From: Christoph M. Becker Date: Tue, 29 Sep 2020 10:11:48 +0000 (+0200) Subject: Merge branch 'PHP-7.3' into PHP-7.4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2bceb4bedc70b3375de66e7130eaf53a88a30e9c;p=php Merge branch 'PHP-7.3' into PHP-7.4 * PHP-7.3: [ci skip] Fix version --- 2bceb4bedc70b3375de66e7130eaf53a88a30e9c diff --cc UPGRADING index 40a768d6ba,6f9b87c660..354e4fac02 --- a/UPGRADING +++ b/UPGRADING @@@ -21,366 -19,252 +21,366 @@@ PHP 7.4 UPGRADE NOTE 1. Backward Incompatible Changes ======================================== -Core: - . The ext_skel utility has been completely redesigned with new options and - some old options removed. This is now written in PHP and has no external - dependencies. - . Support for BeOS has been dropped. - . Exceptions thrown due to automatic conversion of warnings into exceptions - in EH_THROW mode (e.g. some DateTime exceptions) no longer populate - error_get_last() state. As such, they now work the same way as manually - thrown exceptions. - . TypeError now reports wrong types as `int` and `bool` instead of `integer` - and `boolean`. - . Due to the introduction of flexible heredoc/nowdoc syntax (see New Features - section), doc strings that contain the ending label inside their body may - cause syntax errors or change in interpretation. For example in - - $str = <<prop[0] = $val` missed this warning. + . Previously get_declared_classes() always returned parent classes before + child classes. This is no longer the case. No particular order is guaranteed + for the get_declared_classes() return value. + +- BCMath: + . BCMath functions will now warn if a non well-formed number is passed, such + as "32foo". The argument will be interpreted as zero (as before). + +- Curl: + . Attempting to serialize a CURLFile class will now generate an exception. + Previously the exception was only thrown on unserialization. + . Using CURLPIPE_HTTP1 is deprecated, and is no longer supported as of cURL + 7.62.0. + . The $version parameter of curl_version() is deprecated. If any value not + equal to the default CURLVERSION_NOW is passed, a warning is raised and the + parameter is ignored. + +- Date: + . Calling var_dump() or similar on a DateTime(Immutable) instance will no + longer leave behind accessible properties on the object. + . Comparison of DateInterval objects (using ==, < and so on) will now generate + a warning and always return false. Previously all DateInterval objects were + considered equal, unless they had properties. + +DOM: + . As of PHP 7.4.4, the value of the $childNodes property of DOMDocument, + DOMNode, DOMProcessingInstruction, DOMComment, DOMText, DOMCdataSection and + DOMNotation is now an empty DOMNodeList instead of NULL, according to the + W3C and WHATWG standards and the PHP manual. + +- Intl: + . The default parameter value of idn_to_ascii() and idn_to_utf8() is now + INTL_IDNA_VARIANT_UTS46 instead of the deprecated INTL_IDNA_VARIANT_2003. + +- MySQLi: + . The embedded server functionality has been removed. It was broken since + at least PHP 7.0. + . The undocumented mysqli::$stat property has been removed in favor of + mysqli::stat(). + +- Openssl: + . The openssl_random_pseudo_bytes() function will now throw an exception in + error situations, similar to random_bytes(). In particular, an Error is + thrown if the number of requested bytes is less than *or equal to* zero, + and an Exception is thrown if sufficient randomness cannot be gathered. + The $crypto_strong output argument is guaranteed to always be true if the + function does not throw, so explicitly checking it is not necessary. + RFC: http://php.net/manual/de/function.openssl-random-pseudo-bytes.php + +- Pcntl: + . The $restart_syscalls flag for pcntl_signal() will now be respected for + SIGALARM. Previously it was hardcoded to false. To reduce the backwards + compatibility impact, the default for SIGALARM will remain false however. + +- PCRE: + . When PREG_UNMATCHED_AS_NULL mode is used, trailing unmatched capturing + groups will now also be set to null (or [null, -1] if offset capture is + enabled). This means that the size of the $matches will always be the same. + +- PEAR: + . Installation of PEAR (including PECL) is no longer enabled by default. It + can be explicitly enabled using --with-pear. This option is deprecated and + may be removed in the future. + +- PDO: + . Attempting to serialize a PDO or PDOStatement instance will now generate + an Exception rather than a PDOException, consistent with other internal + classes which do not support serialization. + +- Reflection: + . Reflection objects will now generate an exception if an attempt is made + to serialize them. Serialization for reflection objects was never + supported and resulted in corrupted reflection objects. It has been + explicitly prohibited now. + . The signature of the ReflectionMethod::getClosure() method changed to + account for existing behavior with static methods: + Before: