- [ main/safe_mode.h ] added new checkuid mode:
CHECKUID_ALLOW_ONLY_FILE: skips directory check if file check
fails
- [ ext/standard/dir.c ] changed php_checkuid() to use
CHECKUID_ALLOW_ONLY_FILE instead of CHECKUID_ALLOW_ONLY_DIR
- [ main/safe_mode.c ] added code for new checkuid mode
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
o New Feature: safe_mode_include_dir (php.ini directive)
- Allows bypassing UID/GID checks when including files
from the directory in safe_mode_include_dir and its
subdirectories. (safe_mode must be on, directory must
also be in include_path or full path must be used when
including)
o Fixed Feature: safe_mode_gid (php.ini directive)
- Correctly check (and report) UID/GID bits on directories
o Changed include() fall back to scripts cwd implementation
- CWD added to the (local) search path in php_fopen_with_path()
instead of separate case. [ main/fopen_wrappers.c ]
a gid check instead of a uid check.
@ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do
@ a gid check instead of a uid check. (James E. Flemer, Rasmus)
DEFAULT_INCLUDE_PATH
PEAR_INSTALL_DIR
PHP_EXTENSION_DIR
PHP_BINDIR
PHP_LIBDIR
PHP_DATADIR
PHP_SYSCONFDIR
PHP_LOCALSTATEDIR
PHP_CONFIG_FILE_PATH
* no longer generating pear/PEAR.php
* fixed some tests
* some more installer work
- Make sapi_module available to external modules (PHPAPI)
- Make the php.ini path reported in phpinfo() always point to
real full path of the php.ini file
- Optimized the ISAPI module not to read unnecessary server
variables and read necessary variables at most once.
* Fixed a bug in zend_rsrc_list_get_rsrc_type()
* Switched register_list_destructors() to use
zend_register_list_destructors_ex() instead
* Updated all relevant modules to provide the resource type name
to register_list_destructors() call
* Updated var_dump() to output resource type name instead of number
@- Made resource type names visible, e.g. var_dump() and
@ get_resource_type() display "file" for file resources. (Andrei)
- configuration is now done by an ini parameter
instead of a compile time option
- the implementations of the three standard wrappers
now live in separate files in ext/standard
- the compiler is happy again, no more warnings
Manual for snprintf says:
If the output was truncated, the return value is -1, otherwise
it is the number of characters stored, not including
the terminating null.
And that's a blatant lie - in reality, libc 2.1 always returns number of
characters that _would be_ stored. I hate those libc bugs. Now we should go
and check every place we trusted snprintf return value.
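An added example, not code from the PHP source tree: a wrapper that reports truncation under both return conventions mentioned in the message above (-1, or the length that would have been stored), so callers never advance a pointer past the buffer. The names checked_snprintf and build_header and the sample strings are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a PHP API): format into buf and return the number
 * of bytes actually stored, never more than size - 1. *truncated is set when
 * the output did not fit, whichever return convention libc follows. */
static size_t checked_snprintf(char *buf, size_t size, int *truncated,
                               const char *fmt, ...)
{
    va_list ap;
    int n;

    *truncated = 0;
    if (size == 0) {
        *truncated = 1;
        return 0;
    }

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0) {                  /* "-1 on truncation" convention, or an error */
        buf[size - 1] = '\0';     /* make sure strlen() stays inside the buffer */
        *truncated = 1;
        return strlen(buf);
    }
    if ((size_t)n >= size) {      /* "would be stored" convention */
        *truncated = 1;
        return size - 1;          /* what is really in the buffer */
    }
    return (size_t)n;
}

/* Builds "name: value" in two steps. Using the raw return value as the offset
 * for the second call is the pattern that overruns the buffer when the first
 * call truncates; the checked length keeps size - used at least 1. */
static size_t build_header(char *out, size_t size, const char *name,
                           const char *value, int *truncated)
{
    int t1 = 0, t2 = 0;
    size_t used = checked_snprintf(out, size, &t1, "%s: ", name);

    used += checked_snprintf(out + used, size - used, &t2, "%s", value);
    *truncated = t1 || t2;
    return used;
}
```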
(the older code worked, even though it didn't compile well for some very odd reason, probably
a compiler bug; The new code would cause PHP to crash if both display_errors/log_errors and
track_errors were enabled)
Added PHP API for registering tick functions. Ticks is a per-instruction
callback in Zend that allows us to implement cooperative multitasking
within PHP. Example:
In extension code:

    php_add_tick_function(my_tick_func);

    void my_tick_func(int count) {
        php_printf("[tick %d]", count);
    }

In PHP code:

    <?php
    declare(ticks = 1) {
        print "there should be two ticks here.\n";
    }
    ?>
- but as it is Sascha who has reverted a zillion patches I don't feel that
- bad about it :)
- The patch is morally incorrect and it actually also has a crash bug which
- I won't point out because it shouldn't be there.
- SG(path_translated) should be set by the SAPI module correctly and if it
- isn't the SAPI module should be fixed and not add code to PHP. There is
- enough special case code in PHP and I would like to clean it up and not
- add more.
- Last but not least, old_cwd takes 4KB of stack space. We should probably
- malloc() it because in ISAPI we only have 10KB of stack space.
to the directory where the executing script is located.
Since this needs to be implemented for all SAPI modules anyway, this
change moves the functionality to php_execute_script() and gets rid
of the per-module code.
long-requested functionality, now that output buffering is re-entrant:
    function eval_ret($code)
    {
        ob_start();
        eval($code);
        $retval = ob_get_contents();
        ob_end_clean();
        return $retval;
    }
plus a little cleanup and rearranging in command line option parsing
@ CGI aka. command line version has now an option '-l' for syntax check
@ without execution (Hartmut)