Don't automatically convert literal string keys to integers on
array access, as we may be dealing with an ArrayAccess object,
rather than a plain array.
The upgrade to PCRE2 should mostly be transparent to existing code, but
apparently there are some minor differences, which warrant a note in
UPGRADING (and consequently, in the migration guide).
In PHP static properties are shared between inheriting classes,
unless they are explicitly overwritten. However, because this
functionality was implemented using reference, it was possible
to break the implementation by reassigning the static property
reference.
This is fixed by switching the implementation from using references
to using INDIRECTs, which cannot be affected by userland code.
The sole purpose of `PHPDBG_FILE`, `PHPDBG_METHOD`, `PHPDBG_LINENO` and
`PHPDBG_FUNC` has been to be passed as first argument to `phpdbg_break`.
However, this functions is replaced as of PHP 5.6.3 by
`phpdbg_break_file`, `phpdbg_break_method` and 'phpdbg_break_func`,
respectively. Therefore, we're finally removing the useless constants.
- m4 and Windows configure scripts now forces Argon2 reference library version >= 20161029
- Implementation tested against 20161029 and 20171227 for Argon2id support
- Updates Argon2 ext/standard/password/tests to run tests for both Argon2i and Argon2id
I've introduced a new CompileError type, from which ParseError
inherits. These errors are not parse errors in the narrow sense
of the term, even though they happen to be generated during
parsing in our implementation. Additionally reusing the ParseError
class for this purpose would change existing error messages (if
the exception is not caught) from a "Fatal error:" to a "Parse
error:" prefix, and also the error kind from E_COMPILE_ERROR to
E_PARSE.
According to https://wiki.php.net/rfc/image2wbmp, we deprecate
`image2wbmp()`, rename the `$threshold` parameter to `$foreground`, and
remove superfluous code.
RFC: https://wiki.php.net/rfc/flexible_heredoc_nowdoc_syntaxes
* The ending label no longer has to be followed by a semicolon or
newline. Any non-label character is fine.
* The ending label may be indented. The indentation will be stripped
from all lines in the heredoc/nowdoc string.
Lexing of heredoc strings performs a scan-ahead to determine the
indentation of the ending label, so that the correct amount of
indentation can be removed when calculting the semantic values for
use by the parser. This makes the implementation quite a bit more
complicated than we would like :/
A set of hard-coded thousand separator characters (presently, `',.`) is
somewhat limited (users may prefer other separators, such as spaces or
underscores), as well as somewhat too liberal (arbitrary combinations
of different thousand separators are presently possible). Therefore we
introduce a `thousand` option analogous to `decimal`, which allows to
define the desired thousand separators as non-empty string, defaulting
to `',.`. While we easily could support empty strings here as well,
that would not make much sense, since this behavior can more easily be
accomplished by not setting the `FILTER_FLAG_ALLOW_THOUSAND` flag in
the first place.
The existence of the following functions is now guaranteed:
* curl_escape()
* curl_unescape()
* curl_multi_setopt()
libcurl 7.15.5 has been released 11.5 years ago and is available
even in RHEL 5.
This reverts commit c3717d9aec.
The final mitigation of the consequences with spectre should be
discussed more also with the regard to the happenings on the
developments. Right now a preliminary mitigation might be wrong or
suboptimal, thus reverting this.
The recently discovered security flaw Spectre requires a high resolution
timer. To the today's knowledge, PHP can't be used to create an attack for
this flaw. Still some concerns were raised, that there might be impact in
shared hosting environments. This patch adds a possibility to reduce the
timer resolution by an ini setting, thus giving administrators full
control. Especially, as the flaw was also demonstrated by an abuse of
the JS engine in a browser, Firefox reduced several time sources to 20us.
Any programming language, that doesn't compile to JIT, won't be able to
produce an attack vector for Meltdown and Spectre, at least by todays
knowledge. There are also other factors that say that the security
concern on the hrtime feature is to the big part not justified, still we
aim JIT in the future. Thus, adding a possibility to control the timer
resolution is a good and small enough tradeoff for safety and future.
convert_scalar_to_number() will now call cast_object() with an
_IS_NUMBER argument, in which case the cast handler should return
either an integer or floating point number, whichever is more
appropriate.
Previously convert_scalar_to_number() unconditionally converted
objects to integers instead.
Fixes bug #53033.
Fixes bug #54973.
Fixes bug #73108.
The existence of the following functions is now guaranteed:
* curl_reset()
* curl_strerror()
* curl_multi_strerror()
* curl_share_strerror()
libcurl 7.12.1 has been released more than 13 years ago and is
available even in RHEL 4.
