From: Stanislav Malyshev Date: Tue, 20 Nov 2018 19:19:51 +0000 (-0800) Subject: Merge branch 'PHP-7.2' into PHP-7.3 X-Git-Tag: php-7.3.1RC1~69 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=63973d1b3384c236cf8576ba46deb55c0a1dc7ad;p=php Merge branch 'PHP-7.2' into PHP-7.3 * PHP-7.2: Disable rsh/ssh functionality in imap by default (bug #77153) --- 63973d1b3384c236cf8576ba46deb55c0a1dc7ad diff --cc NEWS index 2a91ef2cba,652a6ead8c..b97fe025ea --- a/NEWS +++ b/NEWS @@@ -15,28 -17,10 +15,32 @@@ PH . Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR). (cmb) + - IMAP: + . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via + mailbox parameter). (Stas) + +- MBstring: + . Fixed bug #77165 (mb_check_encoding crashes when argument given an empty + array). (Nikita) + +- PGSQL: + . Fixed bug #77047 (pg_convert has a broken regex for the 'TIME WITHOUT + TIMEZONE' data type). (Andy Gajetzki) + +- SOAP: + . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb) + +08 Nov 2018 PHP 7.3.0RC5 + +- Core: + . Fixed bug #76825 (Undefined symbols ___cpuid_count). (Laruence, cmb) + . Fixed bug #77110 (undefined symbol zend_string_equal_val in C++ build). + (Remi) + +- Fileinfo: + . Fixed bug #77095 (slowness regression in 7.2/7.3 (compared to 7.1)). + (Anatol) + - ODBC: . Fixed bug #77079 (odbc_fetch_object has incorrect type signature). (Jon Allen) diff --cc UPGRADING index 8df033036a,52968a3857..bef3d3056b --- a/UPGRADING +++ b/UPGRADING @@@ -19,143 -19,92 +19,149 @@@ PHP 7.3 UPGRADE NOTE 1. Backward Incompatible Changes ======================================== -- Core: - . gettype() will now return "resource (closed)" instead of "unknown type" for - closed resources. - . is_object() will now return true for objects of class - __PHP_Incomplete_Class. - . Support for Netware operating systems has been removed. - . 
Casting arrays to objects (with (object) or settype()) will now convert - integer keys to string property names. This fixes the behaviour of previous - versions, where integer keys would become inaccessible properties with - integer names. - . Casting objects to arrays (with (array) or settype()), and retrieving - object properties in an array with get_object_vars(), will now convert - numeric string property names (that is, property names of the format - /^(0|(-?[1-9][0-9]*))$/ where PHP_INT_MIN <= n <= PHP_INT_MAX) to integer - keys. This fixes the behaviour of previous versions, where numeric string - property names would become inaccessible string keys. - . Unqualified references to undefined constants now generate a Warning instead - of a notice. They will generate an Error in a future version of PHP. - (https://wiki.php.net/rfc/deprecate-bareword-strings) - . Minimum supported Windows versions are Windows 7/Server 2008 R2. - . Initial trait property value compatibility check will no longer perform - any casts. (Bug #74269) - . "object" (in any case) can no longer be used as a class name. - -- BCMath: - . The bcmod() function no longer truncates fractional numbers to integers. As - such, its behavior now follows fmod() rather than the `%` operator. For - example `bcmod('4', '3.5')` now returns '0.5' instead of '1'. - -- Hash: - . The hash_hmac(), hash_hmac_file(), hash_pbkdf2() and hash_init() (with - HASH_HMAC) functions no longer accept non-cryptographic hashes. - -- JSON - . The json_decode() option JSON_OBJECT_AS_ARRAY is used if the second - parameter (assoc) is null. Previously JSON_OBJECT_AS_ARRAY was always - ignored. - -- Session: - . Removed register_globals related code and "!" can be used as $_SESSION key name. - . Session is made to manage session status correctly and prevents invalid operations. - Only inappropriate codes are affected by this change. If you have problems with this, - it means you have problem in your code. - . 
Functions are made to set or return correct session status. - session_start(), session_status(), session_regenerate_id() - . Functions are made to return bool from null. These functions have void parameter - and void parameter is checked. - session_unset(), session_write_close()/session_commit(), session_abort(), - session_reset() - . Functions prohibit invalid operations with regard to session status and - HTTP header status, returns correct bool return value. - session_start(), session_set_cookie_params(), session_name(), session_module_name(), - session_set_save_handler(), session_regenerate_id(), session_cache_limiter(), - session_cache_expire(), session_unset(), session_destroy(), - session_write_close()/session_commit(), session_reset() - . INI value change by ini_set() returns update status correctly. Invalid INI modifications - are checked and made to fail. - session.name, session.save_path, session.cookie_lifetime, session.cookie_path, - session.cookie_domain, session.cookie_httponly, session.cookie_secure, - session.use_cookies, session.use_only_cookies, session.use_strict_mode, - session.referer_check, session.cache_limiter, session.cache_expire, - session.lazy_write, session.save_handler, session.serialize_handler, - session.gc_probability, session.gc_divior, session.gc_maxlifetime, - . Some E_ERRORs are changed to E_WARNING since session status is managed correctly. - session_start() - . Session no longer initialize $_SESSION for invalid and useless session. - session_start() - . When headers are already sent and try to set new INI values, session_name(), - session_module_name(), session_save_path(), session_cache_limiter() and - session_cache_expire() are no longer works. Older PHPs accepts new values even - if new values will not be effective. - This new corrected behavior may affect command line mode CLI scripts that manage - sessions. Use output buffer just like web applications to resolve problems on - CLI scripts. - -- Standard: - . 
Sequences generated by mt_rand() and rand() for a specific seed may differ - from PHP 7.1 on 64-bit machines. This change was necessary to resolve a - modulo bias bug in the implementation. - -- IMAP: - Starting with 7.2.13, rsh/ssh logins are disabled by default. Use - imap.enable_insecure_rsh if you want to enable them. Note that the IMAP - library does not filter mailbox names before passing them to rsh/ssh - command, thus passing untrusted data to this function with rsh/ssh enabled - is insecure. +Core: + . The ext_skel utility has been completely redesigned with new options and + some old options removed. This is now written in PHP and has no external + dependencies. + . Support for BeOS has been dropped. + . Exceptions thrown due to automatic conversion of warnings into exceptions + in EH_THROW mode (e.g. some DateTime exceptions) no longer populate + error_get_last() state. As such, they now work the same way as manually + thrown exceptions. + . TypeError now reports wrong types as `int` and `bool` instead of `integer` + and `boolean`. + . Due to the introduction of flexible heredoc/nowdoc syntax (see New Features + section), doc strings that contain the ending label inside their body may + cause syntax errors or change in interpretation. For example in + + $str = <<offsetGet("123") will be called instead + of $obj->offsetGet(123). This matches existing behavior for non-literals. + The behavior of arrays is not affected in any way, they continue to + implicitly convert integeral string keys to integers. + . In PHP, static properties are shared between inheriting classes, unless the + static property is explicitly overridden in a child class. However, due to + an implementation artifact it was possible to separate the static properties + by assigning a reference. This loophole has been fixed. 
+ + class Test { + public static $x = 0; + } + class Test2 extends Test { } + + Test2::$x = &$x; + $x = 1; + + var_dump(Test::$x, Test2::$x); + // Previously: int(0), int(1) + // Now: int(1), int(1) + + . References returned by array and property accesses are now unwrapped as + part of the access. This means that it is no longer possible to modify the + reference between the access and the use of the accessed value: + + $arr = [1]; + $ref =& $arr[0]; + var_dump($arr[0] + ($arr[0] = 2)); + // Previously: int(4), Now: int(3) + + This makes the behavior of references and non-references consistent. Please + note that reading and writing a value inside a single expression remains + undefined behavior and may change again in the future. + + . Argument unpacking stopped working with Traversables with non-integer keys. + The following code worked in PHP 7.0-7.2 by accident. + + function foo(...$args) { + var_dump($args); + } + function gen() { + yield 1.23 => 123; + } + foo(...gen()); + + Now it generates an exception. + +BCMath: + . All warnings thrown by BCMath functions are now using PHP's error handling. + Formerly some warnings have directly been written to stderr. + . bcmul() and bcpow() now return numbers with the requested scale. Formerly, + the returned numbers may have omitted trailing decimal zeroes. + ++IMAP: ++ rsh/ssh logins are disabled by default. Use imap.enable_insecure_rsh if you want ++ to enable them. Note that the IMAP library does not filter mailbox names before ++ passing them to rsh/ssh command, thus passing untrusted data to this function ++ with rsh/ssh enabled is insecure. ++ +MBString: + . Due to added support for named captures, mb_ereg_*() patterns using named + captures will behave differently. In particular named captures will be part + of matches and mb_ereg_replace() will interpret additional syntax. See + "New Features" section for more information. + +mysqli: + . 
Prepared statements now properly report the fractional seconds for DATETIME/ + TIME/TIMESTAMP columns with decimals specifier (e.g. TIMESTAMP(6) when using + microseconds). Formerly, the fractional seconds part was simply omitted from + the returned values. + +PDO/MySQL: + . Prepared statements now properly report the fractional seconds for DATETIME/ + TIME/TIMESTAMP columns with decimals specifier (e.g. TIMESTAMP(6) when using + microseconds). Formerly, the fractional seconds part was simply omitted from + the returned values. + Please note that this only affects the usage of PDO_MYSQL with emulated + prepares turned off (e.g. using the native preparation functionality). + Statements using connections having PDO::ATTR_EMULATE_PREPARES=true (which + is the default) were not affected by the bug fixed and have already been + getting the proper fractional seconds values from the engine. + +Reflection: + . Reflection export to string now uses `int` and `bool` instead of `integer` + and `boolean`. + +SPL: + . If an SPL autoloader throws an exception, following autoloaders will not be + executed. Previously all autoloaders were executed and exceptions were + chained. + +SimpleXML: + . Mathematic operations involving SimpleXML objects will now treat the text as + an integer or float, whichever is more appropriate. Previously values were + treated as integers unconditionally. + +Standard: + . Undefined variables passed to compact() will now be reported as a notice. + . getimagesize() and related functions now report the mime type of BMP images + as image/bmp instead of image/x-ms-bmp, since the former has been registered + with the IANA (see RFC 7903). + . stream_socket_get_name() will now return IPv6 addresses wrapped in brackets. + For example "[::1]:1337" will be returned instead of "::1:1337". ======================================== 2. New Features
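Review bot: In the NEWS hunk, the IMAP entry for bug #77153 gives only the bug title and does not say that the fix changes a default. Per the commit subject, rsh/ssh functionality in imap is now disabled by default, so a reader of NEWS alone cannot tell that rsh/ssh logins stay off until imap.enable_insecure_rsh is enabled. Suggest extending the entry with a short pointer such as "rsh/ssh logins are now disabled by default, see UPGRADING" so the behaviour change sits next to the bug number.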
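Review bot: In the UPGRADING hunk, the IMAP entry under "1. Backward Incompatible Changes" warns about "passing untrusted data to this function" without naming any function. NEWS names imap_open and its mailbox parameter, and this entry should name them too. The lines are marked "++", so this wording is in neither parent and was written in the merge itself (the PHP-7.2 side reads "Starting with 7.2.13, rsh/ssh logins are disabled by default"), which makes it worth a manual check. Two further points on the same lines: the entry lacks the " . " bullet that items in the other sections of this list use, and it does not say which value of imap.enable_insecure_rsh turns the logins on or where the setting can be changed.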