* PHP-8.4:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.3:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
Since the ini message handlers already check for basedir, we need to
drop the basedir check from ini_set. Then we also fix the exceptional
case for the empty string: it should bypass the basedir check.
Furthermore, there was a regression introduced with the error_log
"syslog" check in ddfe269a (inverted check), so we fix that as well.
Closes GH-19487
* uri/standard: Move the `parse_url()` URI parser into ext/uri/
Making ext/standard depend on ext/uri/ is a bit iffy (given that it is called
*standard*) and having the parser implementation in ext/uri/ makes it easier to
find and keep in sync.
* uri: Mark local pointers as `const` in uri_parser_php_parse_url.c
* uri: Remove useless explicit cast from void in uri_parser_php_parse_url.c
* uri: Properly prefix symbols in uri_parser_php_parse_url.[ch]
* uri: Remove useless `throw_invalid_uri_exception()` helper in uri_parser_php_parse_url.c
This is modelled similarly to the password registry API.
We have an array to which new handlers can be added, and when a built-in
handler cannot handle the image, we try the handlers in the array.
The standard module is in control of registering a new constant for the
image file type so that no clashes can occur. It also updates the image
file type count constant. As such, the registration may only happen
during module startup.
Instead of using lookup tables, we can use a combination of shifts and
byte swapping to achieve the same thing in less cycles and with less
code.
Benchmark files
---------------
pack1.php:
```php
for ($i = 0; $i < 10_000_000; ++$i) {
pack("J", 0x7FFFFFFFFFFFFFFF);
}
```
pack2.php:
```php
for ($i = 0; $i < 4000000; ++$i) {
pack("nvc*", 0x1234, 0x5678, 65, 66);
}
```
On an i7-4790:
```
Benchmark 1: ./sapi/cli/php pack1.php
Time (mean ± σ): 408.8 ms ± 3.4 ms [User: 406.1 ms, System: 1.6 ms]
Range (min … max): 403.6 ms … 413.6 ms 10 runs
Benchmark 2: ./sapi/cli/php_old pack1.php
Time (mean ± σ): 451.7 ms ± 7.7 ms [User: 448.5 ms, System: 2.0 ms]
Range (min … max): 442.8 ms … 461.2 ms 10 runs
Summary
./sapi/cli/php pack1.php ran
1.11 ± 0.02 times faster than ./sapi/cli/php_old pack1.php
Benchmark 1: ./sapi/cli/php pack2.php
Time (mean ± σ): 239.3 ms ± 6.0 ms [User: 236.2 ms, System: 2.3 ms]
Range (min … max): 233.2 ms … 256.8 ms 12 runs
Benchmark 2: ./sapi/cli/php_old pack2.php
Time (mean ± σ): 271.9 ms ± 3.3 ms [User: 269.7 ms, System: 1.3 ms]
Range (min … max): 267.4 ms … 279.0 ms 11 runs
Summary
./sapi/cli/php pack2.php ran
1.14 ± 0.03 times faster than ./sapi/cli/php_old pack2.php
```
On an i7-1185G7:
```
Benchmark 1: ./sapi/cli/php pack1.php
Time (mean ± σ): 263.7 ms ± 1.8 ms [User: 262.6 ms, System: 0.9 ms]
Range (min … max): 261.5 ms … 268.2 ms 11 runs
Benchmark 2: ./sapi/cli/php_old pack1.php
Time (mean ± σ): 303.3 ms ± 6.5 ms [User: 300.7 ms, System: 2.3 ms]
Range (min … max): 297.4 ms … 318.1 ms 10 runs
Summary
./sapi/cli/php pack1.php ran
1.15 ± 0.03 times faster than ./sapi/cli/php_old pack1.php
Benchmark 1: ./sapi/cli/php pack2.php
Time (mean ± σ): 156.7 ms ± 2.9 ms [User: 154.7 ms, System: 1.7 ms]
Range (min … max): 151.6 ms … 164.7 ms 19 runs
Benchmark 2: ./sapi/cli/php_old pack2.php
Time (mean ± σ): 174.6 ms ± 3.3 ms [User: 171.9 ms, System: 2.3 ms]
Range (min … max): 170.7 ms … 180.4 ms 17 runs
Summary
./sapi/cli/php pack2.php ran
1.11 ± 0.03 times faster than ./sapi/cli/php_old pack2.php
```
Closes GH-18524.
Co-authored-by: divinity76 <divinity76@gmail.com>
* Move glob to main/ from win32/
In preparation to make the Win32 reimplementation the standard
cross-platform one. Currently, it doesn't do that and just passes
through the original glob implementation. We could consider also having
an option to use the standard glob for systems that have a sufficient
one.
* Enable building with win32 glob on non-windows
Kind of broken. We're namespacing the function and struct, but not yet
the GLOB_* defines. There are a lot of places callers check if i.e.
NOMATCH is defined that would likely become redundant.
Currently it also has php_glob and #defines glob php_glob (etc.) - I
suspect doing the opposite and changing the callers would make more
sense, just doing MVP to geet it to build (even if it fails tests).
* Massive first pass at conversion to internal glob
Have not tested yet. the big things are:
- Should be invisible to userland PHP code.
- A lot of :%s/GLOB_/PHP_GLOB_/g; the diff can be noisy as a result,
especially in comments.
- Prefixes everything with PHP_ to avoid conflicts with system glob in
case it gets included transitively.
- A lot of weird shared definitions that were sprawled out to other
headers are now included in php_glob.h.
- A lot of (but not yet all cases) of HAVE_GLOB are removed, since we
can always fall back to php_glob.
- Using the system glob is not wired up yet; it'll need more shim
ifdefs for each flag type than just glob_t/glob/globfree defs.
* Fix inclusion of GLOB_ONLYDIR
This is a GNU extension, but we don't need to implement it, as the GNU
implementation is flawed enough that callers have to manually filter it
anyways; just provide a stub definition for the constant.
We could consideer implementing this properly later. For now, fixes the
basic glob constant tests.
* Remove HAVE_GLOBs
We now always have a glob implementation that works. HAVE_GLOB should
only be used to check if we have a system implementation, for if we
decide to wrap the system implementation instead.
* We don't need to care about being POSIXly correct for internal glob
* Check for reallocarray
Ideally temporary until GH-17433.
* Forgot to move this file from win32/ to main/
* Check for issetugid (BSD function)
* Allow using the system glob with --enable-system-glob
* Style fix after removing ifdef
* Remove empty case for system glob
This resets all basic globals during ctor and just modifies the ones
with a special value. It also switches to using basic_globals_p which
what should be used in this context.
Closes GH-18156
Sending to a TCP/IP address is not an option anymore, and it hasn't been since
before the file was created in this repo in 1999 (257de2b). Based on
php/doc-en@d522d135a1 it appears that this
feature was part of PHP 3 and removed before PHP 4. I tried to track down the
original code to find when it was actually removed but wasn't able to find a
PHP 3 repository.
