PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.
Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.
The PHP Hack exists since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02.
No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.
* PHP-8.1:
Fix wrong flags check for compression method in phar_object.c
Fix missing check for xmlTextWriterEndElement
Fix substr_replace with slots in repl_ht being UNDEF
The check that was supposed to check whether the array slot was UNDEF
was wrong and never triggered. This resulted in a replacement with the
empty string or the wrong string instead of the correct one. The correct
check pattern can be observed higher up in the function's code.
Closes GH-10323
Signed-off-by: George Peter Banyard <girgias@php.net>
* unserialize: Strictly check for `:{` at object start
* unserialize: Update CVE tests
It's unlikely that the object syntax error contributed to the actual CVE. The
CVE is rather caused by the incorrect object serialization data of the `C`
format. Add a second string without such a syntax error to ensure that path is
still executed as well to ensure the CVE is absent.
* Fix test expectation in gmp/tests/bug74670.phpt
No changes to the input required, because the test actually is intended to
verify the behavior for a missing `}`, it's just that the report position changed.
* NEWS
* UPGRADING
Directly referring to a constant of an undefined throws an exception;
there is not much point in `constant()` raising a fatal error in this
case.
Closes GH-9907.
As of PHP 8.2.0, `zend_module_entry` structures are no longer copied,
so when a module is permanently loaded, and users try to dynamically
load that module again, the structure is corrupted[1], causing a
segfault on shutdown.
We catch that by checking whether any dynamically loaded module is
already loaded, and bailing out in that case without modifying the
`zend_module_entry` structure.
[1] <https://github.com/php/php-src/issues/9589#issuecomment-1263718701>
Closes GH-9689.
As of PHP 8.1.0, the `--EXTENSIONS-- section is properly supported, and
CIs may make use of that (our AppVeyor CI does). Thus it is important
to list required extensions there, since otherwise they may not be
loaded, causing the test to be skipped, or worse, to be borked.
Commit fbe3059 included an unintended change to the test which checks if
dns_get_record populates its additional parameter. This patch reverts
such change.
The issue was not detected by the CIs because their tests run in
the --offline mode, and the test in question needs internet connection.
Closes GH-9625.
* Emit deprecation warnings when adding dynamic properties to classes during unserialization - this will become an Error in php 9.0.
(Adding dynamic properties in other contexts was already a deprecation warning - the use case of unserialization was overlooked)
* Throw an error when attempting to add a dynamic property to a `readonly` class when unserializing
* Add new serialization methods `__serialize`/`__unserialize` for SplFixedArray to avoid creating deprecated dynamic
properties that would then be added to the backing fixed-size array
* Don't add named dynamic/declared properties (e.g. $obj->foo) of SplFixedArray to the backing array when unserializing
* Update tests to declare properties or to expect the deprecation warning
* Add news entry
Co-authored-by: Tyson Andre <tysonandre775@hotmail.com>
Given that Windows ignores trailing dots and spaces in filenames, we
catch that ourselves to avoid confusion with the respective filenames
without these characters.
Closes GH-9229.
While the reason-phrase in a HTTP response status line is usually
short, there is no actual limit specified by the RFCs. As such, we
must not assume that the line fits into the buffer (which is currently
128 bytes large).
Since there is no real need to present the complete status line, we
simply read and discard the rest of a long line.
Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
Closes GH-9319.
