ZendPHP November 2024 Releases
ZendPHP Changes
PHP version 8.4.1
The PHP community dropped some extensions from the PHP main sources. These extensions are now built from PECL sources, so the packaging changes on Linux and IBM i:
- oci8
  - has different package names for RPM-based releases; the old package names are provided for backward compatibility
- pdo_oci
  - is to be installed separately as php8.4-zend-pdo-oci (deb) / php84zend-php-pecl-pdo-oci (RPMs). Or: zendphpctl ext install [ --php 8.4 ] pdo_oci
- pspell
  - has different package names for RPM-based releases; the old package names are provided for backward compatibility
- imap
  - has different package names for RPM-based releases; the old package names are provided for backward compatibility
RPM packages rebuilt and re-released 25 Nov 2024 as 8.4.1-1.
Fixed the Apache libphp and LiteSpeed SAPI build options. The original release was built as ZTS (thread-safe); the new build is NTS (non-thread-safe). All loadable extensions are built as NTS, so SAPI modules built as ZTS cannot use them.
Community CVE Fixes
PHP version 8.3.14, 8.2.26, 8.1.31 CVE fixes
- LDAP
  - Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
- MySQLnd
  - Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
- PDO DBLIB
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
- PDO Firebird
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
- Streams
  - Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
  - Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)
Backported PHP CVE Fixes
PHP version 7.2.34.21, 7.3.33.13, 7.4.33.8, 8.0.30.4 CVE fixes
- CLI
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- LDAP
  - Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
- MySQLnd
  - Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
- PDO DBLIB
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
- PDO Firebird
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
- Streams
  - Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
  - Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)
Community Changes
PHP version 8.4.1 changes
- BcMath
  - [RFC] Add bcfloor, bcceil and bcround to BCMath.
  - Improve performance.
  - Adjust bcround()'s $mode parameter to only accept the RoundingMode enum.
  - Fixed LONG_MAX in BCMath ext.
  - Fixed bcdiv() div by one.
  - [RFC] Support object types in BCMath.
  - bcpow() performance improvement.
  - ext/bcmath: Check for scale overflow.
  - [RFC] ext/bcmath: Added bcdivmod.
  - Fix GH-15968: Avoid converting objects to strings in operator calculations.
  - Fixed bug GH-16265: Added early return case when result is 0.
  - Fixed bug GH-16262: Fixed a bug where size_t underflows.
  - Fixed GH-16236: Fixed a bug in BcMath\Number::pow() and bcpow() when raising negative powers of 0.
- Core
  - Added zend_call_stack_get implementation for NetBSD, DragonFlyBSD, Solaris and Haiku.
  - Enabled ifunc checks on FreeBSD from the 12.x releases.
  - Changed the type of PHP_DEBUG and PHP_ZTS constants to bool.
  - Fixed bug GH-13142: Undefined variable name is shortened when contains \0.
  - Fixed bug GH-13178: Iterator positions incorrect when converting packed array to hashed.
  - Fixed zend fiber build for solaris default mode (32 bits).
  - Fixed zend call stack size for macOS/arm64.
  - Added support for Zend Max Execution Timers on FreeBSD.
  - Ensure fiber stack is not backed by THP.
  - Implement GH-13609: Dump wrapped object in WeakReference class.
  - Added sparc64 arch assembly support for zend fiber.
  - Fixed GH-13581 no space available for TLS on NetBSD.
  - Added fiber Sys-V loongarch64 support.
  - Adjusted closure names to include the parent function's name.
  - Improve randomness of uploaded file names and files created by tempnam().
  - Added gc and shutdown callbacks to zend_mm custom handlers.
  - Fixed bug GH-14650: Compute the size of pages before allocating memory.
  - Fixed bug GH-11928: The --enable-re2c-cgoto doesn't add the -g flag.
  - Added the #[\Deprecated] attribute.
  - Fixed GH-11389: Allow suspending fibers in destructors.
  - Fixed bug GH-14801: Fix build for armv7.
  - Implemented property hooks RFC.
  - Fix GH-14978: The xmlreader extension phpize build.
  - Throw Error exception when encountering recursion during comparison, rather than fatal error.
  - Added missing cstddef include for C++ builds.
  - Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
  - Fixed bug GH-15240: Infinite recursion in trait hook.
  - Fixed bug GH-15140: Missing variance check for abstract set with asymmetric type.
