ZendPHP Changes
PHP version 8.4.1
The community dropped some extensions from the PHP main sources; these extensions are now built from PECL sources, so their packaging changes on Linux and IBM i:
- oci8
  - has a different package name for RPM-based releases; the old package name is provided for backward compatibility
- pdo_oci
  - must be installed separately as php8.4-zend-pdo-oci (deb) / php84zend-php-pecl-pdo-oci (RPMs), or with: zendphpctl ext install [ --php 8.4 ] pdo_oci
- pspell
  - has a different package name for RPM-based releases; the old package name is provided for backward compatibility
- imap
  - has a different package name for RPM-based releases; the old package name is provided for backward compatibility
RPM packages rebuilt and re-released 25 Nov 2024 as 8.4.1-1.
Fixed apache libphp and litespeed SAPI build options.
The original release was built as ZTS; the new build is fixed to be NTS.
All loadable extensions are built as non-thread-safe (NTS), so SAPI modules built as ZTS cannot use NTS extension modules.
Community CVE Fixes
PHP version 8.3.14, 8.2.26, 8.1.31 CVE fixes
- LDAP
  - Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
- MySQLnd
  - Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
- PDO DBLIB
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
- PDO Firebird
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
- Streams
  - Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
  - Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)
Backported PHP CVE Fixes
PHP version 7.2.34.21, 7.3.33.13, 7.4.33.8, 8.0.30.4 CVE fixes
- CLI
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- LDAP
  - Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
- MySQLnd
  - Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
- PDO DBLIB
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
- PDO Firebird
  - Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
- Streams
  - Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
  - Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)
Community Changes
PHP version 8.4.1 changes
- BcMath
  - [RFC] Add bcfloor, bcceil and bcround to BCMath.
  - Improve performance.
  - Adjust bcround()'s $mode parameter to only accept the RoundingMode enum.
  - Fixed LONG_MAX in BCMath ext.
  - Fixed bcdiv() div by one.
  - [RFC] Support object types in BCMath.
  - bcpow() performance improvement.
  - ext/bcmath: Check for scale overflow.
  - [RFC] ext/bcmath: Added bcdivmod.
  - Fix GH-15968: Avoid converting objects to strings in operator calculations.
  - Fixed bug GH-16265: Added early return case when result is 0.
  - Fixed bug GH-16262: Fixed a bug where size_t underflows.
  - Fixed GH-16236: Fixed a bug in BcMath\Number::pow() and bcpow() when raising negative powers of 0.
- Core
  - Added zend_call_stack_get implementation for NetBSD, DragonFlyBSD, Solaris and Haiku.
  - Enabled ifunc checks on FreeBSD from the 12.x releases.
  - Changed the type of PHP_DEBUG and PHP_ZTS constants to bool.
  - Fixed bug GH-13142: Undefined variable name is shortened when contains \0.
  - Fixed bug GH-13178: Iterator positions incorrect when converting packed array to hashed.
  - Fixed zend fiber build for solaris default mode (32 bits).
  - Fixed zend call stack size for macOs/arm64.
  - Added support for Zend Max Execution Timers on FreeBSD.
  - Ensure fiber stack is not backed by THP.
  - Implement GH-13609: Dump wrapped object in WeakReference class.
  - Added sparc64 arch assembly support for zend fiber.
  - Fixed GH-13581 no space available for TLS on NetBSD.
  - Added fiber Sys-V loongarch64 support.
  - Adjusted closure names to include the parent function's name.
  - Improve randomness of uploaded file names and files created by tempnam().
  - Added gc and shutdown callbacks to zend_mm custom handlers.
  - Fixed bug GH-14650: Compute the size of pages before allocating memory.
  - Fixed bug GH-11928: The --enable-re2c-cgoto doesn't add the -g flag.
  - Added the #[\Deprecated] attribute.
  - Fixed GH-11389: Allow suspending fibers in destructors.
  - Fixed bug GH-14801: Fix build for armv7.
  - Implemented property hooks RFC.
  - Fix GH-14978: The xmlreader extension phpize build.
  - Throw Error exception when encountering recursion during comparison, rather than fatal error.
  - Added missing cstddef include for C++ builds.
  - Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
  - Fixed bug GH-15240: Infinite recursion in trait hook.
  - Fixed bug GH-15140: Missing variance check for abstract set with asymmetric type.
