| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
openssl_pkey_new() fetches various options from the config file --
most of these are optional, and not specifying them is not an error
condition from the perspective of the user. Unfortunately, the
CONF_get_string() API pushes an error when accessing a key that
doesn't exist (_CONF_get_string does not, but that is presumably a
private API). This commit adds a helper php_openssl_conf_get_string()
that automatically clears the error in this case. I've found that
OpenSSL occasionally does the same thing internally:
https://github.com/openssl/openssl/blob/22040fb790c854cefb04bed98ed38ea6357daf83/apps/req.c#L515-L517
Closes GH-6699.
|
|
|
|
| |
If RSA key generation fails, actually report that failure.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to first clean the symtable and then check whether a cache
slot is available for it. Otherwise, it may happen that a destructor
runs while cleaning the table and uses up all the remaining slots
in the cache.
This is particularly insidious because once we overflow the cache,
the first pointer we modify is symtable_cache_ptr, making it hard
to understand what happened after the fact.
Fixes oss-fuzz #30815.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PAM service requires the terminating null to be part
of the communication.
Tested with MariaDB-10.4(pam) and Percona Server 5.7.32(auth_pam_compat).
Also changed MySQL Enterprise test to the server side plugin, authentication_pam
as opposed to the client plugin mysql_clear_password.
Add additional check for pamtest user and pam service file as
all are required for the test.
More importantly, test result should actually succeed.
Thanks Geoff Montee for bug report.
Closes GH-78680.
|
|
|
|
|
|
|
|
| |
We need to always destroy current, not just when iter.data is not
set.
Take this opportunity to clean up the iterator destructor code a
bit, to remove redundant checks and incorrect comments.
|
| |
|
|
|
|
| |
This breaks the build for PHP 8 by default.
|
|
|
|
|
|
|
|
|
| |
Version numbers are not supposed to be localized, so we must not apply
locale dependent parsing with `atof()`.
Using `php_version_compare()` might even be better.
Closes GH-6668.
|
|
|
|
|
|
|
|
| |
We need to handle the case where a CRLF after a Bcc header is not the
beginning of a folding marker, because in that case the Bcc header was
not the last "thing".
Closes GH-6666.
|
| |
|
|
|
|
|
|
|
|
| |
We must not use the locale dependent `atof()`, but instead use the
(hopefully) locale independent `zend_strtod()`, when converting string
representations of floating point numbers which are sent by the server.
Closes GH-6665.
|
|
|
|
|
|
|
| |
SIGTERM is subject to HANDLE_BLOCK_INTERRUPTIONS(), which will
allow code to exit critical sections before it gets terminated.
Closes GH-6493.
|
|\
| |
| |
| |
| | |
* PHP-7.3:
Fix newly introduced compiler warning
|
| |
| |
| |
| | |
(cherry picked from commit ab8177de2c89672e63a7a1ccef4df8f7bf34fbd2)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When Phars are flushed, a new temporary file is created for each entry
which should be compressed, and the `compressed_filesize` is retrieved.
Afterwards, the Phar manifest is written, and only after that the files
are copied to the actual Phar. So for each such entry there is an open
temp file, what easily exceeds the limit.
Therefore, we use a single temporary file for all entries, and store
the start offset in the otherwise unused `header_offset` member. We
ensure that the `cfp` members are properly set to NULL even if flushing
fails, to avoid use after free scenarios.
This solution is based on a suggestion by @lserni[1].
Closes GH-6643.
[1] <https://github.com/box-project/box2/issues/80#issuecomment-77147371>
|
|\ \
| |/
| |
| |
| | |
* PHP-7.3:
7.3.28 is next
|
| | |
|
| |
| |
| |
| | |
Closes GH-6636.
|
| |
| |
| |
| | |
As pointed out on GH-6456.
|
| |
| |
| |
| |
| |
| | |
Move the load_wsdl_ex call into the zend_try that destroys the
docs hash table. The wsdl will be inserted into docs early on,
and will thus be released on subsequent bailout.
|
|\ \
| |/
| |
| |
| | |
* PHP-7.3:
Revert "Updated to version 2021.1 (2021a)"
|
| |
| |
| |
| |
| | |
This reverts commit 491488d21707062fa8e9b9187db3585fb0d347da, since
PHP-7.3 is in security mode, and this does not look security related.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We remove the arbitrary restriction to `INT_MAX`; it is superfluous on
32bit systems where `ZEND_LONG_MAX == INT_MAX` anyway, and not useful
on 64bit systems, where larger files should be readable, if the
`memory_limit` is large enough.
Closes GH-6648.
|
| |
| |
| |
| | |
Now requires PHP 7.4, so use php7.4 to run composer everywhere.
|
| | |
|
|\ \
| |/
| |
| |
| | |
* PHP-7.3:
Fix bug #80672 - Null Dereference in SoapClient
|
| | |
|
| | |
|
| | |
|
|\ \
| |/
| |
| |
| | |
* PHP-7.3:
Rm unneeded function
|
| | |
|
|\ \
| |/
| |
| |
| | |
* PHP-7.3:
Alternative fix for bug 77423
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That bug report originally was about `parse_url()` misbehaving, but the
security aspect was actually only regarding `FILTER_VALIDATE_URL`.
Since the changes to `parse_url_ex()` apparently affect userland code
which is relying on the sloppy URL parsing[1], this alternative
restores the old parsing behavior, but ensures that the userinfo is
checked for correctness for `FILTER_VALIDATE_URL`.
[1] <https://github.com/php/php-src/commit/5174de7cd33c3d4fa591c9c93859ff9989b07e8c#commitcomment-45967652>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The default encoding of filenames in a ZIP archive is IBM Code Page
437. Phar, however, only supports UTF-8 filenames. Therefore we have
to mark filenames as being stored in UTF-8 by setting the general
purpose bit 11 (the language encoding flag).
The effect of not setting this bit for non ASCII filenames can be seen
in popular tools like 7-Zip and UnZip, but not when extracting the
archives via ext/phar (which is agnostic to the filename encoding), or
via ext/zip (which guesses the encoding). Thus we add a somewhat
brittle low-level test case.
Closes GH-6630.
|
| |
| |
| |
| | |
That appears to have been forgotten for a while.
|
| |
| |
| |
| |
| |
| | |
We add the failure reason to the error message.
Closes GH-6638.
|
| | |
|
|\ \
| |/ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Instead of checking for actually affected libzip versions, we now always
`ZIP_TRUNCATE` empty files unless `ZIP_RDONLY` is set.
Closes GH-6625.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check open_basedir after the fallback to the system's temporary
directory in tempnam().
In order to preserve the current behavior of upload_tmp_dir
(do not check explicitly specified dir, but check fallback),
new flags are added to check open_basedir for explicit dir
and for fallback.
Closes GH-6526.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When extracting compressed files from an uncompressed Phar, we must not
use the direct file pointer, but rather get an uncompressed file
pointer.
We also add a test to show that deflated and stored entries are
properly extracted.
This also fixes #79912, which appears to be a duplicate of #69279.
Co-authored-by: Anna Filina <afilina@gmail.com>
Closes GH-6599.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is mainly to work around https://github.com/curl/curl/issues/6455,
but not building the mime structure for empty hashtables is a general
performance optimization, so we do not restrict it to affected cURL
versions (7.56.0 to 7.75.0).
The minor change to bug79033.phpt is unexpected, but should not matter
in practice.
Closes GH-6606.
|