ReflectionMethod::getClosure($object) + After: ReflectionMethod::getClosure($object = null) + The new signature is also (LSP) compatible with older PHP versions. - . Array accesses of type $obj["123"], where $obj implements ArrayAccess and - "123" is an integer string literal will no longer result in an implicit - conversion to integer, i.e., $obj->offsetGet("123") will be called instead - of $obj->offsetGet(123). This matches existing behavior for non-literals. - The behavior of arrays is not affected in any way, they continue to - implicitly convert integeral string keys to integers. - . In PHP, static properties are shared between inheriting classes, unless the - static property is explicitly overridden in a child class. However, due to - an implementation artifact it was possible to separate the static properties - by assigning a reference. This loophole has been fixed. - - class Test { - public static $x = 0; +- SAPI: - . Starting with 7.4.12, incoming cookie names are not url-decoded. This was never ++ . Starting with 7.4.11, incoming cookie names are not url-decoded. This was never + required by the standard, outgoing cookie names aren't encoded and this leads + to security issues (CVE-2020-7070). + +- SPL: + . Calling get_object_vars() on an ArrayObject instance will now always return + the properties of the ArrayObject itself (or a subclass). Previously it + returned the values of the wrapped array/object unless the STD_PROP_LIST + flag was specified. Other affected operations are: + + * ReflectionObject::getProperties() + * reset(), current(), etc. Use Iterator methods instead. + * Potentially others working on object properties as a list. + * Other internal functions that iterate over an array, but which + previously silently accepted an ArrayObject as well; eg curl_setopt() + when used with an option that expects an array. + + (array) casts are *not* affected. They will continue to return either the + wrapped array, or the ArrayObject properties, depending on whether the + STD_PROP_LIST flag is used. + . SplPriorityQueue::setExtractFlags() will throw an exception if zero is + passed. Previously this would generate a recoverable fatal error on the + next extraction operation. + . ArrayObject, ArrayIterator, SplDoublyLinkedList and SplObjectStorage now + support the __serialize() + __unserialize() mechanism in addition to the + Serializable interface. This means that serialization payloads created on + older PHP versions can still be unserialized, but new payloads created by + PHP 7.4 will not be understood by older versions. + +- Standard: + . The "o" serialization format has been removed. As it is never produced by + PHP, this may only break unserialization of manually crafted strings. + . Password hashing algorithm identifiers are now nullable strings rather + than integers. + + * PASSWORD_DEFAULT was int 1; now is null in PHP <7.4.3 and string '2y' afterwards + * PASSWORD_BCRYPT was int 1; now is string '2y' + * PASSWORD_ARGON2I was int 2; now is string 'argon2i' + * PASSWORD_ARGON2ID was int 3; now is string 'argon2id' + + Applications correctly using the constants PASSWORD_DEFAULT, + PASSWORD_BCRYPT, PASSWORD_ARGON2I, and PASSWORD_ARGON2ID will continue to + function correctly. + . htmlentities() will now throw a notice (instead of a strict standards + warning) if it is used with an encoding for which only basic entity + substitution is supported, in which case it is equivalent to + htmlspecialchars(). + . fread() and fwrite() will now return false if the operation failed. + Previously an empty string or 0 was returned. EAGAIN/EWOULDBLOCK are not + considered failures. + . fread() and fwrite() on plain files will now throw a notice on failure, + such as when trying to write to a read-only file resource. + . The stream_read() and stream_write() methods on stream wrappers now + interpret "false" as a failure return values. If no data is available, but + no error occurred, an empty string should be returned instead. + . round(-0.0) will now return -0.0 rather than +0.0. + +- Tokenizer: + . token_get_all() will now emit a T_BAD_CHARACTER token for unexpected + characters instead of leaving behind holes in the token stream. + +======================================== +2. New Features +======================================== + +- Core: + . Added support for typed properties. For example: + + class User { + public int $id; + public string $name; } - class Test2 extends Test { } - Test2::$x = &$x; - $x = 1; + This will enforce that $user->id can only be assigned integers and + $user->name can only be assigned strings. For more information see the + RFC: https://wiki.php.net/rfc/typed_properties_v2 - var_dump(Test::$x, Test2::$x); - // Previously: int(0), int(1) - // Now: int(1), int(1) + . Added support for arrow functions with implicit by-value scope binding. + For example: - . References returned by array and property accesses are now unwrapped as - part of