  - Fixed bug GH-15181: Disabled output handler is flushed again.
  - Passing E_USER_ERROR to trigger_error() is now deprecated.
  - Fixed bug GH-15292: Dynamic AVX detection is broken for MSVC.
  - Using "_" as a class name is now deprecated.
  - Exiting a namespace now clears seen symbols.
  - The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
  - Fixed bug GH-15438: Hooks on constructor promoted properties without visibility are ignored.
  - Fixed bug GH-15419: Missing readonly+hook incompatibility check for readonly classes.
  - Fixed bug GH-15187: Various hooked object iterator issues.
  - Fixed bug GH-15456: Crash in get_class_vars() on virtual properties.
  - Fixed bug GH-15501: Windows HAVE__H macros defined to 1 or undefined.
  - Implemented asymmetric visibility for properties.
  - Fixed bug GH-15644: Asymmetric visibility doesn't work with hooks.
  - Implemented lazy objects RFC.
  - Fixed bug GH-15686: Building shared iconv with external iconv library.
  - Fixed missing error when adding asymmetric visibility to unilateral virtual property.
  - Fixed bug GH-15693: Unnecessary include in main.c bloats binary.
  - Fixed bug GH-15731: AllowDynamicProperties validation should error on enums.
  - Fixed bug GH-16040: Use-after-free of object released in hook.
  - Fixed bug GH-16026: Reuse of dtor fiber during shutdown.
  - Fixed bug GH-15999: zend_std_write_property() assertion failure with lazy objects.
  - Fixed bug GH-15960: Foreach edge cases with lazy objects.
  - Fixed bug GH-16185: Various hooked object iterator issues.
  - Fixed bug OSS-Fuzz #371445205: Heap-use-after-free in attr_free.
  - Fixed missing error when adding asymmetric visibility to static properties.
  - Fixed bug OSS-Fuzz #71407: Null-dereference WRITE in zend_lazy_object_clone.
  - Fixed bug GH-16574: Incorrect error "undefined method" messages.
  - Fixed bug GH-16577: EG(strtod_state).freelist leaks with opcache.preload.
  - Fixed bug GH-16615: Assertion failure in zend_std_read_property.
  - Fixed bug GH-16342: Added ReflectionProperty::isLazy().
  - Fixed bug GH-16725: Incorrect access check for non-hooked properties in hooked object iterator.
- Curl
  - Deprecated the CURLOPT_BINARYTRANSFER constant.
  - Bumped required libcurl version to 7.61.0.
  - Added feature_list key to the curl_version() return value.
  - Added constants CURL_HTTP_VERSION_3 (libcurl 7.66) and CURL_HTTP_VERSION_3ONLY (libcurl 7.88) as options for CURLOPT_HTTP_VERSION.
  - Added CURLOPT_TCP_KEEPCNT to set the number of probes to send before dropping the connection.
  - Added CURLOPT_PREREQFUNCTION Curl option to set a custom callback after the connection is established but before the request is performed.
  - Added CURLOPT_SERVER_RESPONSE_TIMEOUT, which was formerly known as CURLOPT_FTP_RESPONSE_TIMEOUT.
  - The CURLOPT_DNS_USE_GLOBAL_CACHE option is now silently ignored.
  - Added CURLOPT_DEBUGFUNCTION as a Curl option.
  - Fixed bug GH-16359: Crash with curl_setopt* CURLOPT_WRITEFUNCTION without null callback.
  - Fixed bug GH-16723: CURLMOPT_PUSHFUNCTION issues.
- Date
  - Added DateTime[Immutable]::createFromTimestamp.
  - Added DateTime[Immutable]::[get|set]Microsecond.
  - Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE are now deprecated.
  - Fixed bug GH-13773: DatePeriod not taking into account microseconds for end date.
- DBA
  - Passing null or false to dba_key_split() is deprecated.
- Debugging
  - Fixed bug GH-15923: GDB: Python Exception: exceptions must derive from BaseException.
DOM
- Added
DOMNode::compareDocumentPosition()
- Implemented #53655: Improve speed of
DOMNode::C14N() on large XML documents.
- Fixed cloning attribute with namespace disappearing namespace.
- Implemented DOM HTML5 parsing and serialization RFC.
- Fixed
DOMElement->prefix with empty string creating bogus prefix.
- Handled OOM more consistently.
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added
DOMXPath::quote() static method.
