Forum d'entraide PHPFrance

The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.3.1:

* Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
* Added missing sanity checks around exif processing.
* Fixed a safe_mode bypass in tempnam().
* Fixed a open_basedir bypass in posix_mkfifo().
* Fixed failing safe_mode_include_dir.

Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes are available in the ChangeLog.

PHP 5.3.3 Release Announcement

The PHP development team would like to announce the immediate availability of PHP 5.3.3. This release focuses on improving the stability and security of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users are encouraged to upgrade to this release.

Backwards incompatible change:

* Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn't affect non-namespaced classes.

<?php
namespace Foo;
class Bar {
public function Bar() {
// treated as constructor in PHP 5.3.0-5.3.2
// treated as regular method in PHP 5.3.3
}
}
?>

There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.

Security Enhancements and Fixes in PHP 5.3.3:

* Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
* Fixed a possible resource destruction issues in shm_put_var().
* Fixed a possible information leak because of interruption of XOR operator.
* Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
* Fixed a possible memory corruption in ArrayObject::uasort().
* Fixed a possible memory corruption in parse_str().
* Fixed a possible memory corruption in pack().
* Fixed a possible memory corruption in substr_replace().
* Fixed a possible memory corruption in addcslashes().
* Fixed a possible stack exhaustion inside fnmatch().
* Fixed a possible dechunking filter buffer overflow.
* Fixed a possible arbitrary memory access inside sqlite extension.
* Fixed string format validation inside phar extension.
* Fixed handling of session variable serialization on certain prefix characters.
* Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
* Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
* Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
* Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements in PHP 5.3.3 include:

* Upgraded bundled sqlite to version 3.6.23.1.
* Upgraded bundled PCRE to version 8.02.
* Added FastCGI Process Manager (FPM) SAPI.
* Added stream filter support to mcrypt extension.
* Added full_special_chars filter to ext/filter.
* Fixed a possible crash because of recursive GC invocation.
* Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
* Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
* Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
* Fixed bug #52001 (Memory allocation problems after using variable variables).
* Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
* Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

- Fixed bug #51991 (spl_autoload and *nix support with namespace). (Felipe)

require_once 'MonFramework.phar';
$test = new MonFramework\Util\Test();

Hey ,

Regarde cet article : http://blog.mageekbox.net/?post/2010/05 ... -le-mec...

c'est pas encore parfait l'autoload ne marche pas sur les phar

avec tout ca on pourra arrivé a juste ca par exemple :

require_once 'MonFramework.phar';
$test = new MonFramework\Util\Test();

09 Dec 2010, PHP 5.3.4
- Upgraded bundled Sqlite3 to version 3.7.3. (Ilia)
- Upgraded bundled PCRE to version 8.10. (Ilia)

- Security enhancements:
. Fixed crash in zip extract method (possible CWE-170).
(Maksymilian Arciemowicz, Pierre)
. Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus)
. Fixed a possible double free in imap extension (Identified by Mateusz
Kocielski). (CVE-2010-4150). (Ilia)
. Fixed NULL pointer dereference in ZipArchive::getArchiveComment.
(CVE-2010-3709). (Maksymilian Arciemowicz)
. Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
. Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). (Pierre)
. Fixed symbolic resolution support when the target is a DFS share. (Pierre)
. Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with
large amount of data) (CVE-2010-3710). (Adam)

- General improvements:
. Added stat support for zip stream. (Pierre)
. Added follow_location (enabled by default) option for the http stream
support. (Pierre)
. Improved support for is_link and related functions on Windows. (Pierre)
. Added a 3rd parameter to get_html_translation_table. It now takes a charset
hint, like htmlentities et al. (Gustavo)

- Implemented feature requests:
. Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect
zend multibyte at runtime. (Kalle)
. Implemented FR #52173, added functions pcntl_get_last_error() and
pcntl_strerror(). (nick dot telford at gmail dot com, Arnaud)
. Implemented symbolic links support for open_basedir checks. (Pierre)
. Implemented FR #51804, SplFileInfo::getLinkTarget on Windows. (Pierre)
. Implemented FR #50692, not uploaded files don't count towards
max_file_uploads limit. As a side improvement, temporary files are not opened
for empty uploads and, in debug mode, 0-length uploads. (Gustavo)

• La version 8.10 de PCRE qui apporte un changement au niveau de l'utf-8 (avec une nouvelle option) (j'expliquerai ce qu'il faut modifier pour les regex marche partout)
• Le support de stat pour le protocole zip
• le follow_location activer par default pour toute ouverture http
• le bug 51176 annulé
• IntlDateFormatter::format (datefmt_format) accepte un object DateTime en timestamp
• RegexIterator::REPLACE marche enfin !!! (ça na jamais marcher) (j'ai fais la demande pour modifié le patch parce que ça allait être bizarre, la c'est OK)
• Meilleurs support de PHP-FPM

$a = new ArrayIterator(array('test1', 'test2', 'test3'));
$i = new RegexIterator($a, '/^(test)(\d+)/', RegexIterator::REPLACE);
$i->replacement = '$2:$1';
	
print_r(iterator_to_array($i));
/*
Array
(
    [0] => 1:test
    [1] => 2:test
    [2] => 3:test
)
*/

je pense qu'on va avoir une 5.3.5 plutôt que prévu :
http://php.developpez.com/actu/26676/PH ... -et-Linux/
http://bugs.php.net/bug.php?id=53632

06 Jan 2011, PHP 5.3.5
- Fixed Bug #53632 (infinite loop with x87 fpu). (Scott, Rasmus)

Implemented FR #47802 (Support for setting character sets in DSN strings). (Kalle)

$dbh = new PDO('mysql:host=localhost;dbname=test;charset=utf-8', 'root');

17 Mars 2011, PHP 5.3.5
Security Enhancements and Fixes in PHP 5.3.6:

* Enforce security in the fastcgi protocol parsing with fpm SAPI.
* Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
* Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
* Fixed bug #54055 (buffer overrun with high values for precision ini setting).
* Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
* Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)

Key enhancements in PHP 5.3.6 include:

* Upgraded bundled Sqlite3 to version 3.7.4.
* Upgraded bundled PCRE to version 8.11.
* Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
* Added options to debug backtrace functions.
* Changed default value of ini directive serialize_precision from 100 to 17.
* Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error).
* Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference).
* Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).
* Over 60 other bug fixes.

18 Aout 2011, PHP 5.3.5
Security Enhancements and Fixes in PHP 5.3.7:

* Updated crypt_blowfish to 1.2. (CVE-2011-2483)
* Fixed crash in error_log(). Reported by Mateusz Kocielski
* Fixed buffer overflow on overlog salt in crypt().
* Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
* Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
* Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)


Key enhancements in PHP 5.3.7 include:

* Upgraded bundled Sqlite3 to version 3.7.7.1
* Upgraded bundled PCRE to version 8.12
* Fixed bug #54910 (Crash when calling call_user_func with unknown function name)
* Fixed bug #54585 (track_errors causes segfault)
* Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
* Fixed a crash inside dtor for error handling
* Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
* Fixed bug #54935 php_win_err can lead to crash
* Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
* Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
* Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)
* Fixed bug #54529 (SAPI crashes on apache_config.c:197)
* Fixed bug #54283 (new DatePeriod(NULL) causes crash).
* Fixed bug #54269 (Short exception message buffer causes crash)
* Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
* Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
* Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor)
* Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())
* Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
* Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
* Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)
* Fixed bug #54681 (addGlob() crashes on invalid flags)
* Over 80 other bug fixes.