security fix, this fixes serious security problems regarding overwriting
of the GLOBALS array.
All users of PHP 4.3 and 4.4 sare encouradged to update to this version.
The --with-regex=system bug with re_magic has been fixed too, so re-enabling
use of --with-regex=system for all operating systems again
This is a maintenance release that in addition to over 70 non-critical
bug fixes addresses several security issues inside the exif and
fbsql extensions as well as the unserialize(), swf_definepoly()
and getimagesize() functions. All Users of PHP are strongly
encouraged to upgrade to this release.
Bugfix release
* Crash in bzopen() if supplied path to non-existent file.
* DOM crashing when attribute appended to Document.
* unserialize() float problem on non-English locales.
* Crash in msg_send() when non-string is stored without being serialized.
* Possible infinite loop in imap_mail_compose().
* Fixed crash in chunk_split(), when chunklen > strlen.
* session_set_save_handler crashes PHP when supplied non-existent object ref.
* Memory leak in zend_language_scanner.c.
* Compile failures of zend_strtod.c.
* Fixed crash in overloaded objects & overload() function.
* cURL functions bypass open_basedir.
PHP4 also doesn't bundle PEAR Net_Socket and Net_SMTP anymore now.
creates its own compiler wrapper script. This "meta_ccld" script
isn't recognized by the installed libtool script as a compiler, and
libtool gets confused as to which compiler tag to use. Rather than
inserting "--tag=CC" into the Makefiles, we patch the configure script
to not make the wrapper script, and instead, to simply append the
appropriate pthreads CFLAGS to the normal CFLAGS variable subsituted
into Makefiles. This fixes PR pkg/28485.
Changes since 4.3.8:
* fixes to GPC input processing
* bundled GD extension synced with 2.0.28, re-introducing write support
for GIF (patent expiration worldwide)
* Implemented periodic PCRE compiled regexp cache cleanup, to avoid memory
exhaustion
* Fixed strip_tags() to correctly handle '\0' characters.
* Rewritten UNIX and Windows install help files.
* Fixed a file-descriptor leak with phpinfo() and other 'special' URLs.
* Fixed possible crash inside php_shutdown_config().
* Fixed isset crashes on arrays.
* Fixed imagecreatefromstring() crashes with external GD library.
* Fixed fgetcsv() parsing of strings ending with escaped enclosures.
* Fixed overflow in array_slice(), array_splice(), substr(), substr_replace(),
strspn(), strcspn().
* Fixed '\0' in Authenticate header passed via safe_mode.
* Allow bundled GD to compile against freetype 2.1.2.
All in all this release fixes over 50 bugs that have been discovered
and resolved since the 4.3.8 release.
Change list from release notes:
* Synchronized bundled GD library with GD 2.0.23.
* Fixed a bug that prevented compilation of GD extensions against
FreeType 2.1.0-2.1.2.
* Fixed thread safety issue with informix connection id.
* Fixed incorrect resolving of relative paths by glob() in windows.
* Fixed mapping of Greek letters to html entities.
* Fixed a bug that caused an on shutdown crash when using PHP with Apache
2.0.49.
* Fixed a number of crashes inside pgsql, cpdf and gd extensions.
All in all this release fixes over 30 bugs that have been discovered
and resolved since the 4.3.6 release.
(ports/lang/php4/files/patch-ext::pcre::php_pcre.c). Fixes a bug
(described at http://bugs.php.net/bug.php?id=27810) which causes
apache2 to dump core on receiving SIGHUP.
This is supposedly fixed in the next release of PHP.
http://cgi-spec.golux.com/
mentions SCRIPT_NAME but not SCRIPT_FILENAME.
Support web servers that only supply the former, even though
PHP 4.3 wants the latter to operate as a CGI...
Fixes problem using PHP 4.3 under a variety of non-Apache web servers.
Changes are bug-fixes mostly, but also synchronizes bundled GD
with GD 2.0.22 and updates PCRE to version 4.5. Several NetBSD
patches were integrated too, so future pkgsrc updates would
be even more smooth.
Full list of changes since PHP 4.3.4 is available at:
http://www.php.net/ChangeLog-4.php#4.3.6http://www.php.net/ChangeLog-4.php#4.3.5
From release announcemenet:
After a lengthy QA process, PHP 4.3.4 is finally out!
This is a medium size maintenance release, with a fair number of bug fixes.
All users are encouraged to upgrade to 4.3.4.
Bugfix release
PHP 4.3.4 contains, among others, following important fixes, additions
and improvements:
* Fixed disk_total_space() and disk_free_space() under FreeBSD.
* Fixed FastCGI support on Win32.
* Fixed FastCGI being unable to bind to a specific IP.
* Fixed several bugs in mail() implementation on win32.
* Fixed crashes in a number of functions.
* Fixed compile failure on MacOSX 10.3 Panther.
* Over 60 various bug fixes!
For full list of changes in PHP 4.3.4, see ChangeLog:
http://www.php.net/ChangeLog-4.php#4.3.4
Some highlights of changes since 4.2.3:
* PCRE updated to 4.3, GD to 2.0.15
* improved Apache2 support
* much improved stream & URL wrapper support, output compression support
* added CLI (Command Line Interface) SAPI
* debug_backtrace() backported from ZendEngine2
* faster build system
* huge number of other bug fixes and improvements
Packaging changes:
* 'pcre', 'xml', and 'session' modules folded back into main package -
'pcre' and 'xml' is required by PEAR, and 'session' is just too essential
to be separate
* 'gd' module now uses bundled PHP GD library, which is better integrated
* PHP modules use shared distinfo when possible to ease future PHP updates
* ${PREFIX}/bin/php is now CLI version, ${PREFIX}/libexec/cgi-big/php
remains CGI version
tech-pkg@ where the incorrect libtoolize was being invoked. We now pass
in the path to libtoolize via the environment, much like how the other
GNU auto* tools are found in pkgsrc.
generalise the linker flags used to export symbols by setting them on
a per-OS basis.