- Implemented opt-in ext/dom spec compliance RFC.
- Fixed bug #79701:
getElementById does not correctly work with duplicate definitions.
- Implemented "New extdom features in PHP 8.4" RFC.
- Fixed bug GH14698: Segfault on DOM node dereference.
- Improved support for template elements.
- Fixed trampoline leak in XPath callables.
- Throws instead of silently failing when creating a too long text node in
(DOM)ParentNode and (DOM)ChildNode.
- Fixed bug GH15192: Segmentation fault in DOM extension (html5_serializer).
- Deprecated
DOM_PHP_ERR constant.
- Removed
DOMImplementation::getFeature().
- Fixed bug GH15331:
Element::$substitutedNodeValue test failed.
- Fixed bug GH15570: Segmentation fault (access null pointer) in
ext/dom/html5_serializer.c.
- Fixed bug GH13988: Storing
DOMElement consumes 4 times more memory in PHP 8.1 than in PHP 8.0.
- Fixed XML serializer errata:
xmlns="" serialization should be allowed.
- Fixed bug GH15910: Assertion failure in
ext/dom/element.c.
- Fixed unsetting of DOM properties.
- Fixed bug GH16190: Using reflection to call
Dom\Node::__construct causes assertion failure.
- Fixed edge case in DOM parsing decoding.
- Fixed bug GH16465: Heap buffer overflow in
DOMNode->getElementByTagName.
- Fixed bug GH16594: Assertion failure in DOM > before.
-
Fileinfo
- Updated to
libmagic 5.45.
- Fixed bug #65106: PHP fails to compile
ext/fileinfo.
-
FPM
- Implemented GH12385: Flush headers without body when calling
flush().
- Added DragonFlyBSD system to the list which sets
FPM_BACKLOG_DEFAULT to SOMAXCONN.
/dev/poll events.mechanism for Solaris/Illumos setting has been retired.
- Added memory peak to the scoreboard/status page.
-
FTP
- Removed the deprecated
inet_ntoa call support.
- Fixed bug #63937: Upload speed 10 times slower with PHP.
-
GD
- Fixed parameter numbers and missing alpha check for
imagecolorset().
imagepng, imagejpeg, imagewep, and imageavif now throw an exception on invalid quality parameter.
- Checked overflow/underflow for
imagescale and imagefilter.
- Added
gdImageClone to bundled libgd.
-
Gettext
bind_textdomain_codeset, textdomain, and d(*)gettext functions now throw an exception on empty domain.
-
GMP
- The
GMP class is now final and cannot be extended anymore.
- RFC: Changed GMP bool cast behavior.
-
Hash
- Changed return type of
hash_update() to true.
- Added
HashContext::__debugInfo().
-
IMAP
-
Intl
- Added
IntlDateFormatter::PATTERN constant.
- Fixed
Numberformatter::__construct when the locale is invalid, now throws an exception.
- Added
NumberFormatter::ROUND_TOWARD_ZERO and ::ROUND_AWAY_FROM_ZERO as aliases for ::ROUND_DOWN and ::ROUND_UP.
- Added
NumberFormatter::ROUND_HALFODD.
- Added
PROPERTY_IDS_UNARY_OPERATOR, PROPERTY_ID_COMPAT_MATH_START, and PROPERTY_ID_COMPAT_MATH_CONTINUE constants.
- Added
IntlDateFormatter::getIanaID/intltz_get_iana_id method/function.
- Set to C++17 standard for ICU 74 and onwards.
resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
TypeError for invalid offset types.
ValueError for an empty string.
ValueError if the integer index does not fit in a signed 32-bit integer.
ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null.
- Added the new Grapheme function
grapheme_str_split.
- Added
IntlDateFormatter::parseToCalendar.
- Added
SpoofChecker::setAllowedChars to set Unicode character ranges.
- LDAP
  - Added LDAP_OPT_X_TLS_PROTOCOL_MAX/LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 constants.
- LibXML
  - Added LIBXML_RECOVER constant.
  - libxml_set_streams_context() now throws immediately on an invalid context instead of at the use site.
  - Added LIBXML_NO_XXE constant.
- MBString
  - Added mb_trim, mb_ltrim, and mb_rtrim.
  - Added mb_ucfirst and mb_lcfirst.
  - Updated Unicode data tables to Unicode 15.1.