the access. This means that it is no longer possible to modify the - reference between the access and the use of the accessed value: + $factor = 10; + $nums = array_map(fn($num) => $num * $factor, $nums); - $arr = [1]; - $ref =& $arr[0]; - var_dump($arr[0] + ($arr[0] = 2)); - // Previously: int(4), Now: int(3) + RFC: https://wiki.php.net/rfc/arrow_functions_v2 - This makes the behavior of references and non-references consistent. Please - note that reading and writing a value inside a single expression remains - undefined behavior and may change again in the future. + . Added support for limited return type covariance and argument type + contravariance. The following code will now work: - . Argument unpacking stopped working with Traversables with non-integer keys. - The following code worked in PHP 7.0-7.2 by accident. + class A {} + class B extends A {} - function foo(...$args) { - var_dump($args); + class Producer { + public function method(): A {} } - function gen() { - yield 1.23 => 123; + class ChildProducer extends Producer { + public function method(): B {} } - foo(...gen()); - Now it generates an exception. + Full variance support is only available if autoloading is used. Inside a + single file only non-cyclic type references are possible, because all + classes need to be available before they are referenced. + RFC: https://wiki.php.net/rfc/covariant-returns-and-contravariant-parameters -BCMath: - . All warnings thrown by BCMath functions are now using PHP's error handling. - Formerly some warnings have directly been written to stderr. - . bcmul() and bcpow() now return numbers with the requested scale. Formerly, - the returned numbers may have omitted trailing decimal zeroes. + . Added support for coalesce assign (??=) operator. For example: -DOM: - . As of PHP 7.3.16, the value of the $childNodes property of DOMDocument, - DOMNode, DOMProcessingInstruction, DOMComment, DOMText, DOMCdataSection and - DOMNotation is now an empty DOMNodeList instead of NULL, according to the - W3C and WHATWG standards and the PHP manual. + $array['key'] ??= computeDefault(); + // is roughly equivalent to + if (!isset($array['key'])) { + $array['key'] = computeDefault(); + } -IMAP: - rsh/ssh logins are disabled by default. Use imap.enable_insecure_rsh if you want - to enable them. Note that the IMAP library does not filter mailbox names before - passing them to rsh/ssh command, thus passing untrusted data to this function - with rsh/ssh enabled is insecure. - -MBString: - . Due to added support for named captures, mb_ereg_*() patterns using named - captures will behave differently. In particular named captures will be part - of matches and mb_ereg_replace() will interpret additional syntax. See - "New Features" section for more information. - -mysqli: - . Prepared statements now properly report the fractional seconds for DATETIME/ - TIME/TIMESTAMP columns with decimals specifier (e.g. TIMESTAMP(6) when using - microseconds). Formerly, the fractional seconds part was simply omitted from - the returned values. - -PDO/MySQL: - . Prepared statements now properly report the fractional seconds for DATETIME/ - TIME/TIMESTAMP columns with decimals specifier (e.g. TIMESTAMP(6) when using - microseconds). Formerly, the fractional seconds part was simply omitted from - the returned values. - Please note that this only affects the usage of PDO_MYSQL with emulated - prepares turned off (e.g. using the native preparation functionality). - Statements using connections having PDO::ATTR_EMULATE_PREPARES=true (which - is the default) were not affected by the bug fixed and have already been - getting the proper fractional seconds values from the engine. - -Reflection: - . Reflection export to string now uses `int` and `bool` instead of `integer` - and `boolean`. + RFC: https://wiki.php.net/rfc/null_coalesce_equal_operator -- SAPI: - . Starting with 7.3.23, incoming cookie names are not url-decoded. This was never - required by the standard, outgoing cookie names aren't encoded and this leads - to security issues (CVE-2020-7070). + . Added support for unpacking inside arrays. For example: -SPL: - . If an SPL autoloader throws an exception, following autoloaders will not be - executed. Previously all autoloaders were executed and exceptions were - chained. + $arr1 = [3, 4]; + $arr2 = [1, 2, ...