Check open_basedir after the fallback to the system's temporary
directory in tempnam().
In order to preserve the current behavior of upload_tmp_dir
(do not check explicitly specified dir, but check fallback),
new flags are added to check open_basedir for explicit dir
and for fallback.
Closes GH-6526.
In the case of a stream with no filters, php_stream_fill_read_buffer
only reads stream->chunk_size into the read buffer. If the stream has
filters attached, it could unnecessarily buffer a large amount of data.
With this change, php_stream_fill_read_buffer only proceeds until either
the requested size or stream->chunk_size is available in the read buffer.
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
Closes GH-6444.
The timeout is only real-time based on Windows. Make this use
a busy wait loop instead. If hard_timeout is broken, this will
fail with a run-tests enforced timeout instead.
We switch the cookie value parsing function from `php_url_decode()` to
`php_raw_url_decode()`, so that cookie values are now parsed according
to RFC 6265, section 4.1.1. We also refactor to remove duplicate code
without changing the execution flow.
After taking a more detailed look at our commonly failing timeout
tests... turns out that most of them are useless as written and
don't test what they're supposed to.
This PR has a couple of changes:
* Tests for timeout in while/for/foreach should just have the loop
as an infinite loop. Calling into something like busy_wait means
that we just end up always testing whatever busy_wait does.
* Tests for timeouts in calls need to be based on something like
sleep, otherwise we'd have to introduce a loop, and we'd end up
testing timeout of the looping structure instead. Using sleep only
works on Windows, because that's the only system where sleep counts
towards the timeout. As such, many of those tests are now Windows only.
* Removed some tests where I don't see a good way to test what they're
supposed to test. E.g. how can we test a timeout in eval() specifically?
The shutdown function tests are marked as XFAIL, as we are currently
missing a timeout check in call_user_function. I believe that's a
legitimate issue.
Closes GH-4969.
This goes in the reverse direction of 4463acb951.
After looking around a bit, it seems that we already check for
Z_ISERROR_P() on the get_property_ptr_ptr return value in other places.
So do this in zend_fetch_property_address() as well, and also make
sure that EG(error_zval) is indeed returned on exception in
get_property_ptr_ptr.
In particular, this fixes the duplicate exceptions that we used to
get because first get_property_ptr_ptr threw one and then
read_property throws the same exception again.
Relying on setting ERROR if an exception happened during the
property address fetch is both a bit fragile and may pessimize
other codepaths that will check for exceptions in the VM. Adding
an extra exception check instead, which should also allow us to
drop the use of ERROR in this area in master.
This is a fix for symfony/symfony#32995.
The behavior is:
* Throwing exception when loading parent/interface is allowed
(and we will also throw one if the class is simply not found).
* If this happens, the bucket key for the class is reset, so
it's possibly to try registering the same class again.
* However, if the class has already been used due to a variance
obligation, the exception is upgraded to a fatal error, as we
cannot safely unregister the class stub anymore.
No notice is thrown for list() accesses, because we did not come
to an agreement regarding patterns like
while ([$key, $value] = yield $it->next()) { ... }
where silent null access may be desirable.
No effort is made to suppress multiple notices in access chains
likes $x[0][0][0], because the technical complexity this causes
does not seem worthwhile.
RFC: https://wiki.php.net/rfc/notice-for-non-valid-array-container
Another stab in the dark to fix the intermittent failures of timeout
tests on macos CI: We're using ITIMER_PROF, which means that the
timer counts against user+system time. The "busy" wait loop counts
against real time. Currently it calls microtime() on every iteration.
If that call is implemented as a syscall rather than going through
vDSO or commpage we might be seeing many context switches here which
drive up the real time, but not user or system time.
See if making the loop busier and calling microtime() less helps the
situation.
RFC: https://wiki.php.net/rfc/tostring_exceptions
And convert some object to string conversion related recoverable
fatal errors into Error exceptions.
Improve exception safety of internal code performing string
conversions.
Ensure that the "creating default object from empty value" warning is
always thrown. Previously some cases were missing the warning, in
particular those going through FETCH_OBJ_W rather than a dedicated
opcode (like ASSIGN_OBJ).
One slightly unfortunate side-effect of this change is that something
like $a->b->c = 'd' will now generate two warnings rather than one
when $a is null (one for property b, one for property c).
RFC: https://wiki.php.net/rfc/typed_properties_v2
This is a squash of PR #3734, which is a squash of PR #3313.
Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Joe Watkins <krakjoe@php.net>
Co-authored-by: Dmitry Stogov <dmitry@zend.com>