  - Fixed bug GH-15824: mb_detect_encoding(): Argument $encodings contains invalid encoding "UTF8".
  - Updated Unicode data tables to Unicode 16.0.
- Mysqli
  - The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
  - The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed, a SQL "KILL" command can be used instead.
  - The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed, a SQL "FLUSH" command can be used instead.
  - Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated.
  - As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function, it has also been deprecated.
- MySQLnd
  - Fixed bug GH-13440: PDO quote bottleneck.
  - Fixed bug GH-10599: Apache crash on Windows when using a self-referencing anonymous function inside a class with an active MySQLi connection.
- Opcache
  - Added large shared segments support for FreeBSD.
  - If JIT is enabled, PHP will now exit with a fatal error on startup in case of JIT startup initialization issues.
  - Increased the maximum value of opcache.interned_strings_buffer to 32767 on 64-bit architectures.
  - Fixed bug GH-13834: Applying nonzero offset 36 to null pointer in zend_jit.c.
  - Fixed bug GH-14361: Deep recursion in zend_cfg.c causes segfault.
  - Fixed bug GH-14873: PHP 8.4 min function fails on typed integer.
  - Fixed bug GH-15490: Building of call graph modifies preloaded symbols.
  - Fixed bug GH-15178: Assertion in tracing JIT on hooks.
  - Fixed bug GH-15657: Segmentation fault in dasm_x86.h.
  - Added opcache_jit_blacklist() function.
  - Fixed bug GH-16009: Segmentation fault with frameless functions and undefined CVs.
  - Fixed bug GH-16186: Assertion failure in Zend/zend_operators.c.
  - Fixed bug GH-16572: Incorrect result with reflection in low-trigger JIT.
  - Fixed bug GH-16839: Error on building Opcache JIT for Windows ARM64.
- OpenSSL
  - Fixed bug #80269: OpenSSL sets Subject wrong with extraattribs parameter.
  - Implemented request #48520: openssl_csr_new allows multiple values in DN.
  - Introduced new serial_hex parameter to openssl_csr_sign.
  - Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
  - Bumped minimum required OpenSSL version to 1.1.1.
  - Added compile-time option --with-openssl-legacy-provider to enable legacy provider.
  - Added support for Curve25519 + Curve448 based keys.
  - Fixed bug GH-13343: openssl_x509_parse should not allow omitted seconds in UTC times.
  - Bumped minimum required OpenSSL version to 1.1.0.
  - Implemented GH-13514: PASSWORD_ARGON2 from OpenSSL 3.2.
- Output
  - Clear output handler status flags during handler initialization.
  - Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var().
- PCNTL
  - Added pcntl_setns for Linux.
  - Added pcntl_getcpuaffinity/pcntl_setcpuaffinity.
  - Updated pcntl_get_signal_handler signal ID upper limit to be more in line with platform limits.
  - Added pcntl_getcpu for Linux/FreeBSD/Solaris/Illumos.
  - Added pcntl_getqos_class/pcntl_setqos_class for macOS.
  - Added SIGCKPT/SIGCKPTEXIT constants for DragonFlyBSD.
  - Added FreeBSD's SIGTRAP handling to pcntl_siginfo_to_zval.
  - Added POSIX pcntl_waitid.
  - Fixed bug GH-16769: pcntl_sigwaitinfo aborts on signal value as reference.
- PCRE
  - Upgraded bundled pcre2lib to version 10.43.
  - Added /r modifier.
  - Upgraded bundled pcre2lib to version 10.44.
  - Fixed GH-16189: Underflow on offset argument.
  - Fixed UAF issues with PCRE after request shutdown.
- PDO
  - Fixed setAttribute and getAttribute.
  - Implemented PDO driver-specific subclasses RFC.
  - Added support for PDO driver-specific SQL parsers.
  - Fixed bug GH-14792: Compilation failure on pdo_* extensions.
  - mysqlnd supports ER_CLIENT_INTERACTION_TIMEOUT.
  - The internal header php_pdo_int.h is no longer installed; it is not supposed to be used by PDO drivers.
  - Fixed bug GH-16167: Prevent mixing PDO subclasses with different DSN.
  - Fixed bug GH-16314: "Pdo\Mysql object is uninitialized" when opening a persistent connection.
- PDO_DBLIB
  - Fixed setAttribute and getAttribute.
  - Added class Pdo\DbLib.
