After a lengthy QA process, PHP 4.1.0 is finally out. Download at
http://www.php.net/downloads.php !
PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)
- Highly improved performance in general
- Revolutionary performance and stability improvements under Windows. The
multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as
much as 30 times faster under load! We want to thank Brett Brewer and his
team in Microsoft for working with us to improve PHP for Windows.
- Versioning support for extensions. Right now it's barely being used, but
the infrastructure was put in place to support separate version numbers for
different extensions. The negative side effect is that loading extensions
that were built against old versions of PHP will now result in a crash,
instead of in a nice clear message. Make sure you only use extensions
built with PHP 4.1.0.
- Turn-key output compression support
- *LOTS* of fixes and new functions
As some of you may notice, this version is quite historical, as it's the
first time in history we actually incremented the middle digit! :) The two
key reasons for this unprecedented change were the new input interface, and
the broken binary compatibility of modules due to the versioning support.
Following is a description of the new input mechanism. For a full list of
changes in PHP 4.1.0, scroll down to the end of this section.
-----------------------------------
SECURITY: NEW INPUT MECHANISM
First and foremost, it's important to stress that regardless of anything
you may read in the following lines, PHP 4.1.0 *supports* the old input
mechanisms from older versions. Old applications should go on working fine
without modification!
Now that we have that behind us, let's move on :)
For various reasons, PHP setups which rely on register_globals being on
(i.e., on form, server and environment variables becoming a part of the
global namespace, automatically) are very often exploitable to various
degrees. For example, the piece of code:
<?php
if (authenticate_user()) {
$authenticated = true;
}
...
?>
May be exploitable, as remote users can simply pass on 'authenticated' as a
form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.
While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate
register_globals. Obviously, because the vast majority of the PHP code in
the world relies on the existence of this feature, we have no plans to
actually remove it from PHP anytime in the foreseeable future, but we've
decided to encourage people to shut it off whenever possible.
To help users build PHP applications with register_globals being off, we've
added several new special variables that can be used instead of the old
global variables. There are 7 new special arrays:
$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie
variables. In other words - all the information that is coming from the
user, and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module
Now, other than the fact that these variables contain this special
information, they're also special in another way - they're automatically
global in any scope. This means that you can access them anywhere, without
having to 'global' them first. For example:
function example1()
{
print $_GET["name"]; // works, 'global $_GET;' is not necessary!
}
would work fine! We hope that this fact would ease the pain in migrating
old code to new code a bit, and we're confident it's going to make writing
new code easier. Another neat trick is that creating new entries in the
$_SESSION array will automatically register them as session variables, as
if you called session_register(). This trick is limited to the session
module only - for example, setting new entries in $_ENV will *not* perform
an implicit putenv().
PHP 4.1.0 still defaults to have register_globals set to on. It's a
transitional version, and we encourage application authors, especially
public ones which are used by a wide audience, to change their applications
to work in an environment where register_globals is set to off. Of course,
they should take advantage of the new features supplied in PHP 4.1.0 that
make this transition much easier.
As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a brand new
machine (typically, if you're a brand new user), will this affect you, and
then too - you can turn it on if you choose to.
Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These
names still work, but we encourage users to switch to the new shorter, and
auto-global versions.
Thanks go to Shaun Clowes ([EMAIL PROTECTED]) for pointing out
this problem and for analyzing it.
-------------------------------------
FULL LIST OF CHANGES
10 Dec 2001, Version 4.1.0
- Worked around a bug in the MySQL client library that could cause PHP to hang
when using unbuffered queries. (Zeev)
- Fixed a bug which caused set_time_limit() to affect all subsequent requests
to running Apache child process. (Zeev)
- Removed the sablotron extension in favor of the new XSLT extension.
(Sterling)
- Fixed a bug in WDDX deserialization that would sometimes corrupt the root
element if it was a scalar one. (Andrei)
- Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images.
(Rasmus)
- Fixed a bug in preg_match_all() that would return results under improper
indices in certain cases. (Andrei)
- Fixed a crash in str_replace() that would happen if search parameter was an
array and one of the replacements resulted in subject string being empty.
(Andrei)
- Fixed MySQL extension to work with MySQL 4.0. (Jani)
- Fixed a crash bug within Cobalt systems. Patch by [EMAIL PROTECTED] (Jani)
- Bundled Dan Libby's xmlrpc-epi extension.
- Introduced extension version numbers. (Stig)
- Added version_compare() function. (Stig)
- Fixed pg_last_notice() (could cause random crashes in PostgreSQL
applications, even if they didn't use pg_last_notice()). (Zeev)
- Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of
E_ERROR error's, this allows you to trap errors thrown by DOMXML functions.
