- GH-11958: DNF types in trait properties do not get bound properly
- GH-11883: Memory leak in zend_type_release() for non-arena allocated DNF types
- Internal trait bound to userland class would not be arena allocated
- Property DNF types were not properly deep copied during lazy loading
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: ju1ius <jules.bernable@gmail.com>
Upon resizing, the elements are destroyed from lower index to higher
index. When an element refers to an object with a destructor, it can
refer to a lower (i.e. already destroyed) element, causing a uaf.
Set refcounted zvals to NULL after destroying them to avoid a uaf.
Closes GH-11959.
The tempnam documentation currently states that "Only the first 63
characters of the prefix are used, the rest are ignored". However when
the prefix is 64 characters-long, the current implementation fails to
strip the last character, diverging from the documented behavior. This
patch fixes the implementation so it matches the documented behavior for
that specific case where the prefix is 64 characters long.
Closes GH-11870
Signed-off-by: George Peter Banyard <girgias@php.net>
Commit 0b2e6bc2b0 started caching the directory entry type to improve
performance. Shortly after, we've seen flaky failures of the
buildFromIterator phar test.
When it fails, it's always a value error in the constructor of
RecursiveDirectoryIterator::__construct() with a "no such file or
directory" error. What's happening here is this:
1) A parallel test creates a subdirectory in the current working dir.
2) This test checks hasChildren() on a directory entry, the cached entry
returns "yes" on the subdirectory.
3) The parallel test finishes and removes the subdirectory.
4) The constructor mentioned above is called, causing an exception
because the directory is gone.
This race has always been possible, even before said commit. It's just
that it was very hard to hit before: the expensive stat call made the
race window hard to hit. The race is now easier to hit because of the
caching that is fast.
Since there's many tests that modify the current working directory, it
seems best to mark this as an "all" conflict. We cannot avoid every
TOC-TOU race when working with files with these phar tests.
In particular, mounteddir.phpt caused every conflict I saw on CI, but
there's more tests that create subdirectories in the current working
directory.
Closes GH-11869.
People relied on manually waiting for children, but the fix for GH-11498
broke this. Fixing this in PHP is fundamentally incompatible with doing
the wait loop in userland. This reverts to the old behaviour.
Closes GH-11863.
* PHP-8.1:
Fix GH-10964: Improve `man` page about the built-in server
Fix GH-11438: mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters
https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
tells us that the nonce used in this authentication method is 20 bytes
long. However, we might receive additional scramble data in
php_mysqlnd_greet_read not used in this method.
On my test setup, I received 21 bytes (20 bytes + '\0'). This resulted
in the xor computation to incorrectly include the NUL byte. Every
password of at least 20 characters therefore failed to authenticate
using this method.
Looking at mysql-server source code also seems to reveal that it always
uses a fixed number of scramble bytes [1].
[1] ea7087d885/sql/auth/sha2_password.cc (L1078-L1079)
Closes GH-11445.
Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
According to https://www.php.net/manual/en/class.domdocument:
When using json_encode() on a DOMDocument object the result will be
that of encoding an empty object.
But this was broken in 8.1. The output was `{"config": null}`.
That's because the config property is defined with a default value of
NULL, hence it was included. The other properties are not included
because they don't have a default property, and nothing is ever written
to their backing field. Hence, the JSON encoder excludes them.
Similarly, `(array) $doc` would yield the same `config` key in the
array.
Closes GH-11840.
It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-test.
To add to the Windows trouble, libxml is statically linked in, ext/libxml can
only be built statically but ext/zend-test can be built both statically and
dynamically.
So the regression tests won't work in all possible configurations anyway on Windows.
All of this is no problem on Linux because it just uses dynamic linking
and pkg-config, without any magic.
Signed-off-by: Ben Ramsey <ramsey@php.net>
