Skip to content

[pull] master from php:master #850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Jul 1, 2025
Merged

[pull] master from php:master #850

merged 14 commits into from
Jul 1, 2025

Conversation

@pull
Copy link

@pull pull bot commented Jul 1, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.2)

Can you help keep this open source service alive? 💖 Please sponsor : )

bukka and others added 14 commits June 23, 2025 23:00
@bukka
Fix GHSA-3cr5-j632-f35r: Null byte in hostnames
cac8f7f 
This fixes stream_socket_client() and fsockopen().

Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
@bukka
Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks
9376aee 
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
@Lekssays @ndossche
Fix GHSA-453j-q27h-5p8x
9cb3d8d 
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.

Co-authored-by: Niels Dossche <[email protected]>
@bukka
Update NEWS with entries for security fixes
7b33b1c
@TimWolla
Zend: Use zend_bad_method_call() when cloning from the wrong scope (#…
59dd0f8 
…18999)
@kocsismate
Update uriparser to commit 5f7c6d88c50f548d0c7f499c22d36f51d34775b3
6637638 
While there, fix Windows build by adding UriResolve.c to the sources.
@ramsey
Merge branch 'PHP-8.1.33-security' into PHP-8.1
13bc0e2
@ramsey
PHP-8.1 is now for PHP 8.1.34-dev
ca09f4d
@ramsey
Merge branch 'PHP-8.1' into PHP-8.2
442638e
@ramsey
Merge branch 'PHP-8.2' into PHP-8.3
fa960f7
@ramsey
Merge branch 'PHP-8.3' into PHP-8.4
881ec13
@ramsey
Merge branch 'PHP-8.4'
607eec8
@DanielEScherzer
release-process: update some confusing parts (#18934)
642d729 
Update based on my training with Pierrick
* dates should correspond to when releases are released, not tagged
* qa.php.net is no longer used
* bugs.php.net is no longer used
* multiple commits to web-php can be combined
@DanielEScherzer
[ci skip] Update NEWS for PHP 8.5.0 alpha2
45c4650
@pull pull bot locked and limited conversation to collaborators Jul 1, 2025
@pull pull bot added the ⤵️ pull label Jul 1, 2025
@pull pull bot merged commit 45c4650 into wudi:master Jul 1, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bukka @Lekssays @TimWolla @kocsismate @ramsey @DanielEScherzer