- PDO_Firebird
  - Fixed setAttribute and getAttribute.
  - Added transaction isolation level and mode settings to pdo_firebird.
  - Added class Pdo\Firebird.
  - Added Pdo\Firebird::ATTR_API_VERSION.
  - Added getApiVersion() and removed it from getAttribute().
  - Supported Firebird 4.0 datatypes.
  - Supported proper formatting of time zone types.
  - Fixed GH-15604: Always make input parameters nullable.
- PDO_MYSQL
  - Fixed setAttribute and getAttribute.
  - Added class Pdo\Mysql.
  - Added custom SQL parser.
  - Fixed GH-15949: PDO_MySQL not properly quoting PDO_PARAM_LOB binary data.
- PDO_ODBC
- PDO_PGSQL
  - Fixed GH-12423: DSN credentials being prioritized over the user/password PDO constructor arguments.
  - Fixed native float support with pdo_pgsql query results.
  - Added class Pdo\Pgsql.
  - Retrieve the memory usage of the query result resource.
  - Added Pdo\Pgsql::setNoticeCallBack method to receive DB notices.
  - Added custom SQL parser.
  - Fixed GH-15986: Double free due to Pdo\Pgsql::setNoticeCallback().
  - Fixed GH-12940: Using PQclosePrepared when available instead of the DEALLOCATE command to free statement resources.
  - Removed PGSQL_ATTR_RESULT_MEMORY_SIZE constant as it is provided by the new PDO subclass as Pdo\Pgsql::ATTR_RESULT_MEMORY_SIZE.
- PDO_SQLITE
  - Added class Pdo\Sqlite.
  - Fixed bug #81227: PDO::inTransaction reports false when in a transaction.
  - Added custom SQL parser.
- PHPDBG
  - Array out of bounds and stack overflow handled for segfault handler on Windows.
  - Fixed bug GH-16041: Support stack limit in phpdbg.
- PGSQL
  - Added the possibility to have no conditions for pg_select.
  - Persistent connections support the PGSQL_CONNECT_FORCE_RENEW flag.
  - Added pg_result_memory_size to get the query result memory usage.
  - Added pg_change_password to alter a user's password.
  - Added pg_put_copy_data/pg_put_copy_end to send COPY commands and signal the end of the COPY.
  - Added pg_socket_poll to poll on the connection.
  - Added pg_jit to get information on server JIT support.
  - Added pg_set_chunked_rows_size to fetch results per chunk.
  - pg_convert/pg_insert/pg_update/pg_delete: Regular expressions are now cached.
- Phar
  - Fixed bug GH-12532: PharData created from zip has incorrect timestamp.
- POSIX
  - Added POSIX_SC_CHILD_MAX and POSIX_SC_CLK_TCK constants.
  - Updated posix_isatty to set the error number on file descriptors.
- PSpell
- Random
  - Fixed bug GH-15094: php_random_default_engine() is not C++ conforming.
  - lcg_value() is now deprecated.
- Readline
  - Fixed readline_info, rl_line_buffer_length/rl_len globals on update.
  - Fixed bug #51558: Shared readline build fails.
  - Fixed UAF with readline_info().
- Reflection
  - Implement GH-12908: Show attribute name/class in ReflectionAttribute dump.
  - Make ReflectionGenerator::getFunction() legal after generator termination.
  - Added ReflectionGenerator::isClosed().
  - Fixed bug GH-15718: Segfault on ReflectionProperty::get{Hook,Hooks}() on dynamic properties.
  - Fixed bug GH-15694: ReflectionProperty::isInitialized() is incorrect for hooked properties.
  - Add missing ReflectionProperty::hasHook[s]() methods.
  - Add missing ReflectionProperty::isFinal() method.
  - Fixed bug GH-16122: The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect.
  - Fixed bug GH-16162: No ReflectionProperty::IS_VIRTUAL.
  - Fixed the name of the second parameter of ReflectionClass::resetAsLazyGhost().
- Session
  - INI settings session.sid_length and session.sid_bits_per_character are now deprecated.
  - Emit warnings for nonpositive values of session.gc_divisor and negative values of session.gc_probability.
  - Fixed bug GH-16590: UAF in session_encode().
- SimpleXML
  - Fix signature of simplexml_import_dom().
- SNMP
  - Removed the deprecated inet_ntoa call support.
