This changes default for fastcgi.script_path_encoded INI to have
default behavior without a BC break. There has been already issue
about this in RC so it is very likely that it could have much bigger
impact so it's better to be safe.
* main: Ignore `register_argc_argv` when `SG(request_info).argc` is available
* sapi: Remove hardcoded `register_argc_argv` for CLI SAPIs
This INI is ignored since the previous commit, which makes the hardcoded
setting obsolete.
* main: Deprecate deriving $_SERVER['argc'] and $_SERVER['argv'] from the query string
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_the_register_argc_argv_ini_directive
* main: Adjust deprecation message for `register_argc_argv`
* NEWS/UPGRADING
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#remove_disable_classes_ini_setting
This took longer to merge than expected but the initial motivation from 2 years ago still applied:
As described in the email to the PHP internals list [1] this feature is fundamentally broken and pointless.
Only internal classes can be disable which brings the following observation. On a minimal build of PHP, with only the mandatory extensions enabled, there are 148 classes/interfaces/traits defined. [2]
Other than the SPL ones (and even then), disabling any of these classes will cause issues within the engine.
Moreover, the SPL ones are not a security concern.
Therefore, any other class that can be disabled must come from an extension that can be disabled altogether. And "disabling" a class from an extension without disabling said extension will render it useless anyway.
If a hosting provided is concerned about an extension, then it should not enable it in the first place. Not break it ad hoc.
Considering the above, I cannot see how this functionality was ever useful.
This is in stark contrast to the disable_functions INI setting, which can be used to selectively remove functionality of an extension without breaking it overall.
What makes this setting particularly broken is that it does not unregister the class, it only overwrites the create CE handler to emit a warning and purge the properties and function hashtables. This leads to various use after free, segfaults, and broken expectations for the engine and extensions which define said classes. On top of that, it is possible to actually instantiate such a class (and even classes which actually disallow this like ext/imap) in userland, and pass it to function that are typed against said class without raising a TypeError. However, when trying to do anything with said object stuff is going to explode in countless ways.
[1] https://news-web.php.net/php.internals/120896
[2] https://gist.github.com/Girgias/63d55ba1e50b580412b004046daed02b
This removes the --enable-opcache/--disable-opcache configure switch. OPcache
is now always builtin. The default value of opcache.enable and
opcache.enable_cli is unchanged.
RFC: https://wiki.php.net/rfc/make_opcache_required
Closes GH-18961.
Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
This changes make FPM always decode SCRIPT_FILENAME when Apache
ProxyPass or ProxyPassMatch is used. It also introduces a new INI
option fastcgi.script_path_encoded that allows using the previous
behavior of not decoding the path. The INI is introduced because
there is a chance that some users could use encoded file paths in
their file system as a workaround for the previous behavior.
Close GH-17896
A follow-up of 9ee9c0e674.
The mbstring extension is added as ZEND_MOD_OPTIONAL dependency at
runtime, so INI directives configuration order here is no longer
relevant and can be done in any way.
Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.
OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors
continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached
EOL in 2018.
Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of
conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.
- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)
RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum OpenSSL version.
[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev
* Remove ext/imap — it has been moved to PECL
https://pecl.php.net/package/imap
* Remove files related to IMAP
* Remove IMAP CI files and set up
* Also disable IMAP on Circle CI
* Update CREDITS file
* Remove IMAP entry from CODEOWNERS
* Revert "Remove files related to IMAP"
This reverts commit a05ffd6c97.
* Mark IMAP is being removed
* Revert "Remove IMAP CI files and set up"
This reverts commit 82e5ba9910.
* Revert "Also disable IMAP on Circle CI"
This reverts commit e83827b0b2.
* Don't try to build imap extension with CI
* Restore test setup files
* Remove mention of imap in labeler, EXTENSIONS, and sample php.ini files
This feature has been broken at least since the tracing JIT and inheritance
cache have been introduced. The attempted fix (GH-10798) was too complex. We
have thus decided to remove this feature for now.
Closes GH-11832
There are only very narrow circumstances under which this option has
been reported to provide 1% performance gain due to reduction of TLB
misses. In many setups, this option only increases memory usage, and
will actually decrease performance. To avoid this, let's leave it
disabled by default, and let it be an explicit decision to enable it.
For a discussion, see https://github.com/php/php-src/pull/10301
Closes GH-10336
When this INI option is enabled, it reverts the line separator for
headers and message to LF which was a non conformant behavior in PHP 7.
It is done because some non conformant MTAs fail to parse CRLF line
separator for headers and body.
This is used for mail and mb_send_mail functions.
This is a re-application of the original match against master.
The patch was originally applied to master, then reverted from
there, incorrectly applied to PHP-8.0, reverted from there due
to ABI break, and now lands on master again. We can only hope
that it does not get reverted again ;)