  - Fixed bug GH-15181: Disabled output handler is flushed again.
  - Passing E_USER_ERROR to trigger_error() is now deprecated.
  - Fixed bug GH-15292: Dynamic AVX detection is broken for MSVC.
  - Using "_" as a class name is now deprecated.
  - Exiting a namespace now clears seen symbols.
  - The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
  - Fixed bug GH-15438: Hooks on constructor promoted properties without visibility are ignored.
  - Fixed bug GH-15419: Missing readonly+hook incompatibility check for readonly classes.
  - Fixed bug GH-15187: Various hooked object iterator issues.
  - Fixed bug GH-15456: Crash in get_class_vars() on virtual properties.
  - Fixed bug GH-15501: Windows HAVE_<header>_H macros defined to 1 or undefined.
  - Implemented asymmetric visibility for properties.
  - Fixed bug GH-15644: Asymmetric visibility doesn't work with hooks.
  - Implemented lazy objects RFC.
  - Fixed bug GH-15686: Building shared iconv with external iconv library.
  - Fixed missing error when adding asymmetric visibility to unilateral virtual property.
  - Fixed bug GH-15693: Unnecessary include in main.c bloats binary.
  - Fixed bug GH-15731: AllowDynamicProperties validation should error on enums.
  - Fixed bug GH-16040: Use-after-free of object released in hook.
  - Fixed bug GH-16026: Reuse of dtor fiber during shutdown.
  - Fixed bug GH-15999: zend_std_write_property() assertion failure with lazy objects.
  - Fixed bug GH-15960: Foreach edge cases with lazy objects.
  - Fixed bug GH-16185: Various hooked object iterator issues.
  - Fixed bug OSS-Fuzz #371445205: Heap-use-after-free in attr_free.
  - Fixed missing error when adding asymmetric visibility to static properties.
  - Fixed bug OSS-Fuzz #71407: Null-dereference WRITE in zend_lazy_object_clone.
  - Fixed bug GH-16574: Incorrect error "undefined method" messages.
  - Fixed bug GH-16577: EG(strtod_state).freelist leaks with opcache.preload.
  - Fixed bug GH-16615: Assertion failure in zend_std_read_property.
  - Fixed bug GH-16342: Added ReflectionProperty::isLazy().
  - Fixed bug GH-16725: Incorrect access check for non-hooked properties in hooked object iterator.
- Curl
  - Deprecated the CURLOPT_BINARYTRANSFER constant.
  - Bumped required libcurl version to 7.61.0.
  - Added feature_list key to the curl_version() return value.
  - Added constants CURL_HTTP_VERSION_3 (libcurl 7.66) and CURL_HTTP_VERSION_3ONLY (libcurl 7.88) as options for CURLOPT_HTTP_VERSION.
  - Added CURLOPT_TCP_KEEPCNT to set the number of probes to send before dropping the connection.
  - Added CURLOPT_PREREQFUNCTION Curl option to set a custom callback after the connection is established but before the request is performed.
  - Added CURLOPT_SERVER_RESPONSE_TIMEOUT, which was formerly known as CURLOPT_FTP_RESPONSE_TIMEOUT.
  - The CURLOPT_DNS_USE_GLOBAL_CACHE option is now silently ignored.
  - Added CURLOPT_DEBUGFUNCTION as a Curl option.
  - Fixed bug GH-16359: Crash with curl_setopt* CURLOPT_WRITEFUNCTION without null callback.
  - Fixed bug GH-16723: CURLMOPT_PUSHFUNCTION issues.
- Date
  - Added DateTime[Immutable]::createFromTimestamp.
  - Added DateTime[Immutable]::[get|set]Microsecond.
  - Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE are now deprecated.
  - Fixed bug GH-13773: DatePeriod not taking into account microseconds for end date.
- DBA
  - Passing null or false to dba_key_split() is deprecated.
- Debugging
  - Fixed bug GH-15923: GDB: Python Exception: exceptions must derive from BaseException.
- DOM
  - Added DOMNode::compareDocumentPosition().
  - Implemented #53655: Improve speed of DOMNode::C14N() on large XML documents.
  - Fixed cloning attribute with namespace disappearing namespace.
  - Implemented DOM HTML5 parsing and serialization RFC.
  - Fixed DOMElement->prefix with empty string creating bogus prefix.
  - Handled OOM more consistently.
  - Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
  - Added DOMXPath::quote() static method.
  - Implemented opt-in ext/dom spec compliance RFC.
  - Fixed bug #79701: getElementById does not correctly work with duplicate definitions.
  - Implemented "New ext-dom features in PHP 8.4" RFC.
  - Fixed bug GH-14698: Segfault on DOM node dereference.
  - Improved support for template elements.
  - Fixed trampoline leak in XPath callables.
  - Throws instead of silently failing when creating a too long text node in (DOM)ParentNode and (DOM)ChildNode.
  - Fixed bug GH-15192: Segmentation fault in DOM extension (html5_serializer).
  - Deprecated DOM_PHP_ERR constant.
  - Removed DOMImplementation::getFeature().
  - Fixed bug GH-15331: Element::$substitutedNodeValue test failed.
  - Fixed bug GH-15570: Segmentation fault (access null pointer) in ext/dom/html5_serializer.c.
  - Fixed bug GH-13988: Storing DOMElement consumes 4 times more memory in PHP 8.1 than in PHP 8.0.
  - Fixed XML serializer errata: xmlns="" serialization should be allowed.
  - Fixed bug GH-15910: Assertion failure in ext/dom/element.c.
  - Fixed unsetting of DOM properties.
  - Fixed bug GH-16190: Using reflection to call Dom\Node::__construct causes assertion failure.
  - Fixed edge case in DOM parsing decoding.
  - Fixed bug GH-16465: Heap buffer overflow in DOMNode->getElementByTagName.
  - Fixed bug GH-16594: Assertion failure in DOM -> before.
- Fileinfo
  - Updated to libmagic 5.45.
  - Fixed bug #65106: PHP fails to compile ext/fileinfo.
- FPM
  - Implemented GH-12385: Flush headers without body when calling flush().
  - Added DragonFlyBSD system to the list which sets FPM_BACKLOG_DEFAULT to SOMAXCONN.
  - The /dev/poll events.mechanism setting for Solaris/Illumos has been retired.
  - Added memory peak to the scoreboard/status page.
- FTP
  - Removed the deprecated inet_ntoa call support.
  - Fixed bug #63937: Upload speed 10 times slower with PHP.
- GD
  - Fixed parameter numbers and missing alpha check for imagecolorset().
  - imagepng, imagejpeg, imagewebp, and imageavif now throw an exception on invalid quality parameter.
  - Checked overflow/underflow for imagescale and imagefilter.
  - Added gdImageClone to bundled libgd.
- Gettext
  - bind_textdomain_codeset, textdomain, and d(*)gettext functions now throw an exception on empty domain.
- GMP
  - The GMP class is now final and cannot be extended anymore.
  - RFC: Changed GMP bool cast behavior.
- Hash
  - Changed return type of hash_update() to true.
  - Added HashContext::__debugInfo().
- IMAP
  - Moved to PECL.
- Intl
  - Added IntlDateFormatter::PATTERN constant.
  - Fixed NumberFormatter::__construct when the locale is invalid; it now throws an exception.
  - Added NumberFormatter::ROUND_TOWARD_ZERO and ::ROUND_AWAY_FROM_ZERO as aliases for ::ROUND_DOWN and ::ROUND_UP.
  - Added NumberFormatter::ROUND_HALFODD.
  - Added PROPERTY_IDS_UNARY_OPERATOR, PROPERTY_ID_COMPAT_MATH_START, and PROPERTY_ID_COMPAT_MATH_CONTINUE constants.
  - Added IntlDateFormatter::getIanaID / intltz_get_iana_id method/function.
  - Set to C++17 standard for ICU 74 and onwards.
  - resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
    - TypeError for invalid offset types.
    - ValueError for an empty string.
    - ValueError if the integer index does not fit in a signed 32-bit integer.
  - ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null.
  - Added the new Grapheme function grapheme_str_split.
  - Added IntlDateFormatter::parseToCalendar.
  - Added SpoofChecker::setAllowedChars to set Unicode character ranges.
- LDAP
  - Added LDAP_OPT_X_TLS_PROTOCOL_MAX / LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 constants.
- LibXML
  - Added LIBXML_RECOVER constant.
  - libxml_set_streams_context() now throws immediately on an invalid context instead of at the use site.
  - Added LIBXML_NO_XXE constant.
- MBString
  - Added mb_trim, mb_ltrim, and mb_rtrim.