> many packages force -Wl,-export-dynamic which is not portable outside GNU ld
> and cause problems e.g. on Solaris. some of these packages use if
> conditionals either only for NetBSD or except SunOS, but the state is not
> coherent and it may complicate later when support for new OS is added to
> pkgsrc (e.g. ongoing work on HP-UX support).
>
> jlam proposed the following framework in discussion on tech-pkg:
>
> http://mail-index.netbsd.org/tech-pkg/2002/06/21/0009.html
>
> now, ${EXPORT_SYMBOLS_LDFLAGS} is used instead of directly defining
> -Wl,-export-dynamic which is set in appropriate defs.*.mk to reasonable
> values. packages should be converted to this framework by:
>
> 1) replacing LDFLAGS+= -Wl,-export-dynamic and LIBS+= -export-dynamic with:
>
> LDFLAGS+= ${EXPORT_SYMBOLS_LDFLAGS}
>
> 2) for use in patchfiles, add this variable to MAKE_ENV if needed:
>
> MAKE_ENV+= EXPORT_SYMBOLS_LDFLAGS=${EXPORT_SYMBOLS_LDFLAGS}
>
> 3) replace occurances of -Wl,-export-dynamic and -export-dynamic in patch
> files with:
>
> $(EXPORT_SYMBOLS_LDFLAGS)
buildlink2.mk files back into the main trunk. This provides sufficient
buildlink2 infrastructure to start merging other packages from the
buildlink2 branch that have already been converted to use the buildlink2
framework.
- Fixed start up failure when mm save handler is used and there is multiple
SAPIs are working at the same time. (Yasuo)
- Fixed a buffer overflow in the RFC-1867 file upload code (Stefan)
<===> SECURITY NOTE <===>
Note that the buffer overflow fix is a major security fix. Quoting from
the security advisory at:
http://security.e-matters.de/advisories/012002.html
"PHP supports multipart/form-data POST requests (as described in RFC1867)
known as POST fileuploads. Unfourtunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute
arbitrary code. During our research we found out that not only PHP4 but
also older versions from the PHP3 tree are vulnerable.
[...]
"If you are running PHP 4.0.3 or above one way to workaround these bugs is
to disable the fileupload support within your php.ini (file_uploads = Off).
If you are running php as module keep in mind to restart the webserver.
Anyway you should better install the fixed or a properly patched version to
be safe."
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
variables. Like the other new variables, this variable is also available
regardless of the context.
- Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which
deprecate the old $HTTP_*_VARS arrays. In addition to be much shorter to
type - these variables are also available regardless of the scope, and
there's no need to import them using the 'global' statement.
Other relevant changes include:
- Bug fixes to prevent crashes on unexpected input.
- Huge performance improvements, especially in thread-safe code.
- Introduced extension version numbers.
- Added support for single dimensional SafeArrays and Enumerations.
Added an is_enum() function to check if a component implements an
enumeration.
- Improved speed of the serializer/deserializer.
- Floating point numbers are better detected when converting from strings.
- Added import_request_variables(), to allow users to safely import form
variables to the global scope
- Add config option (always_populate_raw_post_data) which when enabled
will always populate $HTTP_RAW_POST_DATA regardless of the post mime
type
- Added getmygid() and safe_mode_gid ini directive to allow safe mode to do
a gid check instead of a uid check.
- Assigning to a string offset beyond the end of the string now automatically
increases the string length by padding it with spaces, and performs the
assignment.
- Bug fixes (memory leaks and other errors)
- Made $HTTP_SESSION_VARS['foo'] and $foo be references to the same value
when register_globals is on. (Andrei)
- Added is_callable() function that can be used to find out whether
its argument is a valid callable construct. (Andrei)
- Added pg_last_notice() function. (Rasmus from suggestion by Dirk@rackspace.com)
- Added support to getimagesize to return dimensions of BMP and PSD
files. (Derick)
- Added Japanese multibyte string functions support. (Rui)
- Added key_exists() to check if a given key or index exists in an
array or object. (David Croft)
- Added -C command-line option to avoid chdir to the script's directory. (Stig)
- printf argnum (parameter swapping) support. (Morten Poulsen, Rasmus)
- Modified get_parent_class() and get_class_methods() to accept a class name as
well as a class instance. (Andrei, Zend Engine)
- Added array_map() function that applies a callback to the elements
of given arrays and returns the result. It can also be used with a
null callback to transpose arrays. (Andrei)
- Added array_filter(), which allows filtering of array elements via
the specified callback. (Andrei)
This bumps the version number to 4.0.4.1nb1. Also, build the php CGI
binary by statically linking against the helper library libphp4.la so we
aren't forced to install a shared library used solely by one program.
* Make NetBSD PHP extensions_dir equal the compiled-in default for PHP4.
* Install the PEAR PHP4 script repository and tools.
* Use the source's install target instead of homegrown one.
- Fixed the various pdf_open_*() functions (Daniel)
- Fixed a bug that could cause invalid INI entries to be used under certain
circumstances (Zeev)
- Fixed a bug in the Apache module that could cause invalid INI values to
propogate to different virtual hosts, if one or more of the virtual
hosts was configured with engine=Off (Zeev)
- Fixed possible crash bugs in the session module (Sascha)
- Fixed the ODBC module to build properly with Solid 3.0 and OpenLink (Dan
Kalowsky)
- Fixed possible corruption of line number information in PHP scripts (Zeev,
Zend Engine)
- Fixed a few possible crashes in functions that use user-defined callbacks
(Zeev, Zend Engine)
