Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>

This adds error checks for escape functions in pgsql and pdo_pgsql
extensions. It prevents the possibility of storing not properly escaped
data which could potentially lead to some security issues.

This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.

These tests attempt to test that no memory is leaked for stream calls. However,
it is incorrect to assume the memory will not increase for other reasons, e.g.
when growing resource buffers, for the output buffer, etc. This was discovered
through 9cacc57350 with USE_TRACKED_ALLOC=1, but
this can also fail with USE_ZEND_ALLOC=1 when increasing loop iterations.

real_size is returned by memory_get_usage(true), which previously returned 0.
Discovered in Symfony ConsumeMessagesCommandTest::testRunWithMemoryLimit()
through nightly.
Closes GH-18880

--ignore-platform-reqs may accidentally install versions of dependencies
that no longer support the given PHP version. --ignore-platform-req=php+
will only suppress errors for new PHP version but not change behavior
for older versions. Thanks to Tim for the hint.
Also skip the Laravel build for PHP 8.1, which is no longer supported on
Laravel's default branch.

Use connection ID instead of count to check whether we're using a
persistent connection. This allows the test to be run in parallel with
the other tests, but also protects against the possibility that some
other service connects to the mysql server.
Closes GH-18040

$start and $end use the H:i:s from the current time. If $end happens on
a second boundary, $start + 4 days will include $end, thus performing an
extra iteration. Fix this by setting H:i:s to 00:00:00.

It seems like n === undefined must have worked on older versions of
jscript, but currently it just causes the insertion to silently fail.
This sets n to an empty string, allowing phpize to include the local
config.w32 files.

Due to a deliberate change in libcurl, the expiration is now capped to
at most 400 days. We could solve this by choosing another date roughly
a year in the future, but would need to update the test next year.
This would be especially annoying for security branches.
Another option would be to actually parse the cookie list lines, but
that might not be worth the trouble. Instead we just ignore the exact
timestamp created by libcurl.
[1] <https://github.com/curl/curl/pull/15937>
Closes GH-17709.

Apparently, some ICU versions report "America/Los_Angeles" for the `ZZ`
case, which matches the behavior of ICU 76.1 (on Windows). Possibly,
there has been some bug fix backport on some systems. Anyhow, either
seems fine, so we're not picky about that.
Closes GH-17669.

This is already fixed in higher branches. We'll need to fix this
properly when upgrading to MySQL 8.4, which we should do soon as 8.3 is
already EOL.
Closes GH-17560

Recent hosted GH Windows runners already have MySQL preinstalled, so
there is no particular need to install it again via Chocolatey or other
means.
If we ever need to address more specific needs, we may want to have a
look at <https://github.com/ankane/setup-mysql>.
Closes GH-17561.

Closes GH-17570.

There are two issues: The latest Symfony branches don't support 8.1
anymore. This could be mitigated by switching to LTS for security
builds. However, there are also some JIT bugs that are hard to backport.
We'll skip these builds on 8.1 instead.