* PHP-8.1:
Fix wrong flags check for compression method in phar_object.c
Fix missing check for xmlTextWriterEndElement
Fix substr_replace with slots in repl_ht being UNDEF
The check that was supposed to check whether the array slot was UNDEF
was wrong and never triggered. This resulted in a replacement with the
empty string or the wrong string instead of the correct one. The correct
check pattern can be observed higher up in the function's code.
Closes GH-10323
Signed-off-by: George Peter Banyard <girgias@php.net>
* unserialize: Strictly check for `:{` at object start
* unserialize: Update CVE tests
It's unlikely that the object syntax error contributed to the actual CVE. The
CVE is rather caused by the incorrect object serialization data of the `C`
format. Add a second string without such a syntax error to ensure that path is
still executed as well to ensure the CVE is absent.
* Fix test expectation in gmp/tests/bug74670.phpt
No changes to the input required, because the test actually is intended to
verify the behavior for a missing `}`, it's just that the report position changed.
* NEWS
* UPGRADING
This occurs when the handle is different from the current handle (e.g. copy of the .so file), hence the existing test did not catch that particular case.
Directly referring to a constant of an undefined throws an exception;
there is not much point in `constant()` raising a fatal error in this
case.
Closes GH-9907.
As of PHP 8.2.0, `zend_module_entry` structures are no longer copied,
so when a module is permanently loaded, and users try to dynamically
load that module again, the structure is corrupted[1], causing a
segfault on shutdown.
We catch that by checking whether any dynamically loaded module is
already loaded, and bailing out in that case without modifying the
`zend_module_entry` structure.
[1] <https://github.com/php/php-src/issues/9589#issuecomment-1263718701>
Closes GH-9689.
As of PHP 8.1.0, the `--EXTENSIONS-- section is properly supported, and
CIs may make use of that (our AppVeyor CI does). Thus it is important
to list required extensions there, since otherwise they may not be
loaded, causing the test to be skipped, or worse, to be borked.
Commit fbe3059 included an unintended change to the test which checks if
dns_get_record populates its additional parameter. This patch reverts
such change.
The issue was not detected by the CIs because their tests run in
the --offline mode, and the test in question needs internet connection.
Closes GH-9625.