  - Added mb_ucfirst and mb_lcfirst.
  - Updated Unicode data tables to Unicode 15.1.
  - Fixed bug GH-15824: mb_detect_encoding(): Argument $encodings contains invalid encoding "UTF8".
  - Updated Unicode data tables to Unicode 16.0.
- Mysqli
  - The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
  - The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed, a SQL "KILL" command can be used instead.
  - The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed, a SQL "FLUSH" command can be used instead.
  - Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated.
  - As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function, it has also been deprecated.
- MySQLnd
  - Fixed bug GH-13440: PDO quote bottleneck.
  - Fixed bug GH-10599: Apache crash on Windows when using a self-referencing anonymous function inside a class with an active MySQLi connection.
- Opcache
  - Added large shared segments support for FreeBSD.
  - If JIT is enabled, PHP will now exit with a fatal error on startup in case of JIT startup initialization issues.
  - Increased the maximum value of opcache.interned_strings_buffer to 32767 on 64-bit architectures.
  - Fixed bug GH-13834: Applying nonzero offset 36 to null pointer in zend_jit.c.
  - Fixed bug GH-14361: Deep recursion in zend_cfg.c causes segfault.
  - Fixed bug GH-14873: PHP 8.4 min function fails on typed integer.
  - Fixed bug GH-15490: Building of call graph modifies preloaded symbols.
  - Fixed bug GH-15178: Assertion in tracing JIT on hooks.
  - Fixed bug GH-15657: Segmentation fault in dasm_x86.h.
  - Added opcache_jit_blacklist() function.
  - Fixed bug GH-16009: Segmentation fault with frameless functions and undefined CVs.
  - Fixed bug GH-16186: Assertion failure in Zend/zend_operators.c.
  - Fixed bug GH-16572: Incorrect result with reflection in low-trigger JIT.
  - Fixed bug GH-16839: Error on building Opcache JIT for Windows ARM64.
- OpenSSL
  - Fixed bug #80269: OpenSSL sets Subject wrong with extraattribs parameter.
  - Implemented request #48520: openssl_csr_new allows multiple values in DN.
  - Introduced new serial_hex parameter to openssl_csr_sign.
  - Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
  - Bumped minimum required OpenSSL version to 1.1.1.
  - Added compile-time option --with-openssl-legacy-provider to enable legacy provider.
  - Added support for Curve25519 + Curve448 based keys.
  - Fixed bug GH-13343: openssl_x509_parse should not allow omitted seconds in UTC times.
  - Bumped minimum required OpenSSL version to 1.1.0.
  - Implemented GH-13514: PASSWORD_ARGON2 from OpenSSL 3.2.
- Output
  - Clear output handler status flags during handler initialization.
  - Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var().
- PCNTL
  - Added pcntl_setns for Linux.
  - Added pcntl_getcpuaffinity / pcntl_setcpuaffinity.
  - Updated pcntl_get_signal_handler signal ID upper limit to be more in line with platform limits.
  - Added pcntl_getcpu for Linux/FreeBSD/Solaris/Illumos.
  - Added pcntl_getqos_class / pcntl_setqos_class for macOS.
  - Added SIGCKPT / SIGCKPTEXIT constants for DragonFlyBSD.
  - Added FreeBSD's SIGTRAP handling to pcntl_siginfo_to_zval.
  - Added POSIX pcntl_waitid.
  - Fixed bug GH-16769: pcntl_sigwaitinfo aborts on signal value as reference.
- PCRE
  - Upgraded bundled pcre2lib to version 10.43.
  - Added /r modifier.
  - Upgraded bundled pcre2lib to version 10.44.
  - Fixed GH-16189: Underflow on offset argument.
  - Fixed UAF issues with PCRE after request shutdown.
- PDO
  - Fixed setAttribute and getAttribute.
  - Implemented PDO driver-specific subclasses RFC.
  - Added support for PDO driver-specific SQL parsers.
  - Fixed bug GH-14792: Compilation failure on pdo_* extensions.
  - mysqlnd supports ER_CLIENT_INTERACTION_TIMEOUT.
  - The internal header php_pdo_int.h is no longer installed; it is not supposed to be used by PDO drivers.
  - Fixed bug GH-16167: Prevent mixing PDO subclasses with different DSN.
  - Fixed bug GH-16314: "Pdo\Mysql object is uninitialized" when opening a persistent connection.
