Change list from release notes:
* Synchronized bundled GD library with GD 2.0.23.
* Fixed a bug that prevented compilation of GD extensions against
FreeType 2.1.0-2.1.2.
* Fixed thread safety issue with informix connection id.
* Fixed incorrect resolving of relative paths by glob() in windows.
* Fixed mapping of Greek letters to html entities.
* Fixed a bug that caused an on shutdown crash when using PHP with Apache
2.0.49.
* Fixed a number of crashes inside pgsql, cpdf and gd extensions.
All in all this release fixes over 30 bugs that have been discovered
and resolved since the 4.3.6 release.
(ports/lang/php4/files/patch-ext::pcre::php_pcre.c). Fixes a bug
(described at http://bugs.php.net/bug.php?id=27810) which causes
apache2 to dump core on receiving SIGHUP.
This is supposedly fixed in the next release of PHP.
http://cgi-spec.golux.com/
mentions SCRIPT_NAME but not SCRIPT_FILENAME.
Support web servers that only supply the former, even though
PHP 4.3 wants the latter to operate as a CGI...
Fixes problem using PHP 4.3 under a variety of non-Apache web servers.
Changes are bug-fixes mostly, but also synchronizes bundled GD
with GD 2.0.22 and updates PCRE to version 4.5. Several NetBSD
patches were integrated too, so future pkgsrc updates would
be even more smooth.
Full list of changes since PHP 4.3.4 is available at:
http://www.php.net/ChangeLog-4.php#4.3.6http://www.php.net/ChangeLog-4.php#4.3.5
From release announcemenet:
After a lengthy QA process, PHP 4.3.4 is finally out!
This is a medium size maintenance release, with a fair number of bug fixes.
All users are encouraged to upgrade to 4.3.4.
Bugfix release
PHP 4.3.4 contains, among others, following important fixes, additions
and improvements:
* Fixed disk_total_space() and disk_free_space() under FreeBSD.
* Fixed FastCGI support on Win32.
* Fixed FastCGI being unable to bind to a specific IP.
* Fixed several bugs in mail() implementation on win32.
* Fixed crashes in a number of functions.
* Fixed compile failure on MacOSX 10.3 Panther.
* Over 60 various bug fixes!
For full list of changes in PHP 4.3.4, see ChangeLog:
http://www.php.net/ChangeLog-4.php#4.3.4
Some highlights of changes since 4.2.3:
* PCRE updated to 4.3, GD to 2.0.15
* improved Apache2 support
* much improved stream & URL wrapper support, output compression support
* added CLI (Command Line Interface) SAPI
* debug_backtrace() backported from ZendEngine2
* faster build system
* huge number of other bug fixes and improvements
Packaging changes:
* 'pcre', 'xml', and 'session' modules folded back into main package -
'pcre' and 'xml' is required by PEAR, and 'session' is just too essential
to be separate
* 'gd' module now uses bundled PHP GD library, which is better integrated
* PHP modules use shared distinfo when possible to ease future PHP updates
* ${PREFIX}/bin/php is now CLI version, ${PREFIX}/libexec/cgi-big/php
remains CGI version
tech-pkg@ where the incorrect libtoolize was being invoked. We now pass
in the path to libtoolize via the environment, much like how the other
GNU auto* tools are found in pkgsrc.
generalise the linker flags used to export symbols by setting them on
a per-OS basis.
> many packages force -Wl,-export-dynamic which is not portable outside GNU ld
> and cause problems e.g. on Solaris. some of these packages use if
> conditionals either only for NetBSD or except SunOS, but the state is not
> coherent and it may complicate later when support for new OS is added to
> pkgsrc (e.g. ongoing work on HP-UX support).
>
> jlam proposed the following framework in discussion on tech-pkg:
>
> http://mail-index.netbsd.org/tech-pkg/2002/06/21/0009.html
>
> now, ${EXPORT_SYMBOLS_LDFLAGS} is used instead of directly defining
> -Wl,-export-dynamic which is set in appropriate defs.*.mk to reasonable
> values. packages should be converted to this framework by:
>
> 1) replacing LDFLAGS+= -Wl,-export-dynamic and LIBS+= -export-dynamic with:
>
> LDFLAGS+= ${EXPORT_SYMBOLS_LDFLAGS}
>
> 2) for use in patchfiles, add this variable to MAKE_ENV if needed:
>
> MAKE_ENV+= EXPORT_SYMBOLS_LDFLAGS=${EXPORT_SYMBOLS_LDFLAGS}
>
> 3) replace occurances of -Wl,-export-dynamic and -export-dynamic in patch
> files with:
>
> $(EXPORT_SYMBOLS_LDFLAGS)
buildlink2.mk files back into the main trunk. This provides sufficient
buildlink2 infrastructure to start merging other packages from the
buildlink2 branch that have already been converted to use the buildlink2
framework.
