php-src/ext
Anatol Belski 5328d42899 Fixed bug #67072 Echoing unserialized "SplFileObject" crash
The actual issue lies in the unserializer code which doesn't honor
the unserialize callback. By contrast, the serialize callback is
respected. This leads to the situation that even if a class has
disabled the serialization explicitly, a user could still construct
a vulnerable string which would result in bad things when trying
to unserialize.

This concerns also the classes implementing Serializable as well
as some core classes disabling serialize/unserialize callbacks
explicitly (PDO, SimpleXML, SplFileInfo and co). As of now, the
flow is first to call the unserialize callback (if available),
then call __wakeup. If the unserialize callback returns with no
success, no object is instantiated. This makes the scheme used
by internal classes effective, to disable unserialize just assign
zend_class_unserialize_deny as callback.
2014-04-17 10:48:14 +02:00
..
bcmath Bump year 2014-01-03 11:04:26 +08:00
bz2 Bump year 2014-01-03 11:04:26 +08:00
calendar Bump year 2014-01-03 11:04:26 +08:00
com_dotnet Bump year 2014-01-03 11:04:26 +08:00
ctype Bump year 2014-01-03 11:04:26 +08:00
curl Fix #66562: Consistency bug where curl_multi_getcontent behaves different from curl_exec 2014-04-13 18:12:17 -07:00
date Fix bug #66721 2014-04-13 15:51:55 -07:00
dba Bump year 2014-01-03 11:04:26 +08:00
dom correct the bug #67081 fix 2014-04-16 15:06:57 +02:00
enchant Bump year 2014-01-03 11:04:26 +08:00
ereg Bump year 2014-01-03 11:04:26 +08:00
exif Bump year 2014-01-03 11:04:26 +08:00
fileinfo Fixed Bug #66987 Memory corruption in fileinfo ext (bigendian) 2014-03-31 16:50:47 +02:00
filter Bump year 2014-01-03 11:04:26 +08:00
ftp Bump year 2014-01-03 11:04:26 +08:00
gd Bump year 2014-01-03 11:04:26 +08:00
gettext Bump year 2014-01-03 11:04:26 +08:00
gmp restored the old code in 5.4/5 related to bug #66872 2014-03-11 11:50:14 +01:00
hash Bump year 2014-01-03 11:04:26 +08:00
iconv Bump year 2014-01-03 11:04:26 +08:00
imap Bump year 2014-01-03 11:04:26 +08:00
interbase Cleanup $ is not needed for git 2014-04-10 17:42:32 +03:00
intl backported some ext/intl tests from 5.6 into 5.4 2014-04-14 16:31:18 +02:00
json Merge branch 'pull-request/518' into PHP-5.4 2014-04-13 18:50:39 -07:00
ldap Fix null byte in LDAP bindings 2014-04-14 10:44:53 -07:00
libxml fixed post deactivate signature in ext\libxml 2014-01-21 17:08:59 +01:00
mbstring tests still failing, so xfail for now until fixed 2014-01-29 23:48:07 -08:00
mcrypt Bump year 2014-01-03 11:04:26 +08:00
mssql Bump year 2014-01-03 11:04:26 +08:00
mysql Bump year 2014-01-03 11:04:26 +08:00
mysqli test for bug #66762 2014-02-27 08:48:01 +01:00
mysqlnd add text for the new constants 2014-01-28 15:32:59 +02:00
oci8 Reduce test noise on cross Oracle client <-> server version tests. 2014-02-24 17:01:30 -08:00
odbc Bump year 2014-01-03 11:04:26 +08:00
openssl Fix #66942: openssl_seal() memory leak 2014-04-14 13:24:14 -07:00
pcntl Bump year 2014-01-03 11:04:26 +08:00
pcre Bump year 2014-01-03 11:04:26 +08:00
pdo Fixed arginfo of PDO::__construct() to match the docs and zend_parse_parameters definition. 2014-01-28 13:31:52 +01:00
pdo_dblib Bump year 2014-01-03 11:04:26 +08:00
pdo_firebird Cleanup $ is not needed for git 2014-04-10 17:42:32 +03:00
pdo_mysql We can't dereference dbh if it is NULL 2014-02-23 14:18:24 +01:00
pdo_oci Bump year 2014-01-03 11:04:26 +08:00
pdo_odbc Bump year 2014-01-03 11:04:26 +08:00
pdo_pgsql fix test bug62479.phpt 2014-01-25 23:25:39 -08:00
pdo_sqlite Bump year 2014-01-03 11:04:26 +08:00
pgsql Fixed possible injections against pg_insert()/pg_delete()/pg_update()/pg_select() 2014-02-16 10:45:15 +09:00
phar Bump year 2014-01-03 11:04:26 +08:00
posix Fix test - on CI somebody could create a process in the meantime 2014-04-14 15:44:23 -07:00
pspell Bump year 2014-01-03 11:04:26 +08:00
readline Bump year 2014-01-03 11:04:26 +08:00
recode Bump year 2014-01-03 11:04:26 +08:00
reflection fix tests broken by 633f898f15 2014-02-27 02:31:42 +01:00
session fix windows build 2014-04-14 23:29:38 +02:00
shmop Bump year 2014-01-03 11:04:26 +08:00
simplexml Fixed bug #66084 simplexml_load_string() mangles empty node name 2014-04-05 09:46:24 +02:00
skeleton fixed skeleton to produce the normalized ext version macros 2013-10-14 14:18:43 +02:00
snmp Bump year 2014-01-03 11:04:26 +08:00
soap Bump year 2014-01-03 11:04:26 +08:00
sockets Bump year 2014-01-03 11:04:26 +08:00
spl fix tests broken by 633f898f15 2014-02-27 02:31:42 +01:00
sqlite3 Bump year 2014-01-03 11:04:26 +08:00
standard Fixed bug #67072 Echoing unserialized "SplFileObject" crash 2014-04-17 10:48:14 +02:00
sybase_ct Bump year 2014-01-03 11:04:26 +08:00
sysvmsg Bump year 2014-01-03 11:04:26 +08:00
sysvsem Bump year 2014-01-03 11:04:26 +08:00
sysvshm Bump year 2014-01-03 11:04:26 +08:00
tidy Bump year 2014-01-03 11:04:26 +08:00
tokenizer a few typofixes 2014-02-14 14:51:10 +02:00
wddx Bump year 2014-01-03 11:04:26 +08:00
xml Bump year 2014-01-03 11:04:26 +08:00
xmlreader Bump year 2014-01-03 11:04:26 +08:00
xmlrpc Bump year 2014-01-03 11:04:26 +08:00
xmlwriter Bump year 2014-01-03 11:04:26 +08:00
xsl added test for bug #53965 2014-04-01 10:08:08 +02:00
zip Bump year 2014-01-03 11:04:26 +08:00
zlib Bump year 2014-01-03 11:04:26 +08:00
ext_skel - ext_skel should create a .svnignore not .cvsignore these days 2010-08-06 22:19:47 +00:00
ext_skel_win32.php revert change #298288: Remove old dsp/dsw/makefile files 2010-04-28 14:41:51 +00:00