- SOAP
  - Add support for clark notation for namespaces in class map.
  - Mitigate #51561: SoapServer with an extended class and using sessions lost the setPersistence().
  - Fixed bug #49278: SoapClient::__getLastResponseHeaders returns NULL if WSDL operation has no output.
  - Fixed bug #44383: PHP DateTime not converted to xsd:datetime.
  - Fixed bug GH-11941: Soap with session persistence will silently fail when "session" is built as a shared object.
  - Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided, flatten the array returned by get_defined_functions().
  - The SOAP_FUNCTIONS_ALL constant is now deprecated.
  - Fixed bug #61525: SOAP functions require at least one space after HTTP header colon.
  - Implement request #47317: SoapServer::__getLastResponse().
- Sockets
  - Removed the deprecated inet_ntoa call support.
  - Added the SO_EXCLUSIVEADDRUSE windows constant.
  - Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
  - Added multicast group support for IPv4 on FreeBSD.
  - Added the TCP_SYNCNT constant for Linux to set the number of attempts to send SYN packets from the client.
  - Added the SO_EXCLBIND constant for exclusive socket binding on illumos/Solaris.
  - Updated the socket_create_listen backlog argument default value to SOMAXCONN.
  - Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
  - Added SO_LINGER_SEC for macOS, true equivalent of SO_LINGER in other platforms.
  - Added closeonexec on socket created with socket_accept on Unix.
  - Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
  - Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to newly created sockets.
  - Added SO_BINDTOIFINDEX to bind a socket to an interface index.
- Sodium
  - Add support for AEGIS128L and AEGIS256.
  - Enable AESGCM on aarch64 with the ARM crypto extensions.
- SPL
  - Implement SeekableIterator for SplObjectStorage.
  - The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
  - Passing a nonempty string for the $escape parameter of SplFileObject::setCsvControl(), SplFileObject::fputcsv(), SplFileObject::fgetcsv() is now deprecated.
- Standard
  - Implement GH-12188: Indication for the int size in phpinfo().
  - Partly fix GH-12143: Incorrect round() result for 0.49999999999999994.
  - Fix GH-12252: round(): Validate the rounding mode.
  - Increase the default BCrypt cost to 12.
  - Fixed bug GH-12592: strcspn() odd behavior with NUL bytes and empty mask.
  - Removed the deprecated inet_ntoa call support.
  - Cast large floats that are within int range to int in number_format so the precision is not lost.
  - Add support for 4 new rounding modes to the round() function.
  - debug_zval_dump() now indicates whether an array is packed.
  - Fix GH-12143: Optimize round.
  - Changed return type of long2ip to string from string|false.
  - Fix GH-12143: Extend the maximum precision round can handle by one digit.
  - Added http_get_last_response_headers() and http_clear_last_response_headers(), which allow retrieving the same content as the magic $http_response_header variable.
  - Add php_base64_encode_ex() API.
  - Implemented "Raising zero to the power of a negative number" RFC.
  - Added array_find(), array_find_key(), array_all(), and array_any().
  - Change highlight_string() and print_r() return type to string|true.
  - Fix references in request_parse_body() options array.
  - Add RoundingMode enum.
  - Unserializing the uppercase 'S' tag is now deprecated.
  - Enables crc32 auxiliary detection on OpenBSD.
  - Passing a nonempty string for the $escape parameter of fputcsv(), fgetcsv(), str_getcsv() is now deprecated.
  - The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behavior to be identical to that of fputcsv() and fgetcsv().
  - php_uname() now throws ValueErrors on invalid inputs.
  - The allowed_classes option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
  - Implemented GH-15685: Improve proc_open error reporting on Windows.
  - Add support for backed enums in http_build_query().
  - Fixed bug GH-15982: Assertion failure with array_find when references are involved.
  - Fixed parameter names of fpow() to be identical to pow().
- Streams
  - Implemented GH-15155: Stream context is lost when custom stream wrapper is being filtered.
- Tidy
  - Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
  - Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
- Windows
  - Update the icon of the Windows executables, e.g. php.exe.
  - Fixed bug GH-16199: GREP_HEADER() is broken.
- XML
  - Added XML_OPTION_PARSE_HUGE parser option.
  - Fixed bug #81481: xml_get_current_byte_index limited to 32bit numbers on 64bit builds.
  - The xml_set_object() function has been deprecated.