- Fixed start up failure when mm save handler is used and there is multiple
SAPIs are working at the same time. (Yasuo)
- Fixed a buffer overflow in the RFC-1867 file upload code (Stefan)
<===> SECURITY NOTE <===>
Note that the buffer overflow fix is a major security fix. Quoting from
the security advisory at:
http://security.e-matters.de/advisories/012002.html
"PHP supports multipart/form-data POST requests (as described in RFC1867)
known as POST fileuploads. Unfourtunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute
arbitrary code. During our research we found out that not only PHP4 but
also older versions from the PHP3 tree are vulnerable.
[...]
"If you are running PHP 4.0.3 or above one way to workaround these bugs is
to disable the fileupload support within your php.ini (file_uploads = Off).
If you are running php as module keep in mind to restart the webserver.
Anyway you should better install the fixed or a properly patched version to
be safe."
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
variables. Like the other new variables, this variable is also available
regardless of the context.
- Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which
deprecate the old $HTTP_*_VARS arrays. In addition to be much shorter to
type - these variables are also available regardless of the scope, and
there's no need to import them using the 'global' statement.
Other relevant changes include:
- Bug fixes to prevent crashes on unexpected input.
- Huge performance improvements, especially in thread-safe code.
- Introduced extension version numbers.
- Added support for single dimensional SafeArrays and Enumerations.
Added an is_enum() function to check if a component implements an
enumeration.
- Improved speed of the serializer/deserializer.
- Floating point numbers are better detected when converting from strings.
- Added import_request_variables(), to allow users to safely import form
variables to the global scope
- Add config option (always_populate_raw_post_data) which when enabled
will always populate $HTTP_RAW_POST_DATA regardless of the post mime
type
- Added getmygid() and safe_mode_gid ini directive to allow safe mode to do
a gid check instead of a uid check.
- Assigning to a string offset beyond the end of the string now automatically
increases the string length by padding it with spaces, and performs the
assignment.
- Bug fixes (memory leaks and other errors)
- Made $HTTP_SESSION_VARS['foo'] and $foo be references to the same value
when register_globals is on. (Andrei)
- Added is_callable() function that can be used to find out whether
its argument is a valid callable construct. (Andrei)
- Added pg_last_notice() function. (Rasmus from suggestion by Dirk@rackspace.com)
- Added support to getimagesize to return dimensions of BMP and PSD
files. (Derick)
- Added Japanese multibyte string functions support. (Rui)
- Added key_exists() to check if a given key or index exists in an
array or object. (David Croft)
- Added -C command-line option to avoid chdir to the script's directory. (Stig)
- printf argnum (parameter swapping) support. (Morten Poulsen, Rasmus)
- Modified get_parent_class() and get_class_methods() to accept a class name as
well as a class instance. (Andrei, Zend Engine)
- Added array_map() function that applies a callback to the elements
of given arrays and returns the result. It can also be used with a
null callback to transpose arrays. (Andrei)
- Added array_filter(), which allows filtering of array elements via
the specified callback. (Andrei)
This bumps the version number to 4.0.4.1nb1. Also, build the php CGI
binary by statically linking against the helper library libphp4.la so we
aren't forced to install a shared library used solely by one program.
* Make NetBSD PHP extensions_dir equal the compiled-in default for PHP4.
* Install the PEAR PHP4 script repository and tools.
* Use the source's install target instead of homegrown one.
- Fixed the various pdf_open_*() functions (Daniel)
- Fixed a bug that could cause invalid INI entries to be used under certain
circumstances (Zeev)
- Fixed a bug in the Apache module that could cause invalid INI values to
propogate to different virtual hosts, if one or more of the virtual
hosts was configured with engine=Off (Zeev)
- Fixed possible crash bugs in the session module (Sascha)
- Fixed the ODBC module to build properly with Solid 3.0 and OpenLink (Dan
Kalowsky)
- Fixed possible corruption of line number information in PHP scripts (Zeev,
Zend Engine)
- Fixed a few possible crashes in functions that use user-defined callbacks
(Zeev, Zend Engine)
4.0.3 include many bugfixes (including one bad interaction with mod_perl which
caused segfaults) and additions of several new functions. Several new PHP
modules were also added to the main distribution, including new database
extensions and OpenSSL, and some bugs with improperly closing database
connections was fixed.