[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/php.ini-development branches/PHP_5_3/php.ini-production branches/PHP_5_4/UPGRADING branches/PHP_5_4/php.ini-development branche
dmitry Thu, 15 Dec 2011 10:31:02 + Revision: http://svn.php.net/viewvc?view=revisionrevision=321040 Log: Added max_input_vars directive to prevent attacks based on hash collisions Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING U php/php-src/branches/PHP_5_3/php.ini-development U php/php-src/branches/PHP_5_3/php.ini-production U php/php-src/branches/PHP_5_4/UPGRADING U php/php-src/branches/PHP_5_4/php.ini-development U php/php-src/branches/PHP_5_4/php.ini-production U php/php-src/trunk/UPGRADING U php/php-src/trunk/php.ini-development U php/php-src/trunk/php.ini-production Modified: php/php-src/branches/PHP_5_3/UPGRADING === --- php/php-src/branches/PHP_5_3/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_3/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040) @@ -163,6 +163,11 @@ xsl.security_prefs. This option will be marked as deprecated in 5.4 again. Use the method XsltProcess::setSecurityPrefs($options) there. +- the following new directives were added + + - max_input_vars - specifies how many GET/POST/COOKIE input variables may be +accepted. default value 1000. + = 5. Deprecated = Modified: php/php-src/branches/PHP_5_3/php.ini-development === --- php/php-src/branches/PHP_5_3/php.ini-development2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_3/php.ini-development2011-12-15 10:31:02 UTC (rev 321040) @@ -457,6 +457,9 @@ ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Modified: php/php-src/branches/PHP_5_3/php.ini-production === --- php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 10:31:02 UTC (rev 321040) 
@@ -457,6 +457,9 @@ ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Modified: php/php-src/branches/PHP_5_4/UPGRADING === --- php/php-src/branches/PHP_5_4/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_4/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040) @@ -75,7 +75,11 @@ - safe_mode_protected_env_vars - zend.ze1_compatibility_mode +- the following new directives were added + - max_input_vars - specifies how many GET/POST/COOKIE input variables may be +accepted. default value 1000. + = 2. Reserved words and classes = Modified: php/php-src/branches/PHP_5_4/php.ini-development === --- php/php-src/branches/PHP_5_4/php.ini-development2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_4/php.ini-development2011-12-15 10:31:02 UTC (rev 321040) @@ -397,6 +397,9 @@ ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Modified: php/php-src/branches/PHP_5_4/php.ini-production === --- php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 10:31:02 UTC (rev 321040) @@ -397,6 +397,9 @@ ; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit memory_limit = 128M Modified: php/php-src/trunk/UPGRADING === --- php/php-src/trunk/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039) +++ php/php-src/trunk/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040) 
@@ -82,6 +82,11 @@ - safe_mode_protected_env_vars - zend.ze1_compatibility_mode +- the following new directives were added + + - max_input_vars - specifies how many GET/POST/COOKIE input variables may be +accepted. default value 1000. + = 2. Reserved words and classes = Modified:
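Review bot: the PHP_5_3 UPGRADING hunk does not say what happens once a request carries more than max_input_vars variables: whether the surplus is silently dropped, a warning is raised, or the request is rejected. Since the directive is a mitigation for hash-collision DoS, an operator tuning the value needs that behaviour spelled out; add a sentence to the `- max_input_vars - specifies how many GET/POST/COOKIE input variables may be` entry, indent its continuation line like the other entries, and capitalise `default value 1000.` as a sentence.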
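Review bot: in the PHP_5_4 UPGRADING hunk, `+- the following new directives were added` follows `- zend.ze1_compatibility_mode` without the blank separator line that the 5.3 and trunk hunks include (`+` on its own line before `+ - max_input_vars`), and it sits directly under a list of removed directives. Add the blank line so the three branches match, and check that the entry lands in the part of section 1 that lists new directives rather than reading as a continuation of the removed ones.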
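Review bot: the php.ini-development and php.ini-production hunks add `; max_input_vars = 1000` without the `; http://php.net/...` documentation line that every neighbouring entry carries (see `; http://php.net/max-input-nesting-level` directly above the insertion point). Add `; http://php.net/max-input-vars` for consistency, and consider shipping the directive uncommented in php.ini-production so the limit is visible as part of the hardening defaults rather than relying on the built-in value.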
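Review bot: the Changed paths list only UPGRADING and the two php.ini templates; nothing in this revision registers the directive or enforces the limit, so the log line "Added max_input_vars directive to prevent attacks based on hash collisions" describes behaviour that must live in a sibling commit. Anyone merging this to a branch should confirm the enforcing change landed there too, otherwise php.ini advertises a setting with no effect.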
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/main/main.c branches/PHP_5_3/main/php_globals.h branches/PHP_5_4/main/main.c trunk/main/main.c
pajoye Thu, 24 Nov 2011 12:46:45 + Revision: http://svn.php.net/viewvc?view=revisionrevision=319750 Log: - merge crt warning change (r216594) and rename the ini to windows.show_crt_warning Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING U php/php-src/branches/PHP_5_3/main/main.c U php/php-src/branches/PHP_5_3/main/php_globals.h U php/php-src/branches/PHP_5_4/main/main.c U php/php-src/trunk/main/main.c Modified: php/php-src/branches/PHP_5_3/UPGRADING === --- php/php-src/branches/PHP_5_3/UPGRADING 2011-11-24 11:42:00 UTC (rev 319749) +++ php/php-src/branches/PHP_5_3/UPGRADING 2011-11-24 12:46:45 UTC (rev 319750) @@ -343,6 +343,9 @@ - A new directive, request_order, controls the behavior of $_REQUEST independently of variables_order. +- A new directive, called windows.show_crt_warning, has been introduced. + This directive shows the CRT warnings when enabled. These warnings were + displayed by default until now. It is disabled by default. - New INI directives: - mail.add_x_header Modified: php/php-src/branches/PHP_5_3/main/main.c === --- php/php-src/branches/PHP_5_3/main/main.c2011-11-24 11:42:00 UTC (rev 319749) +++ php/php-src/branches/PHP_5_3/main/main.c2011-11-24 12:46:45 UTC (rev 319750) @@ -544,6 +544,9 @@ STD_PHP_INI_ENTRY(user_ini.filename, .user.ini, PHP_INI_SYSTEM, OnUpdateString, user_ini_filename, php_core_globals, core_globals) STD_PHP_INI_ENTRY(user_ini.cache_ttl, 300, PHP_INI_SYSTEM, OnUpdateLong, user_ini_cache_ttl, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN(exit_on_timeout, 0, PHP_INI_ALL,OnUpdateBool, exit_on_timeout, php_core_globals, core_globals) +#ifdef PHP_WIN32 + STD_PHP_INI_BOOLEAN(windows.show_crt_warning, 0, PHP_INI_ALL,OnUpdateBool, windows_show_crt_warning, php_core_globals, core_globals) +#endif PHP_INI_END() /* }}} */ 
@@ -1787,18 +1790,21 @@ int len; if (!called) { - called = 1; - if (function) { - if (file) { - len = _snprintf(buf, sizeof(buf)-1, Invalid parameter detected in CRT function '%ws' (%ws:%d), function, file, line); + TSRMLS_FETCH(); + if(PG(windows_show_crt_warning)) { + called = 1; + if (function) { + if (file) { + len = _snprintf(buf, sizeof(buf)-1, Invalid parameter detected in CRT function '%ws' (%ws:%d), function, file, line); + } else { + len = _snprintf(buf, sizeof(buf)-1, Invalid parameter detected in CRT function '%ws', function); + } } else { - len = _snprintf(buf, sizeof(buf)-1, Invalid parameter detected in CRT function '%ws', function); + len = _snprintf(buf, sizeof(buf)-1, Invalid CRT parameter detected (function not known)); } - } else { - len = _snprintf(buf, sizeof(buf)-1, Invalid CRT parameters detected); + zend_error(E_WARNING, %s, buf); + called = 0; } - zend_error(E_WARNING, %s, buf); - called = 0; } } #endif Modified: php/php-src/branches/PHP_5_3/main/php_globals.h === --- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-11-24 11:42:00 UTC (rev 319749) +++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-11-24 12:46:45 UTC (rev 319750) @@ -170,6 +170,10 @@ char *mail_log; zend_bool in_error_log; + +#ifdef PHP_WIN32 + zend_bool windows_show_crt_warning; +#endif }; Modified: php/php-src/branches/PHP_5_4/main/main.c === --- php/php-src/branches/PHP_5_4/main/main.c2011-11-24 11:42:00 UTC (rev 319749) +++ php/php-src/branches/PHP_5_4/main/main.c2011-11-24 12:46:45 UTC (rev 319750) @@ -514,7 +514,7 @@ STD_PHP_INI_ENTRY(user_ini.cache_ttl, 300, PHP_INI_SYSTEM, OnUpdateLong, user_ini_cache_ttl, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN(exit_on_timeout, 0, PHP_INI_ALL,OnUpdateBool, exit_on_timeout,
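Review bot: the UPGRADING entry for windows.show_crt_warning is added only to branches/PHP_5_3, although main.c changes in PHP_5_4 and trunk as well, and neither php.ini-development nor php.ini-production gains the directive in any branch. Add the same entry to the 5.4 and trunk UPGRADING files and a commented boolean line for the directive to the ini templates (mirroring the other `; name = Off` entries there), otherwise Windows operators have no discoverable way to turn the warnings back on.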
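Review bot: the `STD_PHP_INI_BOOLEAN(windows.show_crt_warning, 0, PHP_INI_ALL, ...)` entry defaults the diagnostic off, so from this commit on an invalid CRT parameter (a genuine bug, typically a buffer-size or format mismatch in a CRT call) is swallowed silently on Windows unless the operator knows to enable the directive, and the log line does not justify that choice. Consider keeping it enabled in php.ini-development, or at least state in UPGRADING that disabling the warning hides CRT misuse rather than fixing it.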
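Review bot: in the invalid-parameter handler hunk, `TSRMLS_FETCH(); if(PG(windows_show_crt_warning)) {` reads a PHP global from inside a process-wide CRT callback; in a ZTS build that callback can fire on a thread that has no PHP thread context, and the hunk does not guard against the fetch failing before PG() is dereferenced. Two smaller points in the same hunk: `len = _snprintf(buf, sizeof(buf)-1, ...)` is still passed to `zend_error(E_WARNING, %s, buf)` with `len` unused, and MSVC's _snprintf does not NUL-terminate on truncation, so add `buf[sizeof(buf)-1] = '\0';` before the call; and the fallback text changed from `Invalid CRT parameters detected` to `Invalid CRT parameter detected (function not known)`, which the log does not mention and which any log-based detection keyed on the old string will miss.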
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/ext/xsl/php_xsl.c branches/PHP_5_3/ext/xsl/php_xsl.h branches/PHP_5_3/ext/xsl/tests/bug54446.phpt branches/PHP_5_3/ext/xsl/test
chregu Mon, 10 Oct 2011 07:59:19 + Revision: http://svn.php.net/viewvc?view=revisionrevision=317953 Log: Added the xsl.security_prefs option to 5_4 and trunk and mark it as deprecated for BC-reasons Added tests for ini option and combination of both Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h D php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt A + php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt (from php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt:r317952) U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c U php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c U php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h A php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt U php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c U php/php-src/trunk/ext/xsl/php_xsl.c U php/php-src/trunk/ext/xsl/php_xsl.h A php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt U php/php-src/trunk/ext/xsl/xsltprocessor.c Modified: php/php-src/branches/PHP_5_3/UPGRADING === --- php/php-src/branches/PHP_5_3/UPGRADING 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/UPGRADING 2011-10-10 07:59:19 UTC (rev 317953) 
@@ -153,7 +153,16 @@ - SplObjectStorage now has ArrayAccess support. It is also now possible to store associative information with objects in SplObjectStorage. + += +4.1 New in PHP 5.3.9 += +- Write operations within XSLT (for example with the extension sax:output) are + disabled by default. You can define what is forbidden with the INI option + xsl.security_prefs. This option will be marked as deprecated in 5.4 again. + Use the method XsltProcess::setSecurityPrefs($options) there. + = 5. Deprecated = Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c === --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -180,6 +180,7 @@ REGISTER_LONG_CONSTANT(XSL_SECPREF_CREATE_DIRECTORY, XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(XSL_SECPREF_READ_NETWORK, XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(XSL_SECPREF_WRITE_NETWORK,XSL_SECPREF_WRITE_NETWORK,CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT(XSL_SECPREF_DEFAULT, XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(LIBXSLT_VERSION, LIBXSLT_VERSION,CONST_CS | CONST_PERSISTENT); REGISTER_STRING_CONSTANT(LIBXSLT_DOTTED_VERSION, LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h === --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h 2011-10-10 07:59:19 UTC (rev 317953) 
@@ -50,6 +50,8 @@ #define XSL_SECPREF_CREATE_DIRECTORY 8 #define XSL_SECPREF_READ_NETWORK 16 #define XSL_SECPREF_WRITE_NETWORK 32 +/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */ +#define XSL_SECPREF_DEFAULT 44 typedef struct _xsl_object { zend_object std; Deleted: php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt === --- php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt 2011-10-10 07:59:19 UTC (rev 317953) @@ -1,95 +0,0 @@ ---TEST-- -Bug #54446 (Arbitrary file creation via libxslt 'output' extension) ---SKIPIF-- -?php -if (!extension_loaded('xsl')) die(skip Extension XSL is required\n); -? ---FILE-- -?php -include(prepare.inc); - -$outputfile = dirname(__FILE__)./bug54446test.txt; -if (file_exists($outputfile)) { -unlink($outputfile); -} - -$sXsl = EOT -xsl:stylesheet version=1.0 - xmlns:xsl=http://www.w3.org/1999/XSL/Transform; - xmlns:sax=http://icl.com/saxon; - extension-element-prefixes=sax - - xsl:template match=/ - sax:output href=$outputfile method=text - xsl:value-of select='0wn3d via PHP and libxslt ...'/ - /sax:output - /xsl:template - -/xsl:stylesheet -EOT; - -$xsl-loadXML( $sXsl ); - -# START XSLT -$proc-importStylesheet( $xsl ); - -# TRASNFORM PRINT -print $proc-transformToXML( $dom ); - - -if (file_exists($outputfile)) { -print $outputfile exists, but shouldn't!\n; -} else { -print OK, no file created\n; -} - -#SET NO
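Review bot: the new `4.1 New in PHP 5.3.9` UPGRADING entry names the method as `XsltProcess::setSecurityPrefs($options)`; the class is XSLTProcessor (this same UPGRADING file lists `XSLTProcessor::setProfiling()` further down), so fix the name. The entry should also say that the default only blocks writes: XSL_SECPREF_READ_NETWORK (16) is not part of XSL_SECPREF_DEFAULT (44), so document() in an untrusted stylesheet can still fetch URLs and read files unless the operator tightens xsl.security_prefs further.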
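Review bot: `#define XSL_SECPREF_DEFAULT 44` in php_xsl.h hard-codes a value that the comment above it spells out as `XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE`; define it as that parenthesised expression so the constant cannot drift from the flags if a bit is ever renumbered and readers do not have to verify 32 + 8 + 4 by hand.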
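Review bot: the php_xsl.c hunk registers XSL_SECPREF_DEFAULT as a userland constant, which is what a caller needs for `setSecurityPrefs(XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_NETWORK)`-style calls, but nothing in the UPGRADING hunk mentions that the constant exists or that the xsl.security_prefs ini value is the same bitmask; add one line so users do not have to read the header to find the number.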
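Review bot: bug54446.phpt is deleted only in branches/PHP_5_3 (`D php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt`) and replaced by bug54446_with_ini.phpt copied from it, whereas PHP_5_4 and trunk only gain the _with_ini variant (`A ...`) and keep the original. Either keep the original test in 5.3 as well, so the ini-less default path stays covered there, or say in the log why 5.3 differs; "Added tests for ini option and combination of both" suggests both tests should exist on every branch.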
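The bitmask the header above defines, exercised end to end, as an added example that is not part of this commit or of the PHP test suite: it runs the same sax:output stylesheet the deleted bug54446.phpt used, first under XSL_SECPREF_DEFAULT (the post-5.3.9 default), then with reads forbidden as well, then with the restriction lifted, and reports whether a file appeared each time. It assumes PHP 5.4 or later with ext/xsl, i.e. XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants (XSL_SECPREF_NONE, XSL_SECPREF_READ_FILE and XSL_SECPREF_WRITE_FILE are not shown in the hunks above but sit next to the ones that are), and a libxslt that provides the saxon output extension element; run_transform and the output path are this example's own names.

```php
<?php
// Added example, not code from the PHP commit above or from ext/xsl/tests.
// Assumes PHP >= 5.4 with ext/xsl: XSLTProcessor::setSecurityPrefs() and the
// XSL_SECPREF_* constants (XSL_SECPREF_NONE / XSL_SECPREF_READ_FILE /
// XSL_SECPREF_WRITE_FILE are not in the hunks above but exist alongside them).

// Target path for the write attempt; the script's own directory mirrors the
// deleted bug54446.phpt. A POSIX-style path usable as an href is assumed.
$outputfile = dirname(__FILE__) . '/secpref_demo.txt';
@unlink($outputfile);

// Same mechanism as the deleted test: sax:output is libxslt's "write a file"
// extension element, so an attacker-controlled stylesheet can create files.
$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon"
    extension-element-prefixes="sax">
  <xsl:template match="/">
    <sax:output href="$outputfile" method="text">
      <xsl:value-of select="'written through sax:output'"/>
    </sax:output>
  </xsl:template>
</xsl:stylesheet>
EOT;

$dom = new DOMDocument();
$dom->loadXML('<root/>');
$xsl = new DOMDocument();
$xsl->loadXML($sXsl);

/**
 * Run the stylesheet under the given security-preference bitmask and report
 * whether the write attempt produced a file (the file is removed afterwards).
 * A blocked write is reported through PHP's warning mechanism, not as an
 * exception, so the filesystem is the reliable thing to check.
 */
function run_transform(DOMDocument $xsl, DOMDocument $dom, $prefs, $outputfile)
{
    $proc = new XSLTProcessor();
    $proc->setSecurityPrefs($prefs);     // applied by ext/xsl at transform time
    $proc->importStylesheet($xsl);
    $proc->transformToXML($dom);
    $created = file_exists($outputfile);
    @unlink($outputfile);
    return $created;
}

// XSL_SECPREF_DEFAULT (44 in php_xsl.h) is exactly the three write bits.
$writeBits = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK;
printf("default mask equals the write bits: %s\n",
       $writeBits === XSL_SECPREF_DEFAULT ? 'yes' : 'no');

// 1. Hardened default: the stylesheet may not create files.
printf("file created under XSL_SECPREF_DEFAULT: %s\n",
       run_transform($xsl, $dom, XSL_SECPREF_DEFAULT, $outputfile) ? 'yes' : 'no');

// 2. Reads are not covered by the default (document() can still open files
//    and URLs); for untrusted stylesheets forbid those bits too.
$strict = XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK;
printf("file created under the strict mask: %s\n",
       run_transform($xsl, $dom, $strict, $outputfile) ? 'yes' : 'no');

// 3. Opting back in restores the pre-5.3.9 behaviour; only do this for
//    stylesheets you authored yourself.
printf("file created under XSL_SECPREF_NONE: %s\n",
       run_transform($xsl, $dom, XSL_SECPREF_NONE, $outputfile) ? 'yes' : 'no');
```

The ini directive takes the same bitmask, so `xsl.security_prefs = 44` in php.ini is the equivalent of the first call above; setSecurityPrefs() on a processor instance overrides it for that instance only.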
[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ UPGRADING
salathe Fri, 11 Feb 2011 22:31:52 + Revision: http://svn.php.net/viewvc?view=revisionrevision=308266 Log: Oopsie, fix typo in UPGRADING Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING Modified: php/php-src/branches/PHP_5_3/UPGRADING === --- php/php-src/branches/PHP_5_3/UPGRADING 2011-02-11 22:16:33 UTC (rev 308265) +++ php/php-src/branches/PHP_5_3/UPGRADING 2011-02-11 22:31:52 UTC (rev 308266) @@ -671,7 +671,7 @@ ReflectionClass::getNamespaceName() ReflectionClass::getShortName() - SPL: DirectoryIterator::getExtension() - SplFileObject::getExtension() + SplFileInfo::getExtension() SplObjectStorage::addAll() SplObjectStorage::removeAll() - XSL: XSLTProcessor::setProfiling() -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ UPGRADING
pajoye Wed, 08 Dec 2010 09:38:47 + Revision: http://svn.php.net/viewvc?view=revisionrevision=306076 Log: - new warning in imagepstext Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING Modified: php/php-src/branches/PHP_5_3/UPGRADING === --- php/php-src/branches/PHP_5_3/UPGRADING 2010-12-08 08:45:56 UTC (rev 306075) +++ php/php-src/branches/PHP_5_3/UPGRADING 2010-12-08 09:38:47 UTC (rev 306076) @@ -276,6 +276,8 @@ - MySQLi: Now supports persistent connections by prepending the hostname with p:. +- imagepstext now rejects invalid antialiasing steps and raises a warning. + d. no longer possible to disable - PCRE
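Review bot: the `+- imagepstext now rejects invalid antialiasing steps and raises a warning.` line is inserted between the MySQLi persistent-connections entry and the `d. no longer possible to disable` subsection, i.e. not alongside the other GD changes; move it next to them and state which step values are accepted, since a warning that only says the value is invalid gives callers nothing to correct.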