  - Passing noncallable strings to the xml_set_*_handler() functions is now deprecated.
- XMLReader
  - Declares class constant types.
  - Add XMLReader::fromStream(), XMLReader::fromUri(), XMLReader::fromString().
  - Fixed bug GH-15123: var_dump doesn't actually work on XMLReader.
- XMLWriter
  - Add XMLWriter::toStream(), XMLWriter::toUri(), XMLWriter::toMemory().
- XSL
  - Implement request #64137: XSLTProcessor::setParameter() should allow both quotes to be used.
  - Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
  - Added XSLTProcessor::$maxTemplateDepth and XSLTProcessor::$maxTemplateVars.
  - Fix trampoline leak in xpath callables.
- Zip
  - Added ZipArchive::ER_TRUNCATED_ZIP, introduced in libzip 1.11.
Community Fixes
PHP version 8.3.14 fixes
- CLI
  - Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- COM
  - Fixed out of bound writes to SafeArray data.
- Core
  - Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
  - Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
  - Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
  - Fixed bug GH-16509: Incorrect line number in function redeclaration error.
  - Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
  - Fixed bug GH-16648: Use-after-free during array sorting.
- Curl
  - Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
- Date
  - Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
  - Fixed bug GH-14732: date_sun_info() fails for non-finite values.
- DBA
  - Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
- DOM
  - Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
  - Add missing hierarchy checks to replaceChild.
  - Fixed bug GH-16336: Attribute intern document mismanagement.
  - Fixed bug GH-16338: Null-dereference in ext/dom/node.c.
  - Fixed bug GH-16473: dom_import_simplexml stub is wrong.
  - Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
  - Fixed bug GH-16535: UAF when using document as a child.
  - Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
  - Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
- EXIF
  - Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
- FFI
  - Fixed bug GH-16397: Segmentation fault when comparing FFI object.
- Filter
  - Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
- FPM
  - Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
- GD
  - Fixed bug GH-16334: imageaffine overflow on matrix elements.
  - Fixed bug GH-16427: Unchecked libavif return values.
  - Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
- GMP
  - Fixed floating point exception bug with gmp_pow when using large exponent values.
  - Fixed bug GH-16411: gmp_export() can cause overflow.
  - Fixed bug GH-16501: gmp_random_bits() can cause overflow.
  - Fixed gmp_pow() overflow bug with large base/exponents.
  - Fixed segfaults and other issues related to operator overloading with GMP objects.
- MBstring
  - Fixed bug GH-16361: mb_substr overflow on start/length arguments.
- Opcache
  - Fixed bug GH-16408: Array to string conversion warning emitted in optimizer.
- OpenSSL
  - Fixed bug GH-16357: openssl may modify member types of certificate arrays.
  - Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
  - Fix various memory leaks on error conditions in openssl_x509_parse().
PDO ODBC
- Fixed bug GH-16450:
PDO_ODBC can inject garbage into field values.
-
Phar
- Fixed bug GH-16406: Assertion failure in
ext/phar/phar.c:2808.
-
PHPDBG
- Fixed bug GH-16174: Empty string is an invalid expression for
ev.
-
Reflection
- Fixed bug GH-16601: Memory leak in Reflection constructors.
-
Session
- Fixed bug GH-16385: Unexpected null returned by
session_set_cookie_params.
- Fixed bug GH-16290: Overflow on
cookie_lifetime ini value.
-
SOAP
- Fixed bug GH-16318: Recursive array segfaults soap encoding.
- Fixed bug GH-16429: Segmentation fault access null pointer in
SoapClient.
-
Sockets
- Fixed bug with overflow
socket_recvfrom $length argument.
-
SPL
- Fixed bug GH-16337: Use-after-free in
SplHeap.
- Fixed bug GH-16464: Use-after-free in
SplDoublyLinkedList::offsetSet().
- Fixed bug GH-16479: Use-after-free in
SplObjectStorage::setInfo().
- Fixed bug GH-16478: Use-after-free in
SplFixedArray::unset().
- Fixed bug GH-16588: UAF in
Observer->serialize.
- Fix GH-16477: Segmentation fault when calling
__debugInfo() after failed SplFileObject::__constructor.
- Fixed bug GH-16589: UAF in
SplDoublyLinked->serialize().
- Fixed bug GH-14687: Segfault on
SplObjectIterator instance.
- Fixed bug GH-16604: Memory leaks in SPL constructors.
