php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-22 07:28:09 +02:00
Code Issues Packages Projects Releases Wiki Activity
123,504 Commits 549 Branches 1,485 Tags
716de0cff539f46294ef70fe75d548cd66766370
Commit Graph

123504 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jakub Zelenka 716de0cff5 Introduce max_multipart_body_parts INI 
This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
parsed multipart body parts as currently all parts were always parsed.
 2023-02-14 10:21:23 +00:00
Jakub Zelenka e45850c195 Fix repeated warning for file uploads limit exceeding 2023-02-14 10:21:07 +00:00
Stanislav Malyshev b5ccaaf613 Update NEWS 2023-02-12 21:04:31 -07:00
Niels Dossche ec10b28d64 Fix array overrun when appending slash to paths 
Fix it by extending the array sizes by one character. As the input is
limited to the maximum path length, there will always be place to append
the slash. As the php_check_specific_open_basedir() simply uses the
strings to compare against each other, no new failures related to too
long paths are introduced.
We'll let the DOM and XML case handle a potentially too long path in the
library code.
 2023-02-12 20:56:19 -07:00
Stanislav Malyshev af2ddc6426 Update NEWS 2023-02-12 20:53:06 -07:00
Tim Düsterhus a92acbad87 crypt: Fix possible buffer overread in php_crypt() 2023-02-12 20:46:51 -07:00
Tim Düsterhus c840f71524 crypt: Fix validation of malformed BCrypt hashes 
PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.

Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.

The PHP Hack exists since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02.

No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.
 2023-02-12 20:46:44 -07:00
Gabriel Caruso 255e08ac56 Revert "Make build work with newer OpenSSL" 
This reverts commit 5f90134bb6.
 2023-01-03 13:00:44 -03:00
Gabriel Caruso c2737b40d7 [ci skip] Next release will be 8.0.28 2023-01-03 11:39:21 -03:00
Gabriel Caruso 4ce48e9a39 [ci skip] Prepare for PHP 8.0.27 GA 2023-01-03 11:36:20 -03:00
Christoph M. Becker cf5dac07d2 Skip newly added test on 32bit platforms 
That bug didn't affect 32bit platforms, and besides, it is rather
unlikely that allocating a 2GB string works on such platforms.
 2022-12-19 16:04:29 +01:00
Stanislav Malyshev 05c35137cd Add NEWS 2022-12-18 23:24:53 -07:00
Stanislav Malyshev 5f90134bb6 Make build work with newer OpenSSL 2022-12-18 22:52:30 -07:00
Christoph M. Becker 921b6813da Fix #81740: PDO::quote() may return unquoted string 
`sqlite3_snprintf()` expects its first parameter to be `int`; we need
to avoid overflow.
 2022-12-18 22:41:43 -07:00
Petr Sumbera 72da2b02e2 php-fpm: fix Solaris port events.mechanism 
Closes GH-9959.
 2022-11-22 18:01:15 +00:00
George Wang 4bdfce6c1a Use __atomic_xxxx() instead of __sync_xxxx() for lsapi. 2022-11-20 19:30:07 -05:00
Ilija Tovilo cdc0a8b06b Add wordpress to community build 
Closes GH-9942
 2022-11-17 11:33:19 +01:00
Jakub Zelenka db2d32f476 Introduce TEST_FPM_EXTENSION_DIR for FPM tests with shared extensions 2022-11-13 19:04:43 +00:00
Ilija Tovilo da54664186 [skip ci] Skip function JIT in nightly for ASAN 
This avoids the 6h timeout.
 2022-11-11 19:57:00 +01:00
Sara Golemon ac508301c9 Bump for 8.0.27 2022-11-08 22:10:29 +00:00
Christoph M. Becker 4c35d6440b Don't skip test on Windows due to missing ext/posix 
ext/posix is not available on Windows, but there is no need to check
for root (i.e. elevated privileges) on this platform, either.

Closes GH-9886.
 2022-11-07 15:01:25 +01:00
Arnaud Le Blanc 1d67e34c49 [ci skip] NEWS 2022-11-04 15:58:07 +01:00
Arnaud Le Blanc 5d1f3e047c Fix generator memory leaks when interrupted during argument evaluation (#9756) 2022-11-04 15:55:55 +01:00
Ilija Tovilo 75970077b0 Migrate i386 to GitHub actions 
Closes GH-9856
 2022-11-03 14:34:54 +01:00
Christoph M. Becker d1c9ff5642 Fix potential NULL pointer dereference Windows shm*() functions 
`shm_get()` (not to be confused with `shmget()`) returns `NULL` if
reallocation fails; we need to cater to that when calling the function.

