The intermediate computation can cause a signed integer overflow, but
the input is correctly rejected later on by the check on variable `n`.
Solve this by using an unsigned number.
Closes GH-18312.
We should not early-out with success status if we found an ipv6
hostname, we should keep checking the rest of the conditions.
Because integrating the if-check of the ipv6 hostname in the
"Validate domain" if-check made the code hard to read, I extracted the
condition out to a separate function. This also required to make
a few pointers const in order to have some clean code.
This also fixes skipped tests due to different naming "zend-test"
instead of "zend_test" and "PDO" instead of "pdo":
- ext/dom/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/simplexml/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/xmlreader/tests/libxml_global_state_entity_loader_bypass.phpt
- ext/zend_test/tests/observer_sqlite_create_function.phpt
EXTENSIONS section is used for the Windows build to load the non-static
extensions.
Closes GH-13276
For some reason, FILTER_CALLBACK disables the FILTER_REQUIRE_SCALAR flag that is
normally set by default. While surprising, this is not something we can change.
However, even specifying FILTER_REQUIRE_SCALAR explicitly does not corrently set
this flag. This is because FILTER_CALLBACK zeroes the flags after they have been
populated from the parameters.
We reverse the checks to make explicitly specifying the flag behave as expected.
Closes GH-12203
@cname currently refers to the constant name in C. However, it is not always a (constant) name, but sometimes a function invocation, so naming it as @cvalue would be more appropriate.
Implements https://wiki.php.net/rfc/partially-supported-callables-expand-deprecation-notices
so that uses of "self" and "parent" in is_callable() and callable
type constraints now raise a deprecation notice, independent of the
one raised when and if the callable is actually invoked.
A new flag is added to the existing check_flags parameter of
zend_is_callable / zend_is_callable_ex, for use in internal calls
that would otherwise repeat the notice multiple times. In particular,
arguments to internal function calls are checked first based on
arginfo, and then again during ZPP, so the former suppresses the
deprecation notice.
Some existing tests which raised this deprecation have been updated
to avoid the syntax, but the existing version retained for maximum
regression coverage until it is made an error.
With thanks to Juliette Reinders Folmer for the RFC and initial
investigation.
Closes GH-8823.
smart_str uses an over-allocated string to optimize for append operations. Functions that use smart_str tend to return the over-allocated string directly. This results in unnecessary memory usage, especially for small strings.
The overhead can be up to 231 bytes for strings smaller than that, and 4095 for other strings. This can be avoided for strings smaller than `4096 - zend_string header size - 1` by reallocating the string.
This change introduces `smart_str_trim_to_size()`, and calls it in `smart_str_extract()`. Functions that use `smart_str` are updated to use `smart_str_extract()`.
Fixes GH-8896
`2001:10::/28` is a reserved IPv6 range. But there's a typo in GH-7476,
which caused IPv6 address like `240b:0010::1` will be filtered by the
flag `FILTER_FLAG_NO_RES_RANGE`.
http://www.faqs.org/rfcs/rfc6890.html
Closes GH-7790.
It makes no sense to compare IPv6 address ranges as strings; there are
too many different representation possibilities. Instead, we change
`_php_filter_validate_ipv6()` so that it can calculate the IP address
as integer array. We do not rely on `inet_pton()` which may not be
available everywhere, at least IPv6 support may not, but rather parse
the IP address manually. Finally, we compare the integers.
Note that this patch does not fix what we consider as reserved and
private, respectively, but merely tries to keep what we had so far.
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Closes GH-7476.
There's a subtlety here regarding filter.default_flags. The RFC
stated that no separate deprecation warning will be emitted for
it, on the premise that it is only meaningful if filter.default
is set. However, it turns out that even FILTER_UNSAFE_RAW (which
is the "no-op filter") can be combined with stripping flags.
However, this is compensated by the fact that this doesn't actually
work when setting filter.default=unsafe_raw and non-default
filter.default_flags -- the flags are simply ignored in that case.
So everything works out in the end.
Part of https://wiki.php.net/rfc/deprecations_php_8_1.
* PHP-8.0:
Update NEWS
Fix#76448: Stack buffer overflow in firebird_info_cb
Fix#76449: SIGSEGV in firebird_handle_doer
Fix#76450: SIGSEGV in firebird_stmt_execute
Fix#76452: Crash while parsing blob data in firebird_fetch_blob
Fix#81122: SSRF bypass in FILTER_VALIDATE_URL
