mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
292 lines
11 KiB
Plaintext
Executable File
292 lines
11 KiB
Plaintext
Executable File
$Id$
|
|
|
|
PHP 5.6 UPGRADE NOTES
|
|
|
|
1. Backward Incompatible Changes
|
|
2. New Features
|
|
2. Changes in SAPI modules
|
|
3. Deprecated Functionality
|
|
4. Changed Functions
|
|
5. New Functions
|
|
6. New Classes and Interfaces
|
|
7. Removed Extensions
|
|
8. Other Changes to Extensions
|
|
9. New Global Constants
|
|
10. Changes to INI File Handling
|
|
11. Other Changes
|
|
|
|
|
|
========================================
|
|
1. Backward Incompatible Changes
|
|
========================================
|
|
|
|
- JSON:
|
|
json_decode() no longer accepts non-lowercase variants of lone JSON true,
|
|
false or null values. For example, True or FALSE will now cause json_decode to
|
|
return NULL and set an error value you can fetch with json_last_error().
|
|
This affects JSON texts consisting solely of true, false or null. Text
|
|
containing non-lowercase values inside JSON arrays or objects has never been
|
|
accepted.
|
|
|
|
- OpenSSL:
|
|
To prevent man-in-the-middle attacks against encrypted transfers client
|
|
streams now verify peer certificates by default. Previous versions
|
|
required users to manually enable peer verification. As a result of this
|
|
change, existing code using ssl:// or tls:// stream wrappers (e.g.
|
|
file_get_contents(), fsockopen(), stream_socket_client()) may no longer
|
|
connect successfully without manually disabling peer verification via the
|
|
stream context's "verify_peer" setting. Encrypted transfers delegate to
|
|
operating system certificate stores by default if not overridden via the
|
|
new openssl.cafile and openssl.cafile ini directives or via call-time SSL
|
|
context options, so most users should be unaffected by this transparent
|
|
security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
|
|
|
|
========================================
|
|
2. New Features
|
|
========================================
|
|
|
|
- Added constant scalar expressions syntax.
|
|
(https://wiki.php.net/rfc/const_scalar_exprs)
|
|
|
|
- Added dedicated syntax for variadic functions.
|
|
(https://wiki.php.net/rfc/variadics)
|
|
|
|
- Added support for argument unpacking to complement the variadic syntax.
|
|
(https://wiki.php.net/rfc/argument_unpacking)
|
|
|
|
- Added an exponentiation operator (**).
|
|
(https://wiki.php.net/rfc/pow-operator)
|
|
|
|
- Added unified default encoding. default_charset=UTF-8 and functions/extensions
|
|
use encoding settings honor default_charset.
|
|
|
|
- The php://input stream is now re-usable and can be used concurrently with
|
|
enable_post_data_reading=0.
|
|
|
|
- Added use function and use const.
|
|
(https://wiki.php.net/rfc/use_function)
|
|
|
|
- Added gost-crypto (CryptoPro S-box) hash algorithm.
|
|
|
|
- Stream wrappers verify peer certificates and host names by default in
|
|
encrypted client streams.
|
|
|
|
- Added openssl certificate fingerprint support (inclusive stream context
|
|
option).
|
|
|
|
- Added support for SAN x509 extension matching when verifing host names in
|
|
encrypted streams.
|
|
|
|
- Added a range of new SSL context options for improved encrypted stream
|
|
server security (https://wiki.php.net/rfc/improved-tls-defaults):
|
|
|
|
. "honor_cipher_order" allows servers to prioritize cipher suites of their
|
|
choosing when negotiating SSL/TLS handshakes.
|
|
. "single_ecdh_use" and "single_dh_use" allow for improved forward
|
|
secrecy in encrypted stream servers.
|
|
. "dh_param" allows specification of pre-generated key generation
|
|
parameters when negotiating ephemeral DHE ciphers in stream servers.
|
|
. "ecdh_curve" allows stream servers to specify which curve to use when
|
|
negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
|
|
. "rsa_key_size" SSL context option gives stream servers control
|
|
over the key size (in bits) used when negotiating RSA ciphers.
|
|
. "capture_session_meta" if specified stores an array of data describing
|
|
the TLS session's protocol/cipher in the "session_meta" SSL context key.
|
|
|
|
- Added automatic mitigation against client-initated TLS renegotiation DoS
|
|
attacks in encrypted server streams. Renegotiation limiting may be
|
|
customized via three new SSL context options:
|
|
|
|
. "reneg_limit" (number of allowed renegotiations per time window)
|
|
. "reneg_window" (renegotiation time window in seconds)
|
|
. "reneg_limit_callback" (optional notification callback on limiting)
|
|
|
|
- Encrypted TLS servers now support the server name indication (SNI) TLS
|
|
extension via the new "SNI_server_certs" SSL context option.
|
|
|
|
- Added "crypto_method" SSL context option for use in encrypted streams.
|
|
|
|
- Added "peer_name" SSL context option to better reflect peer certificate
|
|
name matching using SAN extension (replaces deprecated "CN_match").
|
|
|
|
- Added stream wrapper support when specifying "cafile" SSL context paths.
|
|
|
|
- Independent peer cert and peer name validation is now available via a new
|
|
boolean "verify_peer_name" SSL context option. This option is enabled by
|
|
default in encrypted client streams.
|
|
|
|
- Added protocol-specific tlsv1.0://, tlsv1.1:// and tlsv1.2:// encryption
|
|
stream wrappers. tls:// wrapper now supports TLSv1.1 and TLSv1.2 (previously
|
|
only supported TLSv1).
|
|
|
|
- Stream crypto method specification now accepts flags instead of values
|
|
allowing support for multiple discrete protocols in a given stream.