Closes GH-9872.
 2022-11-02 14:51:59 +01:00
Derick Rethans 2b5bed904e Updated to version 2022.6 (2022f) 2022-11-02 09:43:37 +00:00
Derick Rethans 4f2955c179 Merge branch 'PHP-7.4' into PHP-8.0 2022-10-31 15:02:56 +00:00
Derick Rethans 004cb82750 Bumb versions 2022-10-31 15:02:21 +00:00
Jakub Zelenka 8229649045 Fix GH-9770: Add small timeout in status-listen test 
This is to allow more time to switch for active to idle in scoreboard as
it seems that Travis is quite short on resources and might not switch it
quickly enough.
 2022-10-30 17:00:40 +00:00
Jakub Zelenka 1c5844aa3e Fix GH-9754: SaltStack hangs when running php-fpm 8.1.11 
SaltStack uses Python subprocess and redirects stderr to stdout which is
then piped to the returned output. If php-fpm starts in daemonized mode,
it should close stderr. However a fix introduced in GH-8913 keeps stderr
around so it can be later restored. That causes the issue reported in
GH-9754. The solution is to keep stderr around only when php-fpm runs in
foreground as the issue is most likely visible only there. Basically
there is no need to restore stderr when php-fpm is daemonized.
 2022-10-30 11:41:33 +00:00
Kamil Tekiela 96049867d8 Add NEWS entry for #9841 
Closes GH-9841
 2022-10-27 18:29:17 +01:00
Kamil Tekiela e713a8e8e5 Add a temporary fix for insufficient buffer size in mysqlnd (#9835) 2022-10-27 18:25:17 +01:00
Kamil Tekiela 5b60370906 mysqli_query throws warning despite using silenced error mode (#9842) 2022-10-27 18:24:28 +01:00
Remi Collet db28ee8fd0 move CVEs in 8.0.25 changelog 2022-10-26 15:27:23 +02:00
Stanislav Malyshev 80ccaa3e36 Merge branch 'PHP-7.4' into PHP-8.0 2022-10-23 18:52:56 -06:00
Stanislav Malyshev 2669ed7d77 Update NEWS 2022-10-23 18:50:53 -06:00
Stanislav Malyshev 1d83a407d1 Merge branch 'PHP-7.4' into PHP-8.0 2022-10-23 18:49:21 -06:00
Christoph M. Becker d50532be91 Fix #81739: OOB read due to insufficient validation in imageloadfont() 
If we swap the byte order of the relevant header bytes, we need to make
sure again that the following multiplication does not overflow.
 2022-10-23 18:41:48 -06:00
Adam Saponara 45e224cf51 Fix GH-9709: Guard against current_execute_data==NULL in is_handle_exception_set 2022-10-23 00:46:05 +01:00
Jakub Zelenka fa1b6ab5db Fix GH-8430: OpenSSL compiled with old disgests does not build 
Specifically no-md2, no-md4 or no-rmd160 were not supported
 2022-10-22 22:11:05 +01:00
Arnaud Le Blanc 845c6b3b3b [ci skip] NEWS 2022-10-22 10:43:11 +02:00
Benoit 994097093c Fix compilation warning 2022-10-22 10:41:02 +02:00
Arnaud Le Blanc 26c7c82d32 Fix crash when memory limit is exceeded during generator initialization 2022-10-22 10:40:28 +02:00
Ilija Tovilo 2b03846576 Merge branch 'PHP-7.4' into PHP-8.0 
* PHP-7.4:
  Revert incorrect PHP-7.4 version constants
 2022-10-21 12:50:51 +02:00
Ilija Tovilo 8b919c3175 Revert incorrect PHP-7.4 version constants 2022-10-21 12:49:50 +02:00
Stanislav Malyshev beff4278a4 Merge branch 'PHP-7.4' into PHP-8.0 2022-10-21 00:04:43 -06:00
Stanislav Malyshev 248f647724 Fix bug #81738 (buffer overflow in hash_update() on long parameter) 2022-10-20 23:57:35 -06:00
Ilija Tovilo d52f0451ad Fix cli server blocking on accept when using multiple workers 
Fixes GH-9400
Closes GH-9693
 2022-10-20 13:03:35 +02:00
Ilija Tovilo 4071e18620 [skip ci] Mark frequently failing hrtime test as XFAIL 2022-10-20 10:59:07 +02:00
Ilija Tovilo 4e8a6554cb Fix failing date test 
INCLUDE_END_DATE has only been introduced in PHP 8.2.
 2022-10-20 10:48:57 +02:00