Fix GH-14978 (The xmlreader extension phpize build).
Throw Error exception when encountering recursion during comparison, rather than fatal error.
Added missing cstddef include for C++ builds.
Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
Fixed bug GH-15240 (Infinite recursion in trait hook).
Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric type).
Fixed bug GH-15181 (Disabled output handler is flushed again).
Passing E_USER_ERROR to trigger_error() is now deprecated.
Fixed bug GH-15292 (Dynamic AVX detection is broken for MSVC).
Using "_" as a class name is now deprecated.
Exiting a namespace now clears seen symbols.
The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As a result, passing invalid types to exit/die may now throw a TypeError.
Fixed bug GH-15438 (Hooks on constructor promoted properties without visibility are ignored).
Fixed bug GH-15419 (Missing readonly+hook incompatibility check for readonly classes).
resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
- TypeError for invalid offset types
- ValueError for an empty string
- ValueError if the integer index does not fit in a signed 32-bit integer
ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null
Added the new Grapheme function grapheme_str_split.
Added IntlDateFormatter::parseToCalendar.
Added SpoofChecker::setAllowedChars to set Unicode character ranges.
The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed a SQL "KILL" command can be used instead.
The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed a SQL "FLUSH" command can be used instead.
Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated. As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function it has also been deprecated.
Fixed bug #44383 (PHP DateTime not converted to xsd:datetime).
Fixed bug GH-11941 (soap with session persistence will silently fail when "session" built as a shared object).
Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided, flatten the array returned by get_defined_functions().
The SOAP_FUNCTIONS_ALL constant is now deprecated.
Fixed bug #61525 (SOAP functions require at least one space after HTTP header colon).
Added the SOCK_CONN_DGRAM/SOCK_DCCP netbsd constants.
Added multicast group support for ipv4 on FreeBSD.
Added the TCP_SYNCNT constant for Linux to set number of attempts to send SYN packets from the client.
Added the SO_EXCLBIND constant for exclusive socket binding on illumos/solaris.
Updated the socket_create_listen backlog argument default value to SOMAXCONN.
Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE on macOS and FreeBSD.
Added SO_LINGER_SEC for macOS, the true equivalent of SO_LINGER on other platforms.
Added close-on-exec on sockets created with socket_accept on Unix-like systems.
Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to the newly created sockets.
Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium:
Add support for AEGIS-128L and AEGIS-256.
Enable AES-GCM on aarch64 with the ARM crypto extensions.
SPL:
Implement SeekableIterator for SplObjectStorage.
The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize(), which need to be overridden instead.
Passing a non-empty string for the $escape parameter of the following methods is now deprecated:
- SplFileObject::setCsvControl()
- SplFileObject::fputcsv()
- SplFileObject::fgetcsv()
Standard:
Implement GH-12188 (Indication for the int size in phpinfo()).
Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
Fix GH-12252 (round(): Validate the rounding mode).
Increase the default BCrypt cost to 12.
Fixed bug GH-12592 (strcspn() odd behaviour with NUL bytes and empty mask).
Removed the deprecated inet_ntoa call support.
Cast large floats that are within int range to int in number_format so the precision is not lost.
Add support for 4 new rounding modes to the round() function.
debug_zval_dump() now indicates whether an array is packed.
Changed return type of long2ip to string from string|false.
Fix GH-12143 (Extend the maximum precision round can handle by one digit).
Added the http_get_last_response_headers() and http_clear_last_response_headers() functions, which allow retrieving the same content as the magic $http_response_header variable.
Add php_base64_encode_ex() API.
Implemented "Raising zero to the power of negative number" RFC.
Added array_find(), array_find_key(), array_all(), and array_any().
Change highlight_string() and print_r() return type to string|true.
Fix references in request_parse_body() options array.
Add RoundingMode enum.
Unserializing the uppercase 'S' tag is now deprecated.
Enables crc32 auxiliary detection on OpenBSD.
Passing a non-empty string for the $escape parameter of the following functions is now deprecated:
- fputcsv()
- fgetcsv()
- str_getcsv()
The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behaviour to be identical to that of fputcsv() and fgetcsv().
php_uname() now throws ValueErrors on invalid inputs.
The "allowed_classes" option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
Implemented GH-15685 (improve proc_open error reporting on Windows).
Add support for backed enums in http_build_query().
Fixed bug GH-15982 (Assertion failure with array_find when references are involved).
Fixed parameter names of fpow() to be identical to pow().
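The BCrypt cost entry in this section raises a practical question for existing deployments: hashes already stored under the old cost are not upgraded by the runtime. The following added example (not from the PHP NEWS file or php-src; the function names and the sample password are this example's own) shows the verify-then-rehash pattern that picks up the higher cost on the next successful login.

```php
<?php
declare(strict_types=1);

// Added example; not from the PHP NEWS file or php-src. Shows how an
// application picks up the higher default BCrypt cost (12) for accounts whose
// hashes were created under a lower cost: verify first, rehash on success.
// Function names and the sample password are this example's own.

// Pinning the cost explicitly means the upgrade happens even on PHP versions
// that still default to 10, and makes future cost bumps a one-line change.
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Checks a login attempt. On success, returns a replacement hash when the
 * stored one was produced with a different algorithm or a lower cost, so the
 * caller can write it back; otherwise the second element is null.
 *
 * @return array{0: bool, 1: ?string}  [password accepted, replacement hash or null]
 */
function verifyAndMaybeRehash(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        // Only rehash after a successful verification; a failed attempt
        // must never change the stored credential.
        return [false, null];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return [true, hashPassword($password)];
    }
    return [true, null];
}

// Constructed legacy record: a hash made under the old default cost of 10.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

// Correct password against the legacy hash: accepted, and a cost-12 replacement is returned.
[$ok, $upgraded] = verifyAndMaybeRehash('correct horse battery staple', $legacyHash);
var_dump($ok, $upgraded !== null, password_get_info((string) $upgraded)['options']['cost']);

// Wrong password: rejected, nothing to write back.
[$ok, $upgraded] = verifyAndMaybeRehash('not the password', $legacyHash);
var_dump($ok, $upgraded);

// Hash already at the target cost: accepted, nothing to write back.
$current = hashPassword('correct horse battery staple');
[$ok, $upgraded] = verifyAndMaybeRehash('correct horse battery staple', $current);
var_dump($ok, $upgraded);
```

The replacement hash is only produced after password_verify() succeeds, so the plaintext needed for rehashing is available exactly when the user has proven it; persisting it is the caller's responsibility.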
Streams:
Implemented GH-15155 (Stream context is lost when custom stream wrapper is being filtered).
Tidy:
Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows:
Update the icon of the Windows executables, e.g. php.exe.
Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
MySQLnd:
Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
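The note above leaves the mitigation to distributors; application code can also reduce its exposure. The following added example (not from the PHP NEWS file or php-src; the helper names are this example's own) prefers RSA-OAEP, which is outside the PKCS#1 v1.5 padding-oracle class that the Marvin Attack belongs to, and gates the PKCS#1 v1.5 legacy path on the linked OpenSSL version.

```php
<?php
declare(strict_types=1);

// Added example; not from the PHP NEWS file or php-src. Shows how application
// code can respond to the Marvin Attack note: prefer OAEP padding, and refuse
// the PKCS#1 v1.5 default unless the linked OpenSSL is new enough to contain
// implicit rejection (openssl/openssl#13817). Helper names are this example's own.

// OpenSSL 3.2.0 is encoded as 0x30200000 in OPENSSL_VERSION_NUMBER.
const OPENSSL_IMPLICIT_REJECTION_MIN = 0x30200000;

/**
 * True when the linked OpenSSL is 3.2 or newer. Distribution builds that
 * backported implicit rejection to an older branch still report the older
 * number, so a false result means "confirm with your distributor", not
 * "vulnerable".
 */
function opensslHasImplicitRejection(): bool
{
    return OPENSSL_VERSION_NUMBER >= OPENSSL_IMPLICIT_REJECTION_MIN;
}

/**
 * Preferred path: RSA-OAEP. It is not affected by the PKCS#1 v1.5 padding
 * oracle that Marvin exploits, so it is safe on any OpenSSL version.
 * Returns null on any failure without reporting why; callers should not
 * reveal the reason to the remote party either.
 */
function decryptOaep(string $ciphertext, OpenSSLAsymmetricKey $key): ?string
{
    $plain = '';
    return openssl_private_decrypt($ciphertext, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)
        ? $plain
        : null;
}

/**
 * Legacy path for ciphertext produced with PKCS#1 v1.5 that cannot be
 * re-encrypted yet. It refuses to run on an OpenSSL without implicit
 * rejection instead of silently exposing a padding oracle.
 */
function decryptPkcs1Legacy(string $ciphertext, OpenSSLAsymmetricKey $key): ?string
{
    if (!opensslHasImplicitRejection()) {
        throw new RuntimeException(
            'PKCS#1 v1.5 RSA decryption disabled: ' . OPENSSL_VERSION_TEXT
            . ' predates implicit rejection; migrate to OAEP or upgrade OpenSSL'
        );
    }
    $plain = '';
    return openssl_private_decrypt($ciphertext, $plain, $key, OPENSSL_PKCS1_PADDING)
        ? $plain
        : null;
}

// Constructed self-check with a throwaway key: an OAEP round trip succeeds,
// and a tampered ciphertext fails without distinguishing why.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($key === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$pub = openssl_pkey_get_details($key)['key'];

$ct = '';
openssl_public_encrypt('session-key-bytes', $ct, $pub, OPENSSL_PKCS1_OAEP_PADDING);
var_dump(decryptOaep($ct, $key) === 'session-key-bytes');

$ct[0] = chr(ord($ct[0]) ^ 0x01);   // flip one bit of the ciphertext
var_dump(decryptOaep($ct, $key));

printf("OpenSSL %s, implicit rejection by version number: %s\n",
    OPENSSL_VERSION_TEXT, opensslHasImplicitRejection() ? 'yes' : 'unknown');
```

The version check is deliberately conservative: it can only confirm the upstream 3.2 line, so a deployment relying on a distribution backport should document that fact rather than lower the threshold.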
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Version 8.3.7
Core:
Fixed zend_call_stack build with Linux/uclibc-ng without thread support.
Fixed bug GH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bug GH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bug GH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bug GH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bug GH-14013 (Erroneous dnl appended in configure).
Fixed bug GH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Removed the BC break on IntlDateFormatter::__construct, which threw an exception with an invalid locale.
JSON:
Added json_validate().
LDAP:
Deprecate calling ldap_connect() with separate hostname and port.
LibXML:
Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.
MBString:
mb_detect_encoding is better able to identify the correct encoding for Turkish text.
mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
Implement mb_str_pad() RFC.
Fixed bug GH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
Fix use-after-free of mb_list_encodings() return value.
Fixed bug GH-11992 (utf_encodings.phpt fails on Windows 32-bit).
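The mb_detect_encoding entry above makes a point that matters for input handling: non-strict mode now returns the closest matching candidate even for bytes that are valid in none of them, so it is a heuristic rather than a validator. The following added example (not from the PHP NEWS file or php-src; the function names and byte strings are this example's own) keeps the two uses apart.

```php
<?php
declare(strict_types=1);

// Added example; not from the PHP NEWS file or php-src. Illustrates the
// strict/non-strict distinction in mb_detect_encoding(): non-strict mode
// returns the closest matching candidate even for malformed input, so only
// strict mode is suitable for validation. Byte strings are constructed.

/**
 * Validation path: returns the first candidate in which every byte of $bytes
 * is valid, or null. In strict mode mb_detect_encoding() returns false when
 * no candidate accepts the whole string.
 */
function detectStrict(string $bytes, array $candidates): ?string
{
    $enc = mb_detect_encoding($bytes, $candidates, true);
    return $enc === false ? null : $enc;
}

/**
 * Recovery path for displaying legacy data only. The result says which
 * candidate fits best, not that the bytes are well-formed in it.
 */
function guessLenient(string $bytes, array $candidates): ?string
{
    $enc = mb_detect_encoding($bytes, $candidates, false);
    return $enc === false ? null : $enc;
}

/**
 * Normalises untrusted input to UTF-8 using strict detection and rejects it
 * (null) instead of guessing when it is malformed in every allowed encoding.
 */
function toUtf8OrReject(string $bytes, array $allowed): ?string
{
    $enc = detectStrict($bytes, $allowed);
    if ($enc === null) {
        return null;
    }
    $out = mb_convert_encoding($bytes, 'UTF-8', $enc);
    // Defensive re-check: the converted text must itself be valid UTF-8.
    return mb_check_encoding($out, 'UTF-8') ? $out : null;
}

$samples = [
    'well-formed UTF-8' => "caf\xC3\xA9",   // "café"
    'truncated UTF-8'   => "caf\xC3",       // 2-byte lead byte, continuation missing
    'Latin-1 e-acute'   => "caf\xE9",       // "café" in ISO-8859-1
];

// Case 1: an interface that accepts UTF-8 only. Strict detection rejects the
// malformed samples; lenient detection still names a "closest" encoding.
foreach ($samples as $label => $bytes) {
    printf("[UTF-8 only]     %-18s strict=%-6s lenient=%-6s\n", $label,
        detectStrict($bytes, ['UTF-8']) ?? 'null',
        guessLenient($bytes, ['UTF-8']) ?? 'null');
}

// Case 2: a legacy import that also allows ISO-8859-1. Every byte value is
// valid in ISO-8859-1, so it acts as a catch-all and strict detection can no
// longer reject anything; the allowed list must therefore be chosen deliberately.
foreach ($samples as $label => $bytes) {
    printf("[UTF-8, Latin-1] %-18s -> %s\n", $label,
        bin2hex((string) toUtf8OrReject($bytes, ['UTF-8', 'ISO-8859-1'])));
}
```

The practical rule the example encodes: validate with strict mode against a deliberately short candidate list, and keep non-strict detection for best-effort display of data that is already trusted.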
mysqli:
mysqli_fetch_object raises a ValueError instead of an Exception.
Opcache:
Added start, restart and force restart time to opcache's phpinfo section.
Fix GH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
Allows W/X bits on page creation on FreeBSD despite system settings.
Added memfd API usage on Linux for zend_shared_alloc_create_lock() to create an abstract anonymous file for opcache's lock.
Avoid resetting JIT counter handlers from multiple processes/threads.
Fixed COPY_TMP type inference for references.
OpenSSL:
Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE constants to switch between MIME content types.
Fixed GH-11054: Reset OpenSSL errors when using a PEM public key.
Added support for additional EC parameters in openssl_pkey_new.
PCNTL:
SA_ONSTACK is now set for pcntl_signal.
Added SIGINFO constant.
PCRE:
Update bundled libpcre2 to 10.42.
PGSQL:
pg_fetch_object raises a ValueError instead of an Exception.
pg_cancel now uses the thread-safe PQcancel API.
Added support for the PGSQL_TRACE_SUPPRESS_TIMESTAMPS and PGSQL_TRACE_REGRESS_MODE constants in pg_trace.
Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
Fixed bug GH-14140 (Floating point bug in range operation on Apple Silicon hardware).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
FFI:
Fixed bug GH-14215 (Cannot use FFI::load on CRLF header file with apache2handler).
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
Ini:
Fixed bug GH-14100 (Corrected spelling mistake in php.ini files).
MySQLnd:
Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Version 8.2.19
Core:
Fixed bug GH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bug GH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bug GH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bug GH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bug GH-14013 (Erroneous dnl appended in configure).
Fixed bug GH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Fixed bug GH-11600 (Can't parse time strings which include (narrow) non-breaking space characters).
Fixed bug GH-11854 (DateTime::createFromFormat stopped parsing datetime with extra space).
DOM:
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bug GH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
Fixed bug GH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
PDO DBLIB:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
PDO Firebird:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
Streams:
Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
Version 8.1.30
CGI:
Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
FPM:
Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). (CVE-2024-9026)
SAPI:
Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
Version 8.1.29
CGI:
Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
Version 8.1.28
Standard:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Version 8.1.27
Core:
Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious error handler).
Fixed oss-fuzz #64209 (In-place modification of filename in php_message_handler_for_zend).
Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC).
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Fix wrong comparison in block optimisation pass after opcode update.
Date:
Fixed bug GH-9891 (DateTime modify with unixtimestamp (@) must work like setTimestamp).
Fixed bug GH-10218 (DateTimeZone fails to parse time zones that contain the "+" character).
Fiber:
Fix assertion on stack allocation size.
FPM:
Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug #67244 (Wrong owner:group for listening unix socket).
Hash:
Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
MBString:
Fixed: mb_strlen (and a couple of other mbstring functions) would wrongly treat 0x80, 0xFD, 0xFE, 0xFF, and certain other byte values as the first byte of a 2-byte SJIS character.
Opcache:
Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_breal().
Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
Fix memory leak in posix_ttyname() (girgias)
Standard:
Fix GH-10187 (Segfault in stripslashes() with arm64).
Fix substr_replace with slots in repl_ht being UNDEF.
TSRM:
Fixed Windows shmget() wrt. IPC_PRIVATE.
XMLWriter:
Fix missing check for xmlTextWriterEndElement (nielsdos)
Version 8.1.14
Core:
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Revert "Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR)"
Version 8.0.5
Core:
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Dba:
Fixed bug #80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug #66783 (UAF when appending DOMDocument to element).
FFI:
Fixed bug #80847 (CData structs with fields of type struct can't be passed as C function argument).
FPM:
Fixed bug #80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug #80880 (SSL_read on shutdown, ftp/proc_open).
IMAP:
Fixed bug #80800 (imap_open() fails when the flags parameter includes CL_EXPUNGE).