php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
37cd00e17026aa680ea1b9b9a2d38978aa1825ea
archived-php-src/NEWS
Christoph M. Becker f698c62361 Fix bug 64823: ZTS GD fails to to find system TrueType font 
First, the `$fontfile` parameter actually supports a semicolon
delimited list of fonts (as documented[1]); thus passing the full
string to `VCWD_REALPATH()` or `php_check_open_basedir()` makes no
sense; we could pass the individual parts, but …

Second, libgd uses an elaborate font detection.  There is a hard-
coded `DEFAULT_PATH` which can be overridden by the environment
variable `GDFONTPATH`.  Semantics are like the `PATH` environment
variable.  If `DEFAULT_PATH` was still exposed (it is no longer as of
libgd 2.1.0[2]), we could take that into account, but …

External libgd can be configured with font-config support, so font
aliases and even lookup patterns are supported.  There is no way to
cater to that upfront.

Thus, we no longer interfere with libgd's font lookup.  Checking the
realpath was already doubtful (we didn't even use the resolved path).
Lifting the open_basedir restriction is a bit more delicate, but the
manual still states that open_basedir would not apply, and more
relevant, not much harm can be done, because libgd only passes the
found font to `FT_New_Face()` which likely fails for any non font files
without any error which could reveal sensitive information.  And the
font file is never written.

It should be noted that this solves lookup of system fonts, does not
change the behavior for absolute font paths, but still does not resolve
issues with relative paths to font files in ZTS environments using
external libgd (our bundled libgd has a workaround for that).  This
particular issue cannot be solved, so users of ZTS builds still need to
add `realpath(.)` to the `GDFONTPATH` as documented in the manual (or
pass absolute paths as `$fontfile`).

[1] <https://www.php.net/imagettftext>
[2] <2a921c80fb>

Closes GH-17366.
2025-01-25 19:27:05 +01:00

143 lines
5.1 KiB
Plaintext
Raw Blame History

PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.5.0alpha1
- COM:
. Fixed property access of PHP objects wrapped in variant. (cmb)
. Fixed method calls for PHP objects wrapped in variant. (cmb)
- Core:
. Fixed bug GH-16665 (\array and \callable should not be usable in
class_alias). (nielsdos)
. Added PHP_BUILD_DATE constant. (cmb)
. Added support for Closures in constant expressions. (timwolla,
Volker Dusch)
. Use `clock_gettime_nsec_np()` for high resolution timer on macOS
if available. (timwolla)
. Implement GH-15680 (Enhance zend_dump_op_array to properly represent
non-printable characters in string literals). (nielsdos, WangYihang)
- Curl:
. Added curl_multi_get_handles(). (timwolla)
. Added curl_share_init_persistent(). (enorris)
- Date:
. Fix undefined behaviour problems regarding integer overflow in extreme edge
cases. (nielsdos, cmb, ilutov)
- DOM:
. Added Dom\Element::$outerHTML. (nielsdos)
. Added Dom\Element::insertAdjacentHTML(). (nielsdos)
- Enchant:
. Added enchant_dict_remove_from_session(). (nielsdos)
- GD:
. Fixed bug #68629 (Transparent artifacts when using imagerotate). (pierre,
cmb)
. Fixed bug #64823 (ZTS GD fails to to find system TrueType font). (cmb)
- Intl:
. Bumped ICU requirement to ICU >= 57.1. (cmb)
. IntlDateFormatter::setTimeZone()/datefmt_set_timezone() throws an exception
with uninitialised classes or clone failure. (David Carlier)
- MySQLnd:
. Added mysqlnd.collect_memory_statistics to ini quick reference.
(hauk92)
- OPcache:
. Fixed ZTS OPcache build on Cygwin. (cmb)
. Added opcache.file_cache_read_only. (Samuel Melrose)
- Output:
. Fixed calculation of aligned buffer size. (cmb)
- PDO_PGSQL:
. Added Iterable support for PDO::pgsqlCopyFromArray. (KentarouTakeda)
. Implement GH-15387 Pdo\Pgsql::setAttribute(PDO::ATTR_PREFETCH, 0) or
Pdo\Pgsql::prepare(…, [ PDO::ATTR_PREFETCH => 0 ]) make fetch() lazy
instead of storing the whole result set in memory (Guillaume Outters)
- PGSQL:
. Added pg_close_stmt to close a prepared statement while allowing
its name to be reused. (David Carlier)
. Added Iterable support for pgsql_copy_from. (David Carlier)
- POSIX:
. Added POSIX_SC_OPEN_MAX constant to get the number of file descriptors
a process can handle. (David Carlier)
. posix_ttyname() sets last_error to EBADF on invalid file descriptors,
posix_isatty() raises E_WARNING on invalid file descriptors,
posix_fpathconf checks invalid file descriptors. (David Carlier)
- Random:
. Moves from /dev/urandom usage to arc4random_buf on Haiku. (David Carlier)
- Reflection:
. Added ReflectionConstant::getExtension() and ::getExtensionName().
(DanielEScherzer)
- Session:
. session_start() throws a ValueError on option argument if not a hashmap
or a TypeError if read_and_close value is not compatible with int.
(David Carlier)
- SOAP:
. Fixed bug #49169 (SoapServer calls wrong function, although "SOAP action"
header is correct). (nielsdos)
- Sockets:
. Added IPPROTO_ICMP/IPPROTO_ICMPV6 to create raw socket for ICMP usage.
(David Carlier)
. Added TCP_FUNCTION_BLK to change the TCP stack algorithm on FreeBSD.
(David Carlier)
. socket_set_option() catches possible overflow with SO_RCVTIMEO/SO_SNDTIMEO
with timeout setting on windows. (David Carlier)
. Added TCP_FUNCTION_ALIAS, TCP_REUSPORT_LB_NUMA, TCP_REUSPORT_LB_NUMA_NODOM,
TCP_REUSPORT_LB_CURDOM, TCP_BBR_ALGORITHM constants.
. socket_create_listen() throws an exception on invalid port value.
(David Carlier)
. socket_bind() throws an exception on invalid port value.
(David Carlier)
. socket_sendto() throws an exception on invalid port value.
(David Carlier)
. socket_addrinfo_lookup throws an exception on invalid hints value types.
(David Carlier)
. socket_addrinfo_lookup throws an exception if any of the hints value
overflows. (David Carlier)
. socket_addrinfo_lookup throws an exception if one or more hints entries
has an index as numeric. (David Carlier)
. socket_set_option with the options MCAST_LEAVE_GROUP/MCAST_LEAVE_SOURCE_GROUP
will throw an exception if its value is not a valid array/object.
(David Carlier)
- Standard:
. Fixed crypt() tests on musl when using --with-external-libcrypt
(Michael Orlitzky).
- Streams:
. Fixed bug GH-16889 (stream_select() timeout useless for pipes on Windows).
(cmb)
- Tests:
. Allow to shuffle tests even in non-parallell mode. (dhuang00)
- Windows:
. Fixed bug GH-10992 (Improper long path support for relative paths). (cmb,
nielsdos)
. Fixed bug GH-16843 (Windows phpize builds ignore source subfolders). (cmb)
- XMLWriter:
. Improved performance and reduce memory consumption. (nielsdos)
- XSL:
. Implement request #30622 (make $namespace parameter functional). (nielsdos)
- Zlib:
. gzfile, gzopen and readgzfile, their "use_include_path" argument
is now a boolean. (David Carlier)
<<< NOTE: Insert NEWS from last stable release here prior to actual release! >>>
Reference in New Issue View Git Blame Copy Permalink