When the superglobals are eagerly initialized, but "S" is not contained
in `variables_order`, `TRACK_VARS_SERVER` is created as empty array
with refcount > 1. Since this hash table may later be modified, a flag
is set which allows such COW violations for assertions. However, when
`register_argc_argv` is on, the so far uninitialized hash table is
updated with `argv`, what causes the hash table to be initialized, what
drops the allow-COW-violations flag. The following update with `argc`
then triggers a refcount violation assertion.
Since we consider `HT_ALLOW_COW_VIOLATION` a hack, we do not want to
keep the flag during hash table initialization, so we initialize the
hash table right away after creation for this code path.
Closes GH-15930.
We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX` (which is also the
largest value of `zend_off_t` on all platforms). Of course, that seek
may fail, but even if it succeeds, the stream is no longer readable,
but that matches the current behavior for offsets near `ZEND_LONG_MAX`.
Closes GH-15989.
multipart/form-data boundaries larger than the read buffer result in erroneous
parsing, which violates data integrity.
Limit boundary size, as allowed by RFC 1521:
Encapsulation boundaries [...] must be no longer than 70 characters, not
counting the two leading hyphens.
We correctly parse payloads with boundaries of length up to
FILLUNIT-strlen("\r\n--") bytes, so allow this for BC.
This effectively inlines the behaviour of php_mkdir_ex() which is a deprecated API from at least 17 years ago, and also fixes some of the return values.
This also removes a dependency on ext/standard
We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX` (which is also the
largest value of `zend_off_t` on all platforms). Of course, after such
a seek a stream is no longer readable, but that matches the current
behavior for offsets near `ZEND_LONG_MAX`.
Closes GH-15989.
This was first reported as a leak in GH-15026, but was mistakingly
believed to be a false positive. Then an assertion was added and it got
triggered in GH-15908. This fixes the leak. Upon merging into master the
assertion should be removed as well.
Closes GH-15924.
First we refactor to have only a single usage of `PHP_GAI_STRERROR()`
left; then we drop the macro in favor of calling the different
functions conditionally in an ad-hoc style.
This is necessary because the return value of `php_win32_error_to_msg`
needs to be freed by the caller.
The error messages are no more inline with other error messages, since
`gai_strerror()` apparently always appends a period and a space.
We also properly configure IPv4/v6 on Windows. Since WSPiApi.h has been
created in 2000, so we can safely assume that it is available everywhere
nowadays. Furthermore, `gai_strerror()` is available regardless of
whether there is IPv6 support.
A common convention is to name internal C header files as `*_int.h`.
Since a couple of these are actually installed, we add comments that
this is not supposed to happen, (a) to avoid installing further
internal headers, and (b) to pave the way to fix this in the next major
PHP version.
Somewhat special is php_gmp_int.h, where "int" is meant as abbreviation
for "interface".
Another common convention is appending `_priv` or `_private`, but since
there have not been any issues regarding these headers so far, we
refrain from adding respective comments to these headers.
Anyhow, it might be a good idea to introduce some common naming
convention for such internal/private headers.
We also add zend_map_ptr_static, so that we do not incur the overhead of constantly recreating the internal run_time_cache pointers on each request.
This mechanism might be extended for mutable_data of internal classes too.
We're reasonably sure that appending the NUL is not an OOB write, since
the memory stream implementation uses `zend_string` APIs instead of
fiddling with the buffer.
We don't add a regression test because that would require to set up
something in the zend_test extension, and regressions are supposed
to be caught by external consumers of this API, such as mailparse.
Closes GH-15648.
* main/network: Use more appropriate types
And check directly against 0 for success for functions not returning a zend_result
* Remove redundant declaration in file.h
Not sure why it even is here
* Show build provider information in "php -v"
Vendors such as distributions can set the `PHP_BUILD_PROVIDER`
variable, that gets printed in phpinfo. However, I find that users check
`php -v` more often than phpinfo to see what PHP they're running. The
problem with this is that it does not show that build provider
information.
This change makes the build provider information printed on an
additional line of the version information.
* Put on same line so it works with or without env var
Unbreaks build without PHP_BUILD_PROVIDER set.
* change wording in provider version text
better grammatically; many different possibilities here though
* Unify SAPI version printing
This makes it so that all of the SAPIs share the same code for printing
version information. This is useful in case of any future changes to the
version information, such as i.e. adding build provider to the output.
* Make include for php_print_version explicit
* Preserve phpdbg version and output channel
php_printf doesn't have same semantics, as phpdbg_out could be on a
different output than stdout/err. Also add the phpdbg version (in case
it differs from PHP's, to keep similar output before this PR)
* remove size variables
we don't use them and CI doesn't like unused variables
* Fix format string insecurity