(Sterling)
- Fixed a bug in the mcrypt extension, where list destructors were not
properly being allocated. (Sterling)
- Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
- Fixed a crash bug in array_map() if the input arrays had string or
non-sequential keys. Also modified it so that if a single array is passed,
its keys are preserved in the resulting array. (Andrei)
- Fixed a crash in dbase_replace_record. (Patch by [EMAIL PROTECTED])
- Fixed a crash in msql_result(). (Zeev)
- Added support for single dimensional SafeArrays and Enumerations.
Added an is_enum() function to check if a component implements an
enumeration. (Alan, Harald)
- Fixed a bug in dbase_get_record() and dbase_get_record_with_names().
boolean fields are now returned correctly.
Patch by Lawrence E. Widman <[EMAIL PROTECTED]> (Jani)
- Added --version option to php-config. (Stig)
- Improved support for thttpd-2.21b by incorporating patches for all known
bugs. (Sascha)
- Added ircg_get_username, a roomkey argument to ircg_join, error fetching
infrastructure, a tokenizer to speed up message processing, and fixed
a lot of bugs in the IRCG extension. (Sascha)
- Improved speed of the serializer/deserializer. (Thies, Sascha)
- Floating point numbers are better detected when converting from strings.
(Zeev, Zend Engine)
- Replaced php.ini-optimized with php.ini-recommended. As the name implies,
it's warmly recommended to use this file as the basis for your PHP
configuration, rather than php.ini-dist. (Zeev)
- Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There
are still some known leaks. (Joey)
- Added import_request_variables(), to allow users to safely import form
variables to the global scope (Zeev)
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
variables. Like the other new variables, this variable is also available
regardless of the context. (Andi & Zeev)
- Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which
deprecate the old $HTTP_*_VARS arrays. In addition to be much shorter to
type - these variables are also available regardless of the scope, and
there's no need to import them using the 'global' statement. (Andi & Zeev)
- Added vprintf() and vsprintf() functions that allow passing all arguments
after format as an array. (Andrei)
- Added support for GD2 image type for ImageCreateFromString() (Jani)
- Added ImageCreateFromGD(), ImageCreateFromGD2(), ImageCreateFromGD2part(),
ImageGD() and ImageGD2() functions (Jani)
- addcslashes now warns when charlist is invalid. The returned string
remained the same (Jeroen)
- Added optional extra argument to gmp_init(). The extra argument
indicates which number base gmp should use when converting a
string to the gmp-number. (Troels)
- Added the Cyrus-IMAP extension, which allows a direct interface to Cyrus'
more advanced capabilities. (Sterling)
- Enhance read_exif_data() to support multiple comment tags (Rasmus)
- Fixed a crash bug in array_map() when NULL callback was passed in. (Andrei)
- Change from E_ERROR to E_WARNING in the exif extension (Rasmus)
- New pow() implementation, which returns an integer when possible,
and warnings on wrong input (jeroen)
- Added optional second parameter to trim, chop and ltrim. You can
now specify which characters to trim (jeroen)
- Hugely improved the performance of the thread-safe version of PHP, especially
under Windows (Andi & Zeev)
- Improved request-shutdown performance significantly (Andi & Zeev, Zend
Engine)
- Added a few new math functions. (Jesus)
- Bump bundled expat to 1.95.2 (Thies)
- Improved the stability of OCIPlogon() after a database restart. (Thies)
- Fixed __FILE__ in the CGI & Java servlet modes when used in the main script.
It only worked correctly in included files before this fix (Andi)
- Improved the Zend hash table implementation to be much faster (Andi, Zend
Engine)
- Updated PHP's file open function (used by include()) to check in the calling
script's directory in case the file can't be found in the include_path
(Andi)
- Fixed a corruption bug that could cause constants to become corrupted, and
possibly prevent resources from properly being cleaned up at the end of
a request (Zeev)
- Added optional use of Boyer-Moore algorithm to str_replace() (Sascha)
- Fixed and improved shared-memory session storage module (Sascha)
- Add config option (always_populate_raw_post_data) which when enabled
will always populate $HTTP_RAW_POST_DATA regardless of the post mime
type (Rasmus)
- Added support for socket and popen file types to ftp_fput (Jason)
- Fixed various memory leaks in the LDAP extension (Stig Venaas)
- Improved interactive mode - it is now available in all builds of PHP, without
any significant slowdown (Zeev, Zend Engine)
- Fixed crash in iptcparse() if the supplied data was bogus. (Thies)
- Fixed return value for a failed snmpset() - now returns false (Rasmus)
- Added hostname:port support to snmp functions ([EMAIL PROTECTED], Rasmus)
- Added fdf_set_encoding() function (Masaki YATSU, Rasmus)
- Reversed the destruction-order of resources. This fixes the reported OCI8
"failed to rollback outstanding transactions!" message (Thies, Zend Engine)
- Added option for returning XMLRPC fault packets. (Matt Allen, Sascha
Schumann)
- Improved range() function to support range('a','z') and range(9,0) types of
ranges. (Rasmus)
- Added getmygid() and safe_mode_gid ini directive to allow safe mode to do
a gid check instead of a uid check. (James E. Flemer, Rasmus)
- Made assert() accept the array(&$obj, 'methodname') syntax. (Thies)
- Made sure that OCI8 outbound variables are always zero-terminated. (Thies)
- Fixed a bug that allowed users to spawn processes while using the 5th
parameter to mail(). (Derick)
- Added nl_langinfo() (when OS provides it) that returns locale.