- PDO_DBLIB
  - Fixed setAttribute and getAttribute.
  - Added class Pdo\DbLib.
- PDO_Firebird
  - Fixed setAttribute and getAttribute.
  - Added transaction isolation level and mode settings to pdo_firebird.
  - Added class Pdo\Firebird.
  - Added Pdo\Firebird::ATTR_API_VERSION.
  - Added getApiVersion() and removed it from getAttribute().
  - Supported Firebird 4.0 datatypes.
  - Supported proper formatting of time zone types.
  - Fixed GH-15604: Always make input parameters nullable.
- PDO_MYSQL
  - Fixed setAttribute and getAttribute.
  - Added class Pdo\Mysql.
  - Added custom SQL parser.
  - Fixed GH-15949: PDO_MySQL not properly quoting PDO_PARAM_LOB binary data.
- PDO_ODBC
  - Added class Pdo\Odbc.
- PDO_PGSQL
  - Fixed GH-12423: DSN credentials being prioritized over the user/password PDO constructor arguments.
  - Fixed native float support with pdo_pgsql query results.
  - Added class Pdo\Pgsql.
  - Retrieve the memory usage of the query result resource.
  - Added Pdo\Pgsql::setNoticeCallBack method to receive DB notices.
  - Added custom SQL parser.
  - Fixed GH-15986: Double free due to Pdo\Pgsql::setNoticeCallback().
  - Fixed GH-12940: Using PQclosePrepared when available instead of the DEALLOCATE command to free statement resources.
  - Removed PGSQL_ATTR_RESULT_MEMORY_SIZE constant as it is provided by the new PDO subclass as Pdo\Pgsql::ATTR_RESULT_MEMORY_SIZE.
- PDO_SQLITE
  - Added class Pdo\Sqlite.
  - Fixed bug #81227: PDO::inTransaction reports false when in a transaction.
  - Added custom SQL parser.
- PHPDBG
  - Array out of bounds and stack overflow handled for segfault handler on Windows.
  - Fixed bug GH-16041: Support stack limit in phpdbg.
- PGSQL
  - Added the possibility to have no conditions for pg_select.
  - Persistent connections support the PGSQL_CONNECT_FORCE_RENEW flag.
  - Added pg_result_memory_size to get the query result memory usage.
  - Added pg_change_password to alter a user's password.
  - Added pg_put_copy_data / pg_put_copy_end to send COPY commands and signal the end of the COPY.
  - Added pg_socket_poll to poll on the connection.
  - Added pg_jit to get information on server JIT support.
  - Added pg_set_chunked_rows_size to fetch results per chunk.
  - pg_convert / pg_insert / pg_update / pg_delete: Regular expressions are now cached.
- Phar
  - Fixed bug GH-12532: PharData created from zip has incorrect timestamp.
- POSIX
  - Added POSIX_SC_CHILD_MAX and POSIX_SC_CLK_TCK constants.
  - Updated posix_isatty to set the error number on file descriptors.
- PSpell
  - Moved to PECL.
- Random
  - Fixed bug GH-15094: php_random_default_engine() is not C++ conforming.
  - lcg_value() is now deprecated.
- Readline
  - Fixed readline_info, rl_line_buffer_length/rl_len globals on update.
  - Fixed bug #51558: Shared readline build fails.
  - Fixed UAF with readline_info().
- Reflection
  - Implement GH-12908: Show attribute name/class in ReflectionAttribute dump.
  - Make ReflectionGenerator::getFunction() legal after generator termination.
  - Added ReflectionGenerator::isClosed().
  - Fixed bug GH-15718: Segfault on ReflectionProperty::get{Hook,Hooks}() on dynamic properties.
  - Fixed bug GH-15694: ReflectionProperty::isInitialized() is incorrect for hooked properties.
  - Add missing ReflectionProperty::hasHook[s]() methods.
  - Add missing ReflectionProperty::isFinal() method.
  - Fixed bug GH-16122: The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect.
  - Fixed bug GH-16162: No ReflectionProperty::IS_VIRTUAL.
  - Fixed the name of the second parameter of ReflectionClass::resetAsLazyGhost().
- Session
  - INI settings session.sid_length and session.sid_bits_per_character are now deprecated.
  - Emit warnings for nonpositive values of session.gc_divisor and negative values of session.gc_probability.