$arr1, 5]; + // $arr2 == [1, 2, 3, 4, 5] -SimpleXML: - . Mathematic operations involving SimpleXML objects will now treat the text as - an integer or float, whichever is more appropriate. Previously values were - treated as integers unconditionally. + RFC: https://wiki.php.net/rfc/spread_operator_for_array -Standard: - . Undefined variables passed to compact() will now be reported as a notice. - . getimagesize() and related functions now report the mime type of BMP images - as image/bmp instead of image/x-ms-bmp, since the former has been registered - with the IANA (see RFC 7903). - . stream_socket_get_name() will now return IPv6 addresses wrapped in brackets. - For example "[::1]:1337" will be returned instead of "::1:1337". + . Added support for underscore separators in numeric literals. Some examples: -======================================== -2. New Features -======================================== + 6.674_083e-11; // float + 299_792_458; // decimal + 0xCAFE_F00D; // hexadecimal + 0b0101_1111; // binary + + RFC: https://wiki.php.net/rfc/numeric_literal_separator + + . Support for WeakReferences has been added. + RFC: https://wiki.php.net/rfc/weakrefs + + . Throwing exceptions from __toString() is now permitted. Previously this + resulted in a fatal error. Existing recoverable fatals in string conversions + have been converted to Error exceptions. + RFC: https://wiki.php.net/rfc/tostring_exceptions + +- CURL: + . CURLFile now supports stream wrappers in addition to plain file names, if + the extension has been built against libcurl >= 7.56.0. The streams may + need to be seekable. + +- Filter: + . The FILTER_VALIDATE_FLOAT filter now supports the min_range and max_range + options, with the same semantics as FILTER_VALIDATE_INT. + +- FFI: + . A new extension which provides a simple way to call native functions, access + native variables and create/access data structures defined in C libraries. + RFC: https://wiki.php.net/rfc/ffi + +- GD: + . Added the "scatter" image filter (IMG_FILTER_SCATTER) to apply a scatter + filter to images. This filter has the following prototype: + + imagefilter($im, IMG_FILTER_SCATTER, int $sub, int $plus, array $colors = []); + + The $colors array can be populated with a set of indexed colors to + apply the scatter pixel shifting on. + + Note, the result of this filter is always random. + +- Hash: + . Added "crc32c" hash using Castagnoli's polynomial. This crc32 variant is + used by storage systems, such as iSCSI, SCTP, Btrfs and ext4. + +- Mbstring: + . Added mb_str_split() function, which provides the same functionality as + str_split(), but operating on code points rather than bytes. + RFC: https://wiki.php.net/rfc/mb_str_split + . Added mbstring.regex_retry_limit ini setting defaulting to 1000000. It + limits the amount of backtracking that may be performed during one mbregex + match and thus protects against exponential backtracking attacks (ReDOS). + This setting only takes effect when linking against oniguruma >= 6.8.0. + +- OPcache: + . Support for preloading code has been added. + RFC: https://wiki.php.net/rfc/preload + +- PCRE: + . The preg_replace_callback() and preg_replace_callback_array() functions now + accept an additional $flags argument, with support for the + PREG_OFFSET_CAPTURE and PREG_UNMATCHED_AS_NULL flags. This influences the + format of the matches array passed to the callback function. + +- PDO: + . The username and password can now be specified as part of the PDO DSN for + the mysql, mssql, sybase, dblib, firebird and oci drivers. Previously this + was only supported by the pgsql driver. If a username/password is specified + both in the constructor and the DSN, the constructor takes precedence. + + new PDO("mysql:host=xxx;port=xxx;dbname=xxx;user=xxx;password=xxx"); + +- PDO_OCI: + . PDOStatement::getColumnMeta() is now available + +- PDO_SQLite: + . PDOStatement::getAttribute(PDO::SQLITE_ATTR_READONLY_STATEMENT) allows + checking whether the statement is read-only, i.e. if it doesn't modify + the database. + . PDO::setAttribute(PDO::SQLITE_ATTR_EXTENDED_RESULT_CODES, true) enables the + use of SQLite3 extended result codes in errorInfo(). + +- SQLite3: + . Added SQLite3::lastExtendedErrorCode() to fetch the last extended result + code. + . Added SQLite3::enableExtendedResultCodes($enable = true), which will make + SQLite3::lastErrorCode() return extended result codes. + +- Standard: + . strip_tags() now also accepts an array of allowed tags: Instead of + strip_tags($str, '

') you can now write strip_tags($str, ['a', 'p']). + + . A new mechanism for custom object serialization has been added, which + uses two new magic methods: -Core: - . Implemented flexible heredoc and nowdoc syntax: The closing marker for doc - strings is no longer required to be followed by a semicolon or newline. - Additionally the closing marker may be indented, in which case the - indentation will be stripped from all lines in the doc string. - (RFC: https://wiki.php.net/rfc/flexible_heredoc_nowdoc_syntaxes) - . Array destructuring now supports reference assignments using the syntax - [&$a, [$b, &$c]] = $d. The same is also supported for list(). - (RFC: https://wiki.php.net/rfc/list_reference_assignment) - . instanceof now allows literals as the first operand, - in which case the result is always FALSE. - . A new CompileError exception has been added, from which ParseError inherits. - A small number of compilation errors will now throw a CompileError instead - of generating a fatal error. Currently this only affects compilation errors - that