- Fixed bug GH-16646: UAF in
ArrayObject::unset() and ArrayObject::exchangeArray().
-
Standard
- Fixed bug GH-16293: Failed assertion when throwing in
assert() callback with bail enabled.
-
SysVMsg
- Fixed bug GH-16592:
msg_send() crashes when a type does not properly serialize.
-
SysVShm
- Fixed bug GH-16591: Assertion error in
shm_put_var.
-
XMLReader
- Fixed bug GH-16292: Segmentation fault in
ext/xmlreader/php_xmlreader.c.
-
Zlib
- Fixed bug GH-16326: Memory management is broken for bad dictionaries.
PHP version 8.2.26 fixes
- CLI
  - Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
- COM
  - Fixed out of bound writes to SafeArray data.
- Core
  - Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
  - Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
  - Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
  - Fixed bug GH-16509: Incorrect line number in function redeclaration error.
  - Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
  - Fixed bug GH-16648: Use-after-free during array sorting.
- Curl
  - Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
- Date
  - Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
  - Fixed bug GH-16037: Assertion failure in ext/date/php_date.c.
  - Fixed bug GH-14732: date_sun_info() fails for non-finite values.
- DBA
  - Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
- DOM
  - Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
  - Fixed bug GH-16473: dom_import_simplexml stub is wrong.
  - Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
  - Fixed bug GH-16535: UAF when using document as a child.
  - Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
  - Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
- EXIF
  - Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
- FFI
  - Fixed bug GH-16397: Segmentation fault when comparing FFI object.
- Filter
  - Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
- FPM
  - Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
- GD
  - Fixed bug GH-16334: imageaffine overflow on matrix elements.
  - Fixed bug GH-16427: Unchecked libavif return values.
  - Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
- GMP
  - Fixed floating point exception bug with gmp_pow when using large exponent values.
  - Fixed bug GH-16411: gmp_export() can cause overflow.
  - Fixed bug GH-16501: gmp_random_bits() can cause overflow.
  - Fixed gmp_pow() overflow bug with large base/exponents.
  - Fixed segfaults and other issues related to operator overloading with GMP objects.
- MBstring
  - Fixed bug GH-16361: mb_substr overflow on start/length arguments.
- OpenSSL
  - Fixed bug GH-16357: openssl may modify member types of certificate arrays.
  - Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
  - Fix various memory leaks on error conditions in openssl_x509_parse().
- PDO ODBC
  - Fixed bug GH-16450: PDO_ODBC can inject garbage into field values.
- Phar
  - Fixed bug GH-16406: Assertion failure in ext/phar/phar.c:2808.
- PHPDBG
  - Fixed bug GH-16174: Empty string is an invalid expression for ev.
- Reflection
  - Fixed bug GH-16601: Memory leak in Reflection constructors.
- Session
  - Fixed bug GH-16385: Unexpected null returned by session_set_cookie_params.
  - Fixed bug GH-16290: Overflow on cookie_lifetime ini value.
- SOAP
  - Fixed bug GH-16429: Segmentation fault access null pointer in SoapClient.
- Sockets
  - Fixed bug with overflow socket_recvfrom $length argument.
- SPL
  - Fixed bug GH-16337: Use-after-free in SplHeap.
  - Fixed bug GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet().
  - Fixed bug GH-16479: Use-after-free in SplObjectStorage::setInfo().
  - Fixed bug GH-16478: Use-after-free in SplFixedArray::unset().
  - Fixed bug GH-16588: UAF in Observer->serialize.
  - Fix GH-16477: Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor.
  - Fixed bug GH-16589: UAF in SplDoublyLinked->serialize().
  - Fixed bug GH-14687: Segfault on SplObjectIterator instance.
  - Fixed bug GH-16604: Memory leaks in SPL constructors.
  - Fixed bug GH-16646: UAF in ArrayObject::unset() and ArrayObject::exchangeArray().
- Standard
  - Fixed bug GH-16293: Failed assertion when throwing in assert() callback with bail enabled.
- SysVMsg
  - Fixed bug GH-16592: msg_send() crashes when a type does not properly serialize.
- SysVShm
  - Fixed bug GH-16591: Assertion error in shm_put_var.
- XMLReader
  - Fixed bug GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c.
- Zlib
  - Fixed bug GH-16326: Memory management is broken for bad dictionaries.
PHP version 8.1.31 fixes
- CLI
  - Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.