  - Fixed bug GH-16590: UAF in session_encode().
- SimpleXML
  - Fix signature of simplexml_import_dom().
- SNMP
  - Removed the deprecated inet_ntoa call support.
- SOAP
  - Add support for Clark notation for namespaces in class map.
  - Mitigate #51561: SoapServer with an extended class and using sessions lost the setPersistence().
  - Fixed bug #49278: SoapClient::__getLastResponseHeaders returns NULL if WSDL operation has no output.
  - Fixed bug #44383: PHP DateTime not converted to xsd:datetime.
  - Fixed bug GH-11941: Soap with session persistence will silently fail when "session" is built as a shared object.
  - Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided, flatten the array returned by get_defined_functions().
  - The SOAP_FUNCTIONS_ALL constant is now deprecated.
  - Fixed bug #61525: SOAP functions require at least one space after HTTP header colon.
  - Implement request #47317: SoapServer::__getLastResponse().
- Sockets
  - Removed the deprecated inet_ntoa call support.
  - Added the SO_EXCLUSIVEADDRUSE Windows constant.
  - Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
  - Added multicast group support for IPv4 on FreeBSD.
  - Added the TCP_SYNCNT constant for Linux to set the number of attempts to send SYN packets from the client.
  - Added the SO_EXCLBIND constant for exclusive socket binding on illumos/Solaris.
  - Updated the socket_create_listen backlog argument default value to SOMAXCONN.
  - Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
  - Added SO_LINGER_SEC for macOS, true equivalent of SO_LINGER in other platforms.
  - Added close-on-exec on socket created with socket_accept on Unix.
  - Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
  - Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to newly created sockets.
  - Added SO_BINDTOIFINDEX to bind a socket to an interface index.
- Sodium
  - Add support for AEGIS-128L and AEGIS-256.
  - Enable AES-GCM on aarch64 with the ARM crypto extensions.
- SPL
  - Implement SeekableIterator for SplObjectStorage.
  - The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
  - Passing a nonempty string for the $escape parameter of SplFileObject::setCsvControl(), SplFileObject::fputcsv(), SplFileObject::fgetcsv() is now deprecated.
- Standard
  - Implement GH-12188: Indication for the int size in phpinfo().
  - Partly fix GH-12143: Incorrect round() result for 0.49999999999999994.
  - Fix GH-12252: round(): Validate the rounding mode.
  - Increase the default BCrypt cost to 12.
  - Fixed bug GH-12592: strcspn() odd behavior with NUL bytes and empty mask.
  - Removed the deprecated inet_ntoa call support.
  - Cast large floats that are within int range to int in number_format so the precision is not lost.
  - Add support for 4 new rounding modes to the round() function.
  - debug_zval_dump() now indicates whether an array is packed.
  - Fix GH-12143: Optimize round.
  - Changed return type of long2ip to string from string|false.
  - Fix GH-12143: Extend the maximum precision round can handle by one digit.
  - Added http_get_last_response_headers() and http_clear_last_response_headers(), which allow retrieving the same content as the magic $http_response_header variable.
  - Add php_base64_encode_ex() API.
  - Implemented "Raising zero to the power of a negative number" RFC.
  - Added array_find(), array_find_key(), array_all(), and array_any().
  - Change highlight_string() and print_r() return type to string|true.
  - Fix references in request_parse_body() options array.
  - Add RoundingMode enum.
  - Unserializing the uppercase 'S' tag is now deprecated.
  - Enables crc32 auxiliary detection on OpenBSD.
  - Passing a nonempty string for the $escape parameter of fputcsv(), fgetcsv(), str_getcsv() is now deprecated.
  - The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behavior to be identical to that of fputcsv() and fgetcsv().
  - php_uname() now throws ValueErrors on invalid inputs.
  - The allowed_classes option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
  - Implemented GH-15685: Improve proc_open error reporting on Windows.
  - Add support for backed enums in http_build_query().
  - Fixed bug GH-15982: Assertion failure with array_find when references are involved.
  - Fixed parameter names of fpow() to be identical to pow().
- Streams
  - Implemented GH-15155: Stream context is lost when custom stream wrapper is being filtered.
- Tidy
  - Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
  - Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
- Windows
  - Update the icon of the Windows executables, e.g. php.exe.
  - Fixed bug GH-16199: GREP_HEADER() is broken.