may be thrown by token_get_all() in TOKEN_PARSE mode, but more errors - may be converted in the future. - . Trailing commas in function and method calls are now allowed. - (RFC: https://wiki.php.net/rfc/trailing-comma-function-calls) - -BCMath: - . bcscale() can now also be used as getter to retrieve the current scale in use. - -MBString: - . Support for full case-mapping and case-folding has been added. Unlike simple - case-mapping, full case-mapping may change the length of the string. For - example: - - mb_strtoupper("Straße") - // Produces STRAßE on PHP 7.2 - // Produces STRASSE on PHP 7.3 - - The different casing mapping and folding modes are available through - mb_convert_case(): - - . MB_CASE_LOWER (used by mb_strtolower) - . MB_CASE_UPPER (used by mb_strtoupper) - . MB_CASE_TITLE - . MB_CASE_FOLD - . MB_CASE_LOWER_SIMPLE - . MB_CASE_UPPER_SIMPLE - . MB_CASE_TITLE_SIMPLE - . MB_CASE_FOLD_SIMPLE (used by case-insensitive operations) - - Only unconditional, language agnostic full case-mapping is performed. - . Case-insensitive string operations now use case-folding instead of case- - mapping during comparisons. This means that more characters will be - considered (case insensitively) equal now. - . mb_convert_case() with MB_CASE_TITLE now performs title-case conversion - based on the Cased and CaseIgnorable derived Unicode properties. In - particular this also improves handling of quotes and apostophes. - . Data tables have been updated for Unicode 11. - . Mbstring now correctly supports strings larger than 2GB. - . Performance of the mbstring extension has been significantly improved - across the board. The largest improvements are in case conversion functions. - . mb_ereg_*() functions now support named captures. Matching functions like - mb_ereg() will now return named captures both using their group number and - their name, similar to PCRE: - - mb_ereg('(?\w+)', '国', $matches); - // => [0 => "国", 1 => "国", "word" => "国"]; - - Additionally, mb_ereg_replace() now supports the \k<> and \k'' notations - to reference named captures in the replacement string: - - mb_ereg_replace('\s*(?\w+)\s*', "_\k_\k'word'_", ' foo '); - // => "_foo_foo_" - - \k<> and \k'' can also be used for numbered references, which also works - with group numbers greater than 9. - -readline: - . Support for the completion_append_character and completion_suppress_append - options has been added to readline_info(). These options are only available - if PHP is linked against libreadline (rather than libedit). - -Standard: - . The --with-password-argon2[=dir] configure argument now provides support for - both Argon2i and Argon2id hashes in the password_hash(), password_verify(), - password_get_info(), and password_needs_rehash() functions. Passwords may be - hashed and verified using the PASSWORD_ARGON2ID constant. - Support for both Argon2i and Argon2id in the password_* functions now requires - PHP be linked against libargon2 reference library >= 20161029. - (RFC: https://wiki.php.net/rfc/argon2_password_hash_enhancements). - -LDAP: - . Full support for LDAP Controls has been added to LDAP querying functions - and ldap_parse_result + // Returns array containing all the necessary state of the object. + public function __serialize(): array; + + // Restores the object state from the given data array. + public function __unserialize(array $data): void; + + The new serialization mechanism supersedes the Serializable interface, + which will be deprecated in the future. + + RFC: https://wiki.php.net/rfc/custom_object_serialization + + . A new 'max_depth' option for unserialize(), as well as an + unserialize_max_depth ini setting have been added. These control the + maximum depth of structures permitted during unserialization, and are + intended to prevent stack overflows. The default depth limit is 4096 and + can be disabled by setting unserialize_max_depth=0. + + . array_merge() and array_merge_recursive() may now be called without any + arguments, in which case they will return an empty array. This is useful + in conjunction with the spread operator, e.g. array_merge(...$arrays). + + . proc_open() now accepts an array instead of a string for the command. In + this case the process will be opened directly (without going through a + shell) and PHP will take care of any necessary argument escaping. + + proc_open(['php', '-r', 'echo "Hello World\n";'], $descriptors, $pipes); + + . proc_open() now supports "redirect" and "null" descriptors. For example: + + // Like 2>&1 on the shell + proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['redirect', 1]], $pipes); + // Like 2>/dev/null or 2>nul on the shell + proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['null']], $pipes); + + . password_hash() has argon2i(d) implementations from ext/sodium when PHP is + built without libargon. + + RFC: https://wiki.php.net/rfc/sodium.argon.hash ======================================== 3. Changes in SAPI modules