- Fixed a major memory corruption bug in the thread safe version. (Zeev)
- Fixed a crash when using the CURLOPT_WRITEHEADER option. (Sterling)
- Added optional suffix removal parameter to basename(). (Hartmut)
- Added new parameter UDM_PARAM_VARDIR ha in Udm_Set_Agent_Param() function to
support alternative search data directory. This requires mnogoSearch 3.1.13
or later.
- Fixed references in sessions. This doesn't work when using the WDDX
session-serializer. Also improved speed of sessions. (Thies)
- Added new experimental module pcntl (Process Control). (Jason)
- Fixed a bug when com.allow_dcom is set to false. (phanto)
- Added a further parameter to the constructor to load typelibs from file when
instantiating components (e.g. DCOM Components without local registration).
(phanto)
- Added the possibility to specify typelibs by full name in the typelib file
(Alan Brown)
- Renamed the ZZiplib extension to the Zip extension, function names have also
changed accordingly, functionality, has stayed constant. (Sterling)
- Made the length argument (argument 2) to pg_loread() optional, if not
specified data will be read in 1kb chunks. (Sterling)
- Added a third argument to pg_lowrite() which is the length of the data to
write. (Sterling)
- Added the CONNECTION_ABORTED, CONNECTION_TIMEOUT and CONNECTION_NORMAL
constants. (Zak)
- Assigning to a string offset beyond the end of the string now automatically
increases the string length by padding it with spaces, and performs the
assignment. (Zeev, Zend Engine)
- Added warnings in case an uninitialized string offset is read. (Zeev, Zend
Engine)
- Fixed a couple of overflow bugs in case of very large negative integer
numbers. (Zeev, Zend Engine)
- Fixed a crash bug in the string-offsets implementation (Zeev, Zend Engine)
- Improved the implementation of parent::method_name() for classes which use
run-time inheritance. (Zeev, Zend Engine)
- Added 'W' flag to date() function to return week number of year using ISO
8601 standard. (Colin)
- Made the PostgreSQL driver do internal row counting when iterating through
result sets. ([EMAIL PROTECTED])
- Updated ext/mysql/libmysql to version 3.23.39; Portability fixes, minor
bug fixes. ([EMAIL PROTECTED])
- Added get_defined_constants() function to return an associative array of
constants mapped to their values. (Sean)
- New mailparse extension for parsing and manipulating MIME mail. (Wez)
- Define HAVE_CONFIG_H when building standalone DSO extensions. (Stig)
- Added the 'u' modifier to printf/sprintf which prints unsigned longs.
(Derick)
- Improved IRIX compatibility. (Sascha)
- Fixed crash bug in bzopen() when specifying an invalid file. (Andi)
- Fixed bugs in the mcrypt extension that caused crashes. (Derick)
- Added the IMG_ARC_ROUNDED option for the ImageFilledArc() function, which
specified that the drawn curve should be rounded. (Sterling)
- Updated the sockets extension to use resources instead of longs for the
socket descriptors. The socket functions have been renamed to conform with
the PHP standard instead of their C counterparts. The sockets extension is
now usable under Win32. (Daniel)
- Added disk_total_space() to return the total size of a filesystem.
(Patch from Steven Bower)
- Renamed diskfreespace() to disk_free_space() to conform to established
naming conventions. (Jon)
- Fixed #2181. Now zero is returned instead of an unset value for
7-bit encoding and plain text body type. (Vlad)
- Fixed a bug in call_user_*() functions that would not allow calling
functions/methods that accepted parameters by reference. (Andrei)
- Added com_release($obj) and com_addref($obj) functions and the related class
members $obj->Release() and $obj->AddRef() to gain more control over the
used
COM components. (phanto)
- Added an additional parameter to dotnet_load to specify the codepage (phanto)
- Added peak memory logging. Use --enable-memory-limit to create a new Apache
1.x logging directive "{mod_php_memory_usage}n" which will log the peak
amount of memory used by the script. (Thies)
- Made fstat() and stat() provide identical output by returning a numerical and
string indexed array. (Jason)
- Fixed memory leak upon re-registering constants. (Sascha, Zend Engine)
-----------------------------------
Zeev
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