- XML
  - Added XML_OPTION_PARSE_HUGE parser option.
  - Fixed bug #81481: xml_get_current_byte_index limited to 32bit numbers on 64bit builds.
  - The xml_set_object() function has been deprecated.
  - Passing noncallable strings to the xml_set_*_handler() functions is now deprecated.
- XMLReader
  - Declares class constant types.
  - Add XMLReader::fromStream(), XMLReader::fromUri(), XMLReader::fromString().
  - Fixed bug GH-15123: var_dump doesn't actually work on XMLReader.
- XMLWriter
  - Add XMLWriter::toStream(), XMLWriter::toUri(), XMLWriter::toMemory().
- XSL
  - Implement request #64137: XSLTProcessor::setParameter() should allow both quotes to be used.
  - Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
  - Added XSLTProcessor::$maxTemplateDepth and XSLTProcessor::$maxTemplateVars.
  - Fix trampoline leak in xpath callables.
- Zip
  - Added ZipArchive::ER_TRUNCATED_ZIP, which was added in libzip 1.11.
Community Fixes
PHP version 8.3.14 fixes
- CLI
  - Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- COM
  - Fixed out of bound writes to SafeArray data.
- Core
  - Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
  - Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
  - Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
  - Fixed bug GH-16509: Incorrect line number in function redeclaration error.
  - Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
  - Fixed bug GH-16648: Use-after-free during array sorting.
- Curl
  - Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
- Date
  - Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
  - Fixed bug GH-14732: date_sun_info() fails for non-finite values.
- DBA
  - Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
- DOM
  - Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
  - Add missing hierarchy checks to replaceChild.
  - Fixed bug GH-16336: Attribute intern document mismanagement.
  - Fixed bug GH-16338: Null-dereference in ext/dom/node.c.
  - Fixed bug GH-16473: dom_import_simplexml stub is wrong.
  - Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
  - Fixed bug GH-16535: UAF when using document as a child.
  - Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
  - Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
- EXIF
  - Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
- FFI
  - Fixed bug GH-16397: Segmentation fault when comparing FFI object.
- Filter
  - Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
- FPM
  - Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
- GD
  - Fixed bug GH-16334: imageaffine overflow on matrix elements.
  - Fixed bug GH-16427: Unchecked libavif return values.
  - Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
- GMP
  - Fixed floating point exception bug with gmp_pow when using large exponent values.
  - Fixed bug GH-16411: gmp_export() can cause overflow.
  - Fixed bug GH-16501: gmp_random_bits() can cause overflow.
  - Fixed gmp_pow() overflow bug with large base/exponents.
  - Fixed segfaults and other issues related to operator overloading with GMP objects.
- MBstring
  - Fixed bug GH-16361: mb_substr overflow on start/length arguments.
- Opcache
  - Fixed bug GH-16408: Array to string conversion warning emitted in optimizer.
- OpenSSL
  - Fixed bug GH-16357: openssl may modify member types of certificate arrays.
  - Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
  - Fix various memory leaks on error conditions in openssl_x509_parse().
- PDO ODBC
  - Fixed bug GH-16450: PDO_ODBC can inject garbage into field values.
- Phar
  - Fixed bug GH-16406: Assertion failure in ext/phar/phar.c:2808.
- PHPDBG
  - Fixed bug GH-16174: Empty string is an invalid expression for ev.
-
Reflection
- Fixed bug GH-16601: Memory leak in Reflection constructors.
- Session
  - Fixed bug GH-16385: Unexpected null returned by session_set_cookie_params.
  - Fixed bug GH-16290: Overflow on cookie_lifetime ini value.
- SOAP
  - Fixed bug GH-16318: Recursive array segfaults soap encoding.
  - Fixed bug GH-16429: Segmentation fault access null pointer in SoapClient.
- Sockets
  - Fixed bug with overflow socket_recvfrom $length argument.
- SPL
  - Fixed bug GH-16337: Use-after-free in SplHeap.
  - Fixed bug GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet().
  - Fixed bug GH-16479: Use-after-free in SplObjectStorage::setInfo().
  - Fixed bug GH-16478: Use-after-free in SplFixedArray::unset().
  - Fixed bug GH-16588: UAF in Observer->serialize.
  - Fix GH-16477: Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor.
  - Fixed bug GH-16589: UAF in SplDoublyLinked->serialize().
  - Fixed bug GH-14687: Segfault on SplObjectIterator instance.
