March 2nd, 2012
· Some of the key new features include: traits, a shortened array syntax, a built-in webserver for testing purposes and more. PHP 5.4.0 significantly improves performance and memory footprint, and fixes over 100 bugs.
February 3rd, 2012
· Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.
January 8th, 2012
Core:
· Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
· Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)
· Fixed bug #55871 (Interruption in substr_replace()). (Stas)
· Fixed bug #60627 (httpd.worker segfault on startup with php_value). (Laruence)
SAPI:
· Fixed bug #55500 (Corrupted $_FILES indices lead to security concern). (Stas)
· Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
CLI SAPI:
· Fixed bug #60591 (Memory leak when accessing a non-existent file). (Laruence)
Intl:
· Fixed build on Fedora 15 / Ubuntu 11. (Hannes)
PHP-FPM SAPI:
· Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
· Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
Improved Session extension:
· Fixed bug #60640 (invalid return values). (Arpad)
· Implement
December 28th, 2011
· Added max_input_vars directive to prevent attacks based on hash collisions
· Fixed a segfault in the traits code
July 23rd, 2010
Security Enhancements and Fixes in PHP 5.3.3:
· Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
· Fixed a possible resource destruction issue in shm_put_var().
· Fixed a possible information leak because of interruption of XOR operator.
· Fixed a possible memory corruption because of unexpected call-time pass by reference and following memory clobbering through callbacks.
· Fixed a possible memory corruption in ArrayObject::uasort().
· Fixed a possible memory corruption in parse_str().
· Fixed a possible memory corruption in pack().
· Fixed a possible memory corruption in substr_replace().
· Fixed a possible memory corruption in addcslashes().
· Fixed a possible stack exhaustion inside fnmatch().
· Fixed a possible dechunking filter buffer overflow.
· Fixed a possible arbitrary memory access inside sqlite extension.
· Fixed string format validation inside phar extension.
· Fixed handling of session variable serialization on certain prefix characters.
· Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
· Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
· Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
· Fixed possible buffer overflows when handling error packets in mysqlnd.
Key enhancements in PHP 5.3.3 include:
· Upgraded bundled sqlite to version 3.6.23.1.
· Upgraded bundled PCRE to version 8.02.
· Added FastCGI Process Manager (FPM) SAPI.
· Added stream filter support to mcrypt extension.
· Added full_special_chars filter to ext/filter.
· Fixed a possible crash because of recursive GC invocation.
· Fixed bug #52238 (Crash when an Exception occurred in iterator_to_array).
· Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
· Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
· Fixed bug #52001 (Memory allocation problems after using variable variables).
· Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
· Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).
March 5th, 2010
Security Enhancements and Fixes in PHP 5.3.2:
· Improved LCG entropy. (Rasmus, Samy Kamkar)
· Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
· Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
Key Bug Fixes in PHP 5.3.2 include:
· Added support for SHA-256 and SHA-512 to php's crypt.
· Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check.
· Fixed bug #51059 (crypt crashes when invalid salts are given).
· Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
· Fixed bug #50847 (strip_tags() removes all tags greater than 1023 bytes long).
· Fixed bug #50723 (Bug in garbage collector causes crash).
· Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).
· Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).
· Fixed bug #50540 (Crash while running ldap_next_reference test cases).
· Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
December 23rd, 2009
· Upgraded bundled sqlite to version 3.6.21. (Ilia)
· Upgraded bundled PCRE to version 8.00. (Scott)
· Changed gmp_strval() to use full range from 2 to 62, and -2 to -36. FR #50283 (David Soria Parra)
· Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
· Added INTERNALDATE support to imap_append. (nick at mailtrust dot com)
· Added support for SHA-256 and SHA-512 to php's crypt. (Pierre)
· Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
· Added FILTER_FLAG_STRIP_BACKTICK option to the filter extension. (Ilia)
· Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check. (Stas)
· Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
· Added ReflectionMethod::setAccessible() for invoking non-public methods through the Reflection API. (Sebastian)
· Added Collator::getSortKey for intl extension. (Stas)
· Added support for CURLOPT_POSTREDIR. FR #49571. (Sriram Natarajan)
· Added support for CURLOPT_CERTINFO. FR #49253. (Linus Nielsen Feltzing)
· Added client-side server name indication support in openssl. (Arnaud)
· Improved fix for bug #50006 (Segfault caused by uksort()). (Stas)
· Fixed mysqlnd hang when queries exactly 16777214 bytes long are sent. (Andrey)
· Fixed incorrect decoding of 5-byte BIT sequences in mysqlnd. (Andrey)
· Fixed error_log() to be binary safe when using message_type 3. (Jani)
· Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
· Fixed memory leak in extension loading when an error occurs on Windows. (Pierre)
· Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
· Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
· Fixed bug #50496 (Use of is valid only in a c99 compilation environment. (Sriram)
· Fixed bug #50464 (declare encoding doesn't work within an included file). (Felipe)
· Fixed bug #50458 (PDO::FETCH_FUNC fails with Closures). (Felipe, Pierrick)
· Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
· Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
· Fixed bug #50351 (performance regression handling objects, ten times slower in 5.3 than in 5.2). (Dmitry)
· Fixed bug #50392 (date_create_from_format() enforces 6 digits for 'u' format character). (Ilia)
· Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
· Fixed bug #50340 (php.ini parser does not allow spaces in ini keys). (Jani)
· Fixed bug #50334 (crypt ignores sha512 prefix). (Pierre)
· Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
· Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
· Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
· Fixed bug #50267 (get_browser(null) does not use HTTP_USER_AGENT). (Jani)
· Fixed bug #50266 (conflicting types for llabs). (Jani)
· Fixed bug #50261 (Crash When Calling Parent Constructor with call_user_func()). (Dmitry)
· Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
· Fixed bug #50240 (pdo_mysql.default_socket in php.ini shouldn't be used if it is empty). (foutrelis at gmail dot com, Ilia)
· Fixed bug #50231 (Socket path passed using --with-mysql-sock is ignored when mysqlnd is enabled). (Jani)
· Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
· Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp)
· Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
· Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
· Fixed bug #50196 (stream_copy_to_stream() produces warning when source is not file). (Stas)
· Fixed bug #50195 (pg_copy_to() fails when table name contains schema). (Ilia)
· Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
· Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
· Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existent file). (Dmitry)
· Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
· Fixed bug #50159 (wrong working directory in symlinked files). (Dmitry)
· Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
· Fixed bug #50152 (ReflectionClass::hasProperty behaves like isset() not property_exists). (Felipe)
· Fixed bug #50146 (property_exists: Closure object cannot have properties). (Felipe)
· Fixed bug #50145 (crash while running bug35634.phpt). (Felipe)
· Fixed bug #50140 (With default compilation option, php symbols are unresolved for nsapi). (Uwe Schindler)
· Fixed bug #50087 (NSAPI performance improvements). (Uwe Schindler)
· Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
· Fixed bug #50023 (pdo_mysql doesn't use PHP_MYSQL_UNIX_SOCK_ADDR). (Ilia)
· Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
· Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
· Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
· Fixed bug #49938 (Phar::isBuffering() returns inverted value). (Greg)
· Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick)
· Fixed bug #49921 (Curl post upload functions changed). (Ilia)
· Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
· Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
· Fixed bug #49851, #50451 (http wrapper breaks on 1024 char long headers). (Ilia)
· Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). (Ilia, wmeler at wp-sa dot pl)
· Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
· Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
· Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
· Fixed bug #49647 (DOMUserData does not exist). (Rob)
· Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
· Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
· Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
· Fixed bug #49224 (Compile error due to old DNS functions on AIX systems). (Scott)
· Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
· Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
· Fixed bug #46478 (htmlentities() uses obsolete mapping table for character entity references). (Moriyoshi)
· Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
· Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
· Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)
December 9th, 2008
· The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, which was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release; alternatively, you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.