previously
simply ignored. As we now re-enter the loop we would parse the options
again, and if they are handled but don't set the script name, then CGI
will think you want to read from standard in. To keep the same "don't
parse options" behaviour I simply wrapped the options handling inside an
if.
Closes GH-10024.
Closes GH-10710.
* Deprecate warnings in SQLite3, change returned exception class to SQLite3Exception
RFC: https://wiki.php.net/rfc/sqlite3_exceptions
Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
the old flag check was flawed and would miss some flags, for example:
file(__FILE__, FILE_APPEND);
is invalid, but the old flags error check would miss it: https://3v4l.org/b2W9u
Closes GH-11483
another level of context for pg_last_error/pg_result_error() to include
or not the context in those. PQSHOW_CONTEXT_ERRORS being the default.
Close GH-11395
This adds support for the completed event. Since the read handler could
be entered twice towards the end of the stream we remember what the eof
flag was before reading so we can emit the completed event when the flag
changes to true.
Closes GH-10505.
Fixes GH-11388.
Following https://wiki.php.net/rfc/horizontalreuse which introduced traits,
this should be allowed.
The implementation was refactored in 3f8c729. That commit is the first time
the "final" check appears AFAICT, but no reason was given for why. That
commit seems to have landed in 5.4.11 and the NEWS for that version doesn't
seem to mention something relevant to the behaviour change.
This patch removes the restriction of the final modifier.
Closes GH-11394.
PKCS7_NOOLDMIMETYPE to use Content-Type application/pkcs7-mime
OPENSSL_CMS_OLDMIMETYPE to use Content-Type application/x-pkcs7-mime
SMIME_write_PKCS7 and SMIME_write_CMS are using SMIME_write_ASN1_ex.
The Content-Type application/x-pkcs7-mime is generated with the flag SMIME_OLDMIME (0x400).[^1]
SMIME_write_PKCS7 set SMIME_OLDMIME by default.[^2]
SMIME_write_CMS does not.[^3]
I picked OPENSSL_CMS_OLDMIMETYPE over OPENSSL_CMS_NOOLDMIMETYPE because that's what the flag actually does.
[^1]: 9a2f78e14a/crypto/asn1/asn_mime.c (L248-L251)
[^2]: 9a2f78e14a/crypto/pkcs7/pk7_mime.c (L41-L43)
[^3]: 9a2f78e14a/crypto/cms/cms_io.c (L93)
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
- PGSQL_TRACE_SUPPRESS_TIMESTAMPS.
- PGSQL_TRACE_REGRESS_MODE to have a more verbose and observable
output to check possible regressions.
Close GH-11041
In NEWS, each 'news item' is suffixed with the name of the developer
who implemented the change. When adding entries to UPGRADING, I used
the same format as NEWS, without thinking about it much. However, it
has come to my attention that the standard format for entries in
UPGRADING does not include the developer's name.
We can't increase the refcount of internal classes during request time.
To work around this problem we simply don't refcount aliases anymore and
add a check in the destruction to skip aliases entirely.
There were also some checks which checked for an alias implicitly by
comparing the refcount, these have been replaced by checking the type of
the zval instead.
This fixes the oversight that an anonymous class should be able to be
readonly. Other identifiers such as final and abstract do not make
sense. As we still want nice errors for when users try to use these
modifiers, or use multiple modifiers, we introduce a new function
zend_add_anonymous_class_modifier that will perform verification for
anonymous class modifiers, just like zend_add_class_modifier does for
non-anonymous classes.
Closes GH-10381
The CSPRNG failing should be rare nowadays, but it *might* happen and without
this patch it's hard for the user to find out why the salt generation failed:
The error message is not actionable.
This patch will automatically set the CSPRNG exception to the `$previous`
exception of the ValueError that is thrown, allowing the developer to determine
the cause of the salt generation failure.
Before:
Fatal error: Uncaught ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3
After:
Fatal error: Uncaught Random\RandomException: Cannot open /dev/urandom: No such file or directory in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
Next ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3
Allow to bind a socket to a divert port without being concerned
by its address. for ipfw filter purpose (SO_USER_COOKIE constant).
FreeBSD only.
Close GH-10415.
The capital Greek letter sigma (Σ) should be lowercased as σ except
when it appears at the end of a word; in that case, it should be
lowercased as the special form ς.
This rule is included in the Unicode data file SpecialCasing.txt.
The condition for applying the rule is called "Final_Sigma" and is
defined in Unicode technical report 21. The rule is:
• For the special casing form to apply, the capital letter sigma must
be preceded by 0 or more "case-ignorable" characters, preceded by
at least 1 "cased" character.
• Further, capital sigma must NOT be followed by 0 or more
case-ignorable characters and then at least 1 cased character.
"Case-ignorable" characters include certain punctuation marks, like
the apostrophe, as well as various accent marks. There are actually
close to 500 different case-ignorable characters, including accent marks
from Cyrillic, Hebrew, Armenian, Arabic, Syriac, Bengali, Gujarati,
Telugu, Tibetan, and many other alphabets. This category also includes
zero-width spaces, codepoints which indicate RTL/LTR text direction,
certain musical symbols, etc.
Since the rule involves scanning over "0 or more" of such
case-ignorable characters, it may be necessary to scan arbitrarily far
to the left and right of capital sigma to determine whether the special
lowercase form should be used or not. However, since we are trying to
be both memory-efficient and CPU-efficient, this implementation limits
how far to the left we will scan. Generally, we scan up to 63 characters
to the left looking for a "cased" character, but not more.
When scanning to the right, we go up to the end of the string if
necessary, even if it means scanning over thousands of characters.
Anyways, it is almost impossible to imagine that natural text will
include "words" with more than 63 successive apostrophes (for example)
followed by a capital sigma.
Closes GH-8096.
having tighter control on ACK delays, difference is the setting
is `volatile` as it can be turned off by the kernel if not
explicitly set otherwise on the socket.
Closes GH-10145.
* random: Add Randomizer::nextFloat()
* random: Check that doubles are IEEE-754 in Randomizer::nextFloat()
* random: Add Randomizer::nextFloat() tests
* random: Add Randomizer::getFloat() implementing the y-section algorithm
The algorithm is published in:
Drawing Random Floating-Point Numbers from an Interval. Frédéric
Goualard, ACM Trans. Model. Comput. Simul., 32:3, 2022.
https://doi.org/10.1145/3503512
* random: Implement getFloat_gamma() optimization
see https://github.com/php/php-src/pull/9679/files#r994668327
* random: Add Random\IntervalBoundary
* random: Split the implementation of γ-section into its own file
* random: Add tests for Randomizer::getFloat()
* random: Fix γ-section for 32-bit systems
* random: Replace check for __STDC_IEC_559__ by compile-time check for DBL_MANT_DIG
* random: Drop nextFloat_spacing.phpt
* random: Optimize Randomizer::getFloat() implementation
* random: Reject non-finite parameters in Randomizer::getFloat()
* random: Add NEWS/UPGRADING for Randomizer’s float functionality
* Unserialize: Migrate "Unexpected end of serialized data" to E_WARNING
* Unserialize: Migrate "Error at offset %d of %d bytes" to E_WARNING
* Unserialize: Migrate "%s is returned from __sleep() multiple times" to E_WARNING
* Add NEWS for “Promote unserialize() notices to warning”
to be used in conjunction with SO_REUSEPORT, giving a greater control
over how we bind a socket instead of the round robin workflow, we do
instead attach to the processor id as :
- we assign the processor_id to A in the BPF filter.
- then returns A.
in other words, a more modern version of SO_INCOMING_CPU (ie can have a per
worker notion we do not use here).
Closes #8062
- Remove `k` typo that was accidentally added in a headline separator.
- Remove premature hard break after very short line length.
- Remove dots at the end of constant lists (not used in 8.2).
Add libxml_get_external_entity_loader(), which returns the currently
installed external entity loader, i.e. the value which was passed to
libxml_set_external_entity_loader() or null if no loader was installed
and the default entity loader will be used.
This allows libraries to save and restore the loader, controlling entity
expansion without interfering with the rest of the application.
Add macro Z_PARAM_FUNC_OR_NULL_WITH_ZVAL(). This allows us to get the
zval for a callable parameter without duplicating callable argument
parsing.
The saved zval keeps the object needed for fcc/fci alive, simplifying
memory management.
Fixes #76763.
This function works in exactly the same way as openssl_cipher_iv_length
but for a key length. This is especially useful to make sure that the
right key length is provided to openssl_encrypt and openssl_decrypt.
In addition the change also updates implementation of
openssl_cipher_iv_length and adds a test for it.
* Add Random\Random{Error,Exception} and Random\BrokenRandomEngineError
* Throw BrokenRandomEngineError
* Throw RandomException on seeding failure
* Throw RandomException when CSPRNG fails
* Remove unused include from ext/random/engine_combinedlcg.c
* Remove unused include from ext/random/engine_secure.c
* Remove unused include from ext/random/random.c
* [ci skip] Add ext/random Exception hierarchy to NEWS
* [ci skip] Add the change of Exception for random_(int|bytes) to UPGRADING
This removes the inconsistent and incorrectly working open basedir check
on pattern in glob. It means that an empty array will be returned even
if the whole pattern is outside the open basedir restriction.
This PR changes the glob stream wrapper so it impacts "glob://"
streams as well. The idea is to do a check for each found path instead
of the pattern which was not working correctly.
Implements https://wiki.php.net/rfc/partially-supported-callables-expand-deprecation-notices
so that uses of "self" and "parent" in is_callable() and callable
type constraints now raise a deprecation notice, independent of the
one raised when and if the callable is actually invoked.
A new flag is added to the existing check_flags parameter of
zend_is_callable / zend_is_callable_ex, for use in internal calls
that would otherwise repeat the notice multiple times. In particular,
arguments to internal function calls are checked first based on
arginfo, and then again during ZPP, so the former suppresses the
deprecation notice.
Some existing tests which raised this deprecation have been updated
to avoid the syntax, but the existing version retained for maximum
regression coverage until it is made an error.
With thanks to Juliette Reinders Folmer for the RFC and initial
investigation.
Closes GH-8823.
We add support for creating `VT_ERROR` variants via `__construct()`,
and allow casting to int via `variant_cast()` and `variant_set_type()`.
We do not, however, allow type conversion by other means, to avoid
otherwise easily introduced type confusion. VB(A) also only allows
explicit type conversion.
We also introduce `DISP_E_PARAMNOTFOUND` which might be the most
important `scode` for this purpose, since this allows to skip optional
parameters in method calls.
Closes GH-8886.
In 8b3c1a3, this was disallowed to fix #55856, which was a security
issue caused by the /e modifier. The fix that was made was the
"Easier fix" as described in the original report.
With this fix, pattern strings are no longer treated as null terminated,
so null characters can be placed inside and matched against with regex
patterns without security problems, so there is no longer a reason to
give the error. Allowing this is consistent with the behaviour of many
other languages, including JavaScript, and thanks to PCRE2[0], it does
not require manually escaping null characters. Now that we can avoid the
error here without the cost of escaping characters, there is really no
need anymore to stray here from the conventional behaviour.
Currently, null characters are still disallowed before the first
delimiter and in the options section at the end of a regex string, but
these error messages have been updated.
[0] Since PCRE2, pattern strings no longer have to be null terminated,
and raw null characters match as normal.
Closes GH-8114.
Add zend_ini_parse_quantity() and deprecate zend_atol(), zend_atoi()
zend_atol() and zend_atoi() don't just do number parsing.
They also check for a 'K', 'M', or 'G' at the end of the string,
and multiply the parsed value out accordingly.
Unfortunately, they ignore any other non-numerics between the
numeric component and the last character in the string.
This means that numbers such as the following are both valid
and non-intuitive in their final output.
* "123KMG" is interpreted as "123G" -> 132070244352
* "123G " is interpreted as "123 " -> 123
* "123GB" is interpreted as "123B" -> 123
* "123 I like tacos." is also interpreted as "123." -> 123
Currently, in php-src these functions are used only for parsing ini values.
In this change we deprecate zend_atol(), zend_atoi(), and introduce a new
function with the same behavior, but with the ability to report invalid inputs
to the caller. The function's name also makes the behavior less unexpected:
zend_ini_parse_quantity().
Co-authored-by: Sara Golemon <pollita@php.net>
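The four inputs listed in the commit message above, run through an emulation of the last-byte suffix check next to a strict parser that reports malformed values. This is an added example, not code from php-src: `legacy_quantity()` and `strict_quantity()` are hypothetical names, and the strict rules (decimal digits, at most one K/M/G suffix, nothing else) are an assumption of the example rather than the exact contract of zend_ini_parse_quantity().

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Emulates the legacy behaviour described above (not php-src code): parse the
 * leading integer, then inspect only the LAST byte for a K/M/G multiplier. */
long long legacy_quantity(const char *str)
{
    size_t len = strlen(str);
    long long val = strtoll(str, NULL, 0);

    if (len == 0) {
        return val;
    }
    switch (str[len - 1]) {
    case 'g': case 'G': val *= 1024; /* fall through */
    case 'm': case 'M': val *= 1024; /* fall through */
    case 'k': case 'K': val *= 1024; break;
    default: break;
    }
    return val;
}

/* Hypothetical strict parser: decimal integer, at most one K/M/G suffix, and
 * nothing else. Returns false on malformed input or overflow. */
bool strict_quantity(const char *str, long long *out)
{
    char *end;
    long long val, factor = 1;

    if (!isdigit((unsigned char)str[0]) && str[0] != '-' && str[0] != '+') {
        return false;               /* no leading whitespace or junk */
    }
    errno = 0;
    val = strtoll(str, &end, 10);
    if (end == str || errno == ERANGE) {
        return false;
    }
    switch (*end) {
    case 'g': case 'G': factor = 1024LL * 1024 * 1024; end++; break;
    case 'm': case 'M': factor = 1024LL * 1024; end++; break;
    case 'k': case 'K': factor = 1024LL; end++; break;
    default: break;
    }
    if (*end != '\0') {
        return false;               /* trailing bytes after the suffix */
    }
    if (val > LLONG_MAX / factor || val < LLONG_MIN / factor) {
        return false;               /* multiplication would overflow */
    }
    *out = val * factor;
    return true;
}

int main(void)
{
    /* Constructed inputs: the four from the commit message plus two valid ones. */
    const char *samples[] = { "123KMG", "123G ", "123GB", "123 I like tacos.",
                              "123G", "128M" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long v = 0;
        bool ok = strict_quantity(samples[i], &v);
        printf("%-20s legacy=%lld strict=%s\n", samples[i],
               legacy_quantity(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

For a limit-style ini setting, the difference matters because a value such as "123GB" silently becomes 123 under the legacy rule instead of being flagged.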
Implements initial stage of accepted RFC to remove them:
https://wiki.php.net/rfc/remove_utf8_decode_and_utf8_encode
Tests relating to SOAP and htmlspecialchars seem to have been
using this entirely unnecessarily, so have been fixed.
Closes GH-8726.
Because the UID= and PWD= values are appended to the SQLDriverConnect
case when credentials are passed, we have to append them to the string
in case users are relying on this behaviour. However, they must be
quoted, or the arguments will be invalid (or possibly more injected).
This means users had to quote arguments or append credentials to the raw
connection string themselves.
It seems that ODBC quoting rules are consistent enough (and that
Microsoft trusts them enough to encode into the .NET BCL) that we can
actually check if the string is already quoted (in case a user is
already quoting because of this not being fixed), and if not, apply the
appropriate ODBC quoting rules.
This is because the code exists in main/, and is shared between
both ODBC extensions, so it doesn't make sense for it to only exist
in one or the other. There may be a better spot for it.
Closes GH-8307.
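The check-then-quote step described in the commit message above, as an added example that is not the php-src implementation. It assumes the ODBC convention of wrapping a value in `{...}` and doubling any `}` inside it; the function names, the fixed 256-byte buffers and the sample DSN and credentials are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if s is already a well-formed brace-quoted value: starts with '{',
 * ends with '}', and every '}' inside the body is doubled. */
bool odbc_value_is_quoted(const char *s)
{
    size_t len = strlen(s);

    if (len < 2 || s[0] != '{' || s[len - 1] != '}') {
        return false;
    }
    for (size_t i = 1; i < len - 1; i++) {
        if (s[i] == '}') {
            if (i + 1 < len - 1 && s[i + 1] == '}') {
                i++;                /* escaped pair inside the body */
            } else {
                return false;       /* lone '}' would end the value early */
            }
        }
    }
    return true;
}

/* Copies an already-quoted value unchanged; otherwise wraps it in braces and
 * doubles each '}'. Returns false if out is too small. */
bool odbc_quote_value(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    if (odbc_value_is_quoted(in)) {
        size_t len = strlen(in);
        if (len + 1 > outsz) {
            return false;
        }
        memcpy(out, in, len + 1);
        return true;
    }
    if (outsz < 3) {
        return false;               /* need room for "{}" and the NUL */
    }
    out[o++] = '{';
    for (; *in; in++) {
        size_t need = (*in == '}') ? 2 : 1;
        if (o + need + 2 > outsz) { /* keep room for closing '}' and NUL */
            return false;
        }
        if (*in == '}') {
            out[o++] = '}';
        }
        out[o++] = *in;
    }
    out[o++] = '}';
    out[o] = '\0';
    return true;
}

/* Appends UID= and PWD= to a connection string with both values quoted. */
bool odbc_append_credentials(const char *dsn, const char *uid, const char *pwd,
                             char *out, size_t outsz)
{
    char quid[256], qpwd[256];
    int n;

    if (!odbc_quote_value(uid, quid, sizeof quid) ||
        !odbc_quote_value(pwd, qpwd, sizeof qpwd)) {
        return false;
    }
    n = snprintf(out, outsz, "%s;UID=%s;PWD=%s", dsn, quid, qpwd);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    char buf[512];
    /* Constructed credentials: the password contains ';' and '}'. */
    if (odbc_append_credentials("DSN=mydsn", "app", "s3;cr}et", buf, sizeof buf)) {
        puts(buf);
    }
    return 0;
}
```

Without the braces, the `;` in the sample password would terminate the PWD attribute and the remainder would be parsed as a further attribute.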
This allows users to use PECL/zip, which is well maintained and often
brings new features which are not yet available in ext/zip, as drop-in
replacement for the official Windows php-src builds.
Closes GH-8549.
`CURLOPT_XFERINFOFUNCTION` is available as of cURL 7.32.0, and
supersedes `CURLOPT_PROGRESSFUNCTION` which is still supported by
latest cURL, though.
Closes GH-7823.
There are many use-cases where a PHP user is currently using sodium_compat's implementation of this low-level XChaCha20 API. For example, multi-part message processing (in low-memory settings) for a ciphertext that was encrypted with XChaCha20-Poly1305 (rather than the secretstream API).
Adding this function to ext/sodium offers better performance and lowers users' memory usage with the polyfill, and ensures that users coming from other languages that provide libsodium bindings have a more consistent experience with our bindings. This is a win-win.
This patch follows the libsodium precedent of adding functions instead of optional parameters to existing functions. The parameter order is also consistent with the C API.
https://doc.libsodium.org/advanced/stream_ciphers/xchacha20#usage
Closes GH-8276.
As it is now, `IntlTimeZone`, `IntlCalendar` and `IntlDateFormatter`
and some other intl class instances can be serialized, but the
representation is meaningless, and unserialization yields uninitialized/
unusable objects. To prevent users from noticing this too late, we deny
serialization of such objects in the first place.
Closes GH-7945.
See #80828 and the internals@ mailing list discussion at
https://externals.io/message/116543
Use libavifinfo's AvifInfoGetFeaturesStream() in php_handle_avif() to
get the width, height, bit depth and channel count from an AVIF
payload. Implement stream reading/skipping functions and data struct.
Use libavifinfo's AvifInfoIdentifyStream() in php_is_image_avif().
Update the expected features read from "test1pix.avif" in
getimagesize.phpt.
Closes GH-7711.
Most notably, this affects some Windows specific error messages, which
are no longer in the default language of the system, to better match
error messages provided by PHP which are not localized anyway.
This also affects the com_dotnet extension, where it could fix some
DCOM related issues. Furthermore, the constant `LOCALE_NEUTRAL` is
added, which can be used for `variant_cmp()`.
Closes GH-7613.
The purpose of mbstring is for working with Unicode and legacy text
encodings; but Base64, QPrint, etc. are not text encodings and don't
really belong in mbstring. PHP already contains separate implementations
of Base64, QPrint, and HTML entities. It will be better to eventually
remove these non-encodings from mbstring.
Regarding HTML entities... there is a bit more to say. mbstring's
implementation of HTML entities is different from the other built-in
implementation (htmlspecialchars and htmlentities). Those functions
convert <, >, and & to HTML entities, but mbstring does not.
It appears that the original author of mbstring intended for something
to be done with <, >, and &. He used a table to identify which
characters should be converted to HTML entities, and </>/& all have a
special value in that table. However, nothing ever checks for that
special value, so the characters are passed through unconverted.
This seems like a very useless implementation of HTML entities. The most
important characters which need to be expressed as entities in HTML
documents are those three!
This deprecates all callables that are accepted by
call_user_func($callable) but not by $callable(). In particular:
"self::method"
"parent::method"
"static::method"
["self", "method"]
["parent", "method"]
["static", "method"]
["Foo", "Bar::method"]
[new Foo, "Bar::method"]
RFC: https://wiki.php.net/rfc/deprecate_partially_supported_callables
Closes GH-7446.
Since Curl 7.72.0, it supports a new parameter
called `CURLINFO_EFFECTIVE_METHOD`, which returns the effective method
in HTTP(s) requests. This is similar to `CURLINFO_EFFECTIVE_URL`.
- https://curl.se/libcurl/c/CURLINFO_EFFECTIVE_METHOD.html
This adds support for CURLINFO_EFFECTIVE_URL if ext/curl is built
with libcurl >= 7.72.0 (0x074800).
Closes GH-7595.
public function clearError(): void {}
public function getStreamIndex(int $index, int $flags = 0) {}
public function getStreamName(string $name, int $flags = 0) {}
ZipArchive::getStream is kept for BC
See https://github.com/pierrejoye/php_zip/issues/20
This reverts commit ac34648cf6.
As pointed out on GH-6783, the new format doesn't match any of
the specified formats. Previously the constant generated
Thursday, 14-Jul-2005 22:30:41 BST
which is obsolete. Now it generates
Thu, 14-Jul-2005 22:30:41 BST
which is not specified at all. The correct version would be:
Thu, 14 Jul 2005 22:30:41 BST
Reverting the change for now.
Switch default cipher for openssl_pkcs7_encrypt() and
openssl_cms_encrypt() from RC2-40 to AES-128-CBC.
The RC2-40 cipher is considered insecure and is not loaded by
default in OpenSSL 3, which means that these functions will
always fail with default arguments.
As the used algorithm is embedded in the result (which makes this
different from the openssl_encrypt() case) changing the default
algorithm should be safe.
Closes GH-7357.
Propagating lossless conversion from libgd to our bundled gd.
Changing "quantization" to "quality" as in libgd.
Adding test.
IMG_WEBP_LOSSLESS is only defined, if lossless WebP encoding is
supported by the libgd used.
Closes GH-7348.
All other private keys are exported in PKCS#8 format, while EC
keys use traditional format. Switch them to use PKCS#8 format as
well.
As the OpenSSL docs say:
> PEM_write_bio_PrivateKey_traditional() writes out a private key
> in the "traditional" format with a simple private key marker and
> should only be used for compatibility with legacy programs.
Add support for readonly properties, for which only a single
initializing assignment from the declaring scope is allowed.
RFC: https://wiki.php.net/rfc/readonly_properties_v2
Closes GH-7089.
Deprecate automatically converting "false" into an empty array
on write operands. Autovivification continues to be supported
for "null" values, as well as undefined/uninitialized values.
RFC: https://wiki.php.net/rfc/autovivification_false
Closes GH-7131.
Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Support acquiring a Closure to a callable using the syntax
func(...), $obj->method(...), etc. This is essentially a
shortcut for Closure::fromCallable().
RFC: https://wiki.php.net/rfc/first_class_callable_syntax
Closes GH-7019.
Co-Authored-By: Nikita Popov <nikita.ppv@gmail.com>
These are deprecated in favor of date()/DateTime::format() (for
locale-independent formatting) and IntlDateFormatter::format()
(for locale-dependent formatting).
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Use ssl stream context options instead. The direct
equivalent would be crypto_method, but min_proto_version /
max_proto_version are recommended instead.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Add support for new expressions inside parameter default values,
static variable initializers, global constant initializers and
attribute arguments.
RFC: https://wiki.php.net/rfc/new_in_initializers
Closes GH-7153.
There's a subtlety here regarding filter.default_flags. The RFC
stated that no separate deprecation warning will be emitted for
it, on the premise that it is only meaningful if filter.default
is set. However, it turns out that even FILTER_UNSAFE_RAW (which
is the "no-op filter") can be combined with stripping flags.
However, this is compensated by the fact that this doesn't actually
work when setting filter.default=unsafe_raw and non-default
filter.default_flags -- the flags are simply ignored in that case.
So everything works out in the end.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
The DB connection should be provided in all cases as the first argument.
The overloaded function signatures will be removed in the future.
Warn about this change.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Static trait members may only be accessed through a class in which
the trait is used, not directly on the trait.
A complication here is that we should not store static
methods/properties for which a deprecation is triggered in a
cache slot. As the check for this is simple and cheap, I'm handling
this in the cache slot population code in the VM. The alternative
would be to pass the cache slot down into the fetching code.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
Deprecate mhash(), mhash_keygen_s2k(), mhash_count(),
mhash_get_block_size() and mhash_get_hash_name() in favor of the
normal hash_*() functions.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
With this patch, it is no longer required to call
`ReflectionProperty#setAccessible()` or
`ReflectionMethod#setAccessible()` with `true`.
If a userland consumer already got to the point of accessing
object/class information via reflection, it makes little sense
for `ext/reflection` to disallow accessing `private`/`protected`
symbols by default.
After this patch, calling `ReflectionProperty#setAccessible(true)`
or `ReflectionMethod#setAccessible(true)` on newly instantiated
`ReflectionProperty` or `ReflectionMethod` respectively will have
no effect.
RFC: https://wiki.php.net/rfc/make-reflection-setaccessible-no-op
Closes GH-5412.
Adds support for the following options beginning with version 7.71.0:
CURLOPT_ISSUERCERT_BLOB
CURLOPT_PROXY_ISSUERCERT
CURLOPT_PROXY_ISSUERCERT_BLOB
CURLOPT_PROXY_SSLCERT_BLOB
CURLOPT_PROXY_SSLKEY_BLOB
CURLOPT_SSLCERT_BLOB
CURLOPT_SSLKEY_BLOB
Closes GH-7194.
Currently, argument unpacking and named arguments cannot be mixed
at all. This relaxes the restriction to allow
foo(...$args, named: $arg). The variant foo(named: $arg, ...$args)
is still forbidden, because we can't ensure that positional
parameters come before named parameters in that case (without more
intrusive changes). Effectively this just enforces a required style,
as the order of unpack and named args doesn't matter for the cases
where both could be well-defined.
ML discussion: https://externals.io/message/114589
Closes GH-7009.
* phpdbg-no-remote:
The remote functionality is not being used. It significantly complicates current code and makes it harder to add new features.
This commit drops all remote related functionality.