  - Fixed bug GH-16604: Memory leaks in SPL constructors.
  - Fixed bug GH-16646: UAF in ArrayObject::unset() and ArrayObject::exchangeArray().
- Standard
  - Fixed bug GH-16293: Failed assertion when throwing in assert() callback with bail enabled.
- SysVMsg
  - Fixed bug GH-16592: msg_send() crashes when a type does not properly serialize.
- SysVShm
  - Fixed bug GH-16591: Assertion error in shm_put_var.
- XMLReader
  - Fixed bug GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c.
- Zlib
  - Fixed bug GH-16326: Memory management is broken for bad dictionaries.
PHP version 8.2.26 fixes
- CLI
  - Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- COM
  - Fixed out of bound writes to SafeArray data.
- Core
  - Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
  - Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
  - Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
  - Fixed bug GH-16509: Incorrect line number in function redeclaration error.
  - Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
  - Fixed bug GH-16648: Use-after-free during array sorting.
- Curl
  - Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
- Date
  - Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
  - Fixed bug GH-16037: Assertion failure in ext/date/php_date.c.
  - Fixed bug GH-14732: date_sun_info() fails for non-finite values.
- DBA
  - Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
- DOM
  - Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
  - Fixed bug GH-16473: dom_import_simplexml stub is wrong.
  - Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
  - Fixed bug GH-16535: UAF when using document as a child.
  - Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
  - Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
- EXIF
  - Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
- FFI
  - Fixed bug GH-16397: Segmentation fault when comparing FFI object.
- Filter
  - Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
- FPM
  - Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
- GD
  - Fixed bug GH-16334: imageaffine overflow on matrix elements.
  - Fixed bug GH-16427: Unchecked libavif return values.
  - Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
- GMP
  - Fixed floating point exception bug with gmp_pow when using large exponent values.
  - Fixed bug GH-16411: gmp_export() can cause overflow.
  - Fixed bug GH-16501: gmp_random_bits() can cause overflow.
  - Fixed gmp_pow() overflow bug with large base/exponents.
  - Fixed segfaults and other issues related to operator overloading with GMP objects.
- MBstring
  - Fixed bug GH-16361: mb_substr overflow on start/length arguments.
- OpenSSL
  - Fixed bug GH-16357: openssl may modify member types of certificate arrays.
  - Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
  - Fix various memory leaks on error conditions in openssl_x509_parse().
- PDO ODBC
  - Fixed bug GH-16450: PDO_ODBC can inject garbage into field values.
- Phar
  - Fixed bug GH-16406: Assertion failure in ext/phar/phar.c:2808.
- PHPDBG
  - Fixed bug GH-16174: Empty string is an invalid expression for ev.
- Reflection
  - Fixed bug GH-16601: Memory leak in Reflection constructors.
- Session
  - Fixed bug GH-16385: Unexpected null returned by session_set_cookie_params.
  - Fixed bug GH-16290: Overflow on cookie_lifetime ini value.
- SOAP
  - Fixed bug GH-16429: Segmentation fault access null pointer in SoapClient.
- Sockets
  - Fixed bug with overflow socket_recvfrom $length argument.
- SPL
  - Fixed bug GH-16337: Use-after-free in SplHeap.
  - Fixed bug GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet().
  - Fixed bug GH-16479: Use-after-free in SplObjectStorage::setInfo().
  - Fixed bug GH-16478: Use-after-free in SplFixedArray::unset().
  - Fixed bug GH-16588: UAF in Observer->serialize.
  - Fix GH-16477: Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor.
  - Fixed bug GH-16589: UAF in SplDoublyLinked->serialize().
  - Fixed bug GH-14687: Segfault on SplObjectIterator instance.
  - Fixed bug GH-16604: Memory leaks in SPL constructors.
  - Fixed bug GH-16646: UAF in ArrayObject::unset() and ArrayObject::exchangeArray().
- Standard
  - Fixed bug GH-16293: Failed assertion when throwing in assert() callback with bail enabled.
- SysVMsg
  - Fixed bug GH-16592: msg_send() crashes when a type does not properly serialize.
- SysVShm
  - Fixed bug GH-16591: Assertion error in shm_put_var.
- XMLReader
  - Fixed bug GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c.
- Zlib
  - Fixed bug GH-16326: Memory management is broken for bad dictionaries.
PHP version 8.1.31 fixes
- CLI
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.