* unserialize: Strictly check for `:{` at object start
* unserialize: Update CVE tests
It's unlikely that the object syntax error contributed to the actual CVE. The
CVE is rather caused by the incorrect object serialization data of the `C`
format. Add a second string without such a syntax error to ensure that path is
still executed as well to ensure the CVE is absent.
* Fix test expectation in gmp/tests/bug74670.phpt
No changes to the input required, because the test actually is intended to
verify the behavior for a missing `}`, it's just that the report position changed.
* NEWS
* UPGRADING
There are two issues to resolve:
1. The FCC is not refetch when trying to unregister a trampoline
2. Comparing the function pointer of trampolines is meaningless as they are reallocated, thus we need to compare the name of the function
Found while working on GH-8294
Closes GH-10033
We need to overwrite the __toString magic method for SplFileObject, similarly to how DirectoryIterator overwrites it
Moreover, the custom cast handler is useless as we define __toString methods, so use the standard one instead.
Closes GH-9912
* Make handling of SplFixedArray properties more consistent
Create a brand new reference counted array every time in SplFixedArray
to be freed by the callers (or return null).
Switch from overriding `get_properties` to overriding `get_properties_for` handler
* Print objects with null hash table like others in print_r
Noticed when working on subsequent commits for SplFixedArray.
Make whether zend_get_properties_for returns null or an empty array
invisible to the end user - it would be always be a non-null array for
user-defined classes.
Always print newlines with `\n\s*(\n\s*)` after objects
Noticed when working on SplFixedArray changes, e.g. in
ext/spl/tests/SplFixedArray__construct_param_null.phpt
Switch the recursion check from the result of `get_properties_for`
(the returned hash table of properties) to just checking for
infinite recursion on the object.
- In order for a native datastructure to correctly implement
`*get_properties_for` for var_export's cycle detection,
it would need to return the exact same array every time prior to this PR.
Prior to this commit, the requirements for cycle detection
would prevent SplFixedArray or similar classes from returning a
temporary array that:
1. Wouldn't be affected by unexpected mutations from error handlers
2. Could be garbage collected instead.
* Emit deprecation warnings when adding dynamic properties to classes during unserialization - this will become an Error in php 9.0.
(Adding dynamic properties in other contexts was already a deprecation warning - the use case of unserialization was overlooked)
* Throw an error when attempting to add a dynamic property to a `readonly` class when unserializing
* Add new serialization methods `__serialize`/`__unserialize` for SplFixedArray to avoid creating deprecated dynamic
properties that would then be added to the backing fixed-size array
* Don't add named dynamic/declared properties (e.g. $obj->foo) of SplFixedArray to the backing array when unserializing
* Update tests to declare properties or to expect the deprecation warning
* Add news entry
Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>
Given that Windows ignores trailing dots and spaces in filenames, we
catch that ourselves to avoid confusion with the respective filenames
without these characters.
Closes GH-9229.
This PR changes the glob stream wrapper so it impacts "glob://"
streamsas well. The idea is to do a check for each found path instead
of the pattern which was not working correctly.
One may argue that `DROP_NEW_LINE` does not make sense in combination
with `READ_CSV`, but without `DROP_NEW_LINE`, `SKIP_EMPTY` does not
skip empty lines at all. We could fix that, but do not for BC reasons.
Instead we no longer drop newlines in `spl_filesystem_file_read_ex()`
when reading CSV, but handle that in `spl_filesystem_file_read_csv()`
by treating lines with only (CR)LF as being empty as well.
Closes GH-7618.
Closes GH-8233
This fix corrects a behavior of `var_export()` that was mostly "hidden" until PHP 8.1 introduced:
* properties with object initializers
* constants containing object references
* default values of class properties containing `enum`s
Since `var_export(..., true)` is mostly used in conjunction with code generation,
and we cannot make assumptions about the generated code being placed in the root
namespace, we must always provide the FQCN of a class in exported code.
For example:
```php
<?php
namespace MyNamespace { class Foo {} }
namespace { echo "<?php\n\nnamespace Example;\n\n" . var_export(new \MyNamespace\Foo(), true) . ';'; }
```
produces:
```php
<?php
namespace Example;
MyNamespace\Foo::__set_state(array(
));
```
This code snippet is invalid, because `Example\MyNamespace\Foo::__set_state()` (which
does not exist) is called.
With this patch applied, the code looks like following (valid):
```php
<?php
namespace Example;
\MyNamespace\Foo::__set_state(array(
));
```
Ref: https://github.com/php/php-src/issues/8232
Ref: https://github.com/Ocramius/ProxyManager/issues/754
Ref: https://externals.io/message/117466
First, we must not free the current line before we call
`spl_filesystem_file_read_csv()`, because then the `current_line` will
not be properly updated. Since the EOF check is superfluous here, we
move that part of the code to the branch for subtypes. This issue has
been introduced by the fix for bug 75917.
Second, we only must increase the `current_line` if we're not reading
ahead. This issue has been introduced by the fix for bug 62004.
Closes GH-8138.
Tim Düsterhus