CVE-2014-3538 was fixed upstream, but the old patch was still kept in
the PHP port. This patch causes performance regressions when PCRE JIT is
not enabled. This is fixed by applying the relevant original code from
the newer libmagic, which makes the old patch obsolete as the
CVE-2014-3538 tests still pass.
The pcre2_jit_compile_8 sysmbol is always available, even JIT might be
not. If JIT is not enabled explicitly and is enabled in the PHP runtime,
this will lead to a malfunction. This approach ensures JIT is indeed
available on the given platform. For cross compilation this might get
complicated, as it would require an explicit processor architecture and
PCRE2 version check.
Another solution for this case is to run pcre2_config at runtime. That
however would require more condition checks that would impact
architectures where JIT is available.
If the callback set via `xml_set_external_entity_ref_handler()` returns
a falsy value, parsing is supposed to stop and the error number set to
`XML_ERROR_EXTERNAL_ENTITY_HANDLING`. This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value. We fix this by calling `xmlStopParser()` which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired `errNo` ourselves.
[1] <http://xmlsoft.org/news.html>
Since we allow ext/xmlrpc to be built against a system libxmlrpc(-epi),
we must not `efree` memory which has been allocated via `malloc`. To
distinguish bundled and system libxmlrpc(-epi) we introduce the macro
`HAVE_XMLRPC_BUNDLED` (analogous to how it is done by ext/gd). We
deliberately keep the ugly `#ifdef`s, instead of tucking them away in
an `XMLRPC_FREE()` macro, to not forget that it is a bad idea to fork
and bundle a library, but to also allow building against an unpatched
system lib.
The `.deps` file(s) was once used by Automake and created to write
dependencies to it. The file creation has been removed via the commit
779c11af21.
The phpize and ./configure script create a redundant .deps file in a
PECL extension directory which might cause confusions why is it used.
Today it is no longer relevant so this redundant artefact can be
removed in the phpize configure script.
We define the `HAVE_TIDYOPTGETDOC` macro unconditionally, since the
Windows PHP SDK ships libtidy 2009/04/06 or newer for a long time.
We do not add a regression test, since 021.phpt already tests
`tidy_get_opt_doc`, but has previously been skipped due to
unavailability of the function.
"auto" is only meaningful in functions which accept an encoding
*list* and support encoding detection. These functions have
explicit checks for "auto". It cannot be used as a standalone
encoding in any meaningful capacity, so I'm dropping it entirely.
Implements 8bit conversions equivalently to iso-8859-1 conversions.
This seems quite dubious to me, but seems to match the previous
behavior.
It might make more sense to map the characters into a private area
instead, so that the 8bit encoding is treated as binary data with
no case conversions (including no case conversions in the ascii
range).
Anatol Belski