Fix #78814: strip_tags allows / in tag name => whitelist bypass
When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.
If we're constructing extended-length paths (i.e. paths prefixed with
`\\?\`), we have to replace all forward slashes with backward slashes,
because the former are not supported by Windows for extended-length
paths.
The more efficient and likely cleaner alternative solution would be to
cater to this in `php_win32_ioutil_normalize_path_w()` by always
replacing forward slashes, but that might break existing code. It
might be sensible to change that for `master`, though.
Partially revert "Adapt test cases for Oniguruma 6.9.4"
This partially reverts commit c55d09c2f547634b577aa5aeaa1438d772bc29d1,
because `MB_ONIGURUMA_VERSION` is only available as of PHP 7.4.0, so
that change made no sense for PHP-7.3; we keep it for PHP-7.4, though.
We also stick with the modification to bug78633.phpt.
Apparently, bug 78633 has now really been fixed; the former fix only
catered to the buffer overflow, but yielded a wrong result. Also,
the order of the named captures has been fixed.
Tyson Andre [Wed, 20 Nov 2019 00:12:56 +0000 (19:12 -0500)]
Handle reallocated root buffer during GC destroy phase (v2)
We no longer protect GC during the destroy phase, so we need to
deal with buffer reallocation.
Note that the implementation of spl_SplObjectStorage_free_storage
will call the destructor of SplObjectStorage, and free the instance properties,
which I think is what caused the root buffer to be reallocated.
(`current` is a pointer for an index within the root buffer?)
Fix #78849: GD build broken with -D SIGNED_COMPARE_SLOW
Apparently, this has not been tested for a long time, and might be a
refactoring relict. Anyhow, we have to pass the context to
`GIFNextPixel` as well.
Adam Harvey [Wed, 20 Nov 2019 23:33:04 +0000 (15:33 -0800)]
Make the UPGRADING note about ArrayObject more explicit.
We noticed the BC break when testing `curl_setopt()`, and hadn't interpreted
this note as affecting internal functions in general, so this adds a sub-bullet
to note that.
This overlaps a bit with the previous bullet, but since I don't know exactly
which operations were in mind at the time, I've elected to preserve them both.
Bits are cheap.
Maksim Nikulin [Mon, 21 Oct 2019 07:23:29 +0000 (14:23 +0700)]
Do not let PHP-FPM children miss SIGTERM, SIGQUIT
Postpone signal delivery while spawning children.
Prevent the following case:
- Reload (reexec) is in progress.
- New master is forking to start enough children for pools
where `pm` is not `on-demand`.
- Another `SIGUSR2` is received by the master process.
- Master process switches to reloading state.
- Some child has not set its own signal handlers.
- `SIGQUIT` and `SIGTERM` sent by master process are caught
by signal handler set by master process and so they are ignored.
- A child is running, it has no reason to finish
Before pull request #4465 this scenario could cause deadlock,
however with 0ed6c37140 reload finishes after `SIGKILL`.
Use sigprocmask() around fork() to avoid race of delivery signal to children
and setting of own signal handlers.
Opcache stores `opline->handler`s in shared memory. These pointers are
invalid, if the main PHP DLL is loaded at another base address due to
ASLR. We therefore store the address of `execute_ex` in the mmap base
file, and check on startup whether it matches its current address. If
not, we fall back on the file cache if enabled, and bail out otherwise.
This still does not address cases where the opline handler is located
inside of another DLL (e.g. for some profilers, debuggers), but there
seems to be no general solution for now.
We use the portable {TMP} instead of the hard-coded /tmp, and skip
mysqli_debug_append.phpt on Windows, because unlinking the trace file
while the connection is still open won't work there.
Nikita Popov [Tue, 5 Nov 2019 11:13:46 +0000 (12:13 +0100)]
Fixed bug #78775
Clear the OpenSSL error queue before performing SSL stream operations.
As we don't control all code that could possibly be using OpenSSL,
we can't rely on the error queue being empty.
Time flies, so obviously the reported uptime may differ a bit (as
already occasionally noticed on CI); we cater to that by allowing a
delay of up to one second.
This was reported to cause issues for as yet unknown reasons in
bug #78769. As this was intended as code cleanup, revert this from
7.4 at least. May reapply it to master later.
Nikita Popov [Mon, 4 Nov 2019 10:01:56 +0000 (11:01 +0100)]
Fixed bug #78774
The string held by the zend_type may be released if the property
type gets resolved to a CE. I initially wanted to fix this by
storing a zend_type* instead (so the property type resolution
propagates to the ReflectionType), but decided against this in
light of upcoming union types support, where we also need to
represent parts of the union, and will not have a single zend_type*
we can reference.
projects / php / log