|
|
|
|
========================================
|
|
2. Changes in SAPI modules
|
|
========================================
|
|
|
|
- Added phpdbg SAPI.
|
|
(https://wiki.php.net/rfc/phpdbg)
|
|
|
|
- Support for FPM workers changing the apparmor profile through the pool configuration.
|
|
(https://wiki.php.net/rfc/fpm_change_hat)
|
|
|
|
========================================
|
|
3. Deprecated Functionality
|
|
========================================
|
|
|
|
- Incompatible context calls:
|
|
Instance calls from an incompatible context are now deprecated and issue
|
|
E_DEPRECATED instead of E_STRICT. See https://wiki.php.net/rfc/incompat_ctx
|
|
|
|
- The "CN_match" SSL context option is deprecated in favor of the new
|
|
"peer_name" option. Name verification now checks certificate SAN names as
|
|
well as the CN field and "CN_match" is deprecated to avoid confusion. Its
|
|
use triggers E_DEPRECATED but continues to work as before. If both values
|
|
are specified "CN_match" takes precedence. Otherwise, the two options are
|
|
interchangeable.
|
|
|
|
========================================
|
|
4. Changed Functions
|
|
========================================
|
|
|
|
- cURL:
|
|
CURLOPT_SAFE_UPLOAD is now turned on by default and uploads with @file
|
|
do not work unless it is explicitly set to false.
|
|
|
|
- Crypt:
|
|
crypt() will now raise an E_NOTICE error if the salt parameter is omitted.
|
|
See: https://wiki.php.net/rfc/crypt_function_salt
|
|
|
|
- XMLReader:
|
|
XMLReader::getAttributeNs and XMLReader::getAttributeNo now return NULL if
|
|
the attribute could not be found, just like XMLReader::getAttribute.
|
|
|
|
- Pgsql:
|
|
pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
|
|
|
|
========================================
|
|
5. New Functions
|
|
========================================
|
|
|
|
- GMP:
|
|
Added gmp_root($a, $nth) and gmp_rootrem($a, $nth) for calculating nth roots.
|
|
|
|
- OpenSSL:
|
|
Added string openssl_x509_fingerprint($x509, $type, $binary).
|
|
Added string openssl_spki_new($private_key, $challenge, $algorithm)
|
|
Added bool openssl_spki_verify($spkac)
|
|
Added string openssl_spki_export($spkac)
|
|
Added string openssl_spki_export_challenge($spkac)
|
|
Added array openssl_get_cert_locations()
|
|
|
|
- LDAP:
|
|
Added ldap_escape($value, $ignore = "", $flags = 0).
|
|
Added ldap_modify_batch($link_identifier, $dn, $modifications) described in
|
|
https://wiki.php.net/rfc/ldap_modify_batch.
|
|
|
|
- Zip:
|
|
Added ZipArchive::setPassword($password)
|
|
|
|
========================================
|
|
6. New Classes and Interfaces
|
|
========================================
|
|
|
|
|
|
========================================
|
|
7. Removed Extensions
|
|
========================================
|
|
|
|
|
|
========================================
|
|
8. Other Changes to Extensions
|
|
========================================
|
|
|
|
- cURL:
|
|
- The following constants have been removed as they are now marked "obsolete"
|
|
in the underlying library and never had any effect to begin with:
|
|
. CURLOPT_CLOSEPOLICY
|
|
. CURLCLOSEPOLICY_CALLBACK
|
|
. CURLCLOSEPOLICY_LEAST_RECENTLY_USED
|
|
. CURLCLOSEPOLICY_LEAST_TRAFFIC
|
|
. CURLCLOSEPOLICY_OLDEST
|
|
. CURLCLOSEPOLICY_SLOWEST
|
|
|
|
- GMP:
|
|
The GMP extension now uses objects as the underlying data structure, rather
|
|
than resources. GMP instances now support dumping, serialization, cloning,
|
|
casts to primitive types and have overloaded operators.
|
|
(RFC: https://wiki.php.net/rfc/operator_overloading_gmp)
|
|
|
|
- OCI8:
|
|
- Added Implicit Result Set support for Oracle Database 12c with a
|
|
new oci_get_implicit_resultset() function.
|
|
- Using 'oci_execute($s, OCI_NO_AUTO_COMMIT)' for a SELECT no longer
|
|
unnecessarily initiates an internal ROLLBACK during connection
|
|
close.
|
|
- Added DTrace probes enabled with PHP's generic --enable-dtrace
|
|
- The oci_internal_debug() function is now a no-op.
|
|
- The phpinfo() output format for OCI8 has changed.
|
|
|
|
- Pgsql:
|
|
- pg_insert()/pg_select()/pg_update()/pg_delete()/pg_meta_data()/pg_convert()
|
|
are no longer EXPERIMENTAL
|
|
- Added PGSQL_DML_ESCAPE option for pg_insert()/pg_select()/pg_update()/pg_delete()
|
|
that simply escapes all supplied parameters. These functions can be as fast as
|
|
native query. Unvalidated data(Unknown data types) is passed as string.
|
|
JSON/Array/etc are supported both PGSQL_DML_ESCAPE and pg_convert() as string.
|
|
- pg_select() returns PostgreSQL query resource when query is executed.
|
|
- Added extended flag parameter for pg_meta_data(). pg_meta_data() always
|
|
returns "is enum" attribute.
|
|
|
|
========================================
|
|
9. New Global Constants
|
|
========================================
|
|
|
|
- LDAP:
|
|
LDAP_ESCAPE_FILTER int(1)
|
|
LDAP_ESCAPE_DN int(2)
|
|
|
|
- Pgsql:
|
|
PGSQL_DML_ESCAPE int(4096)
|
|
|
|
- OpenSSL:
|
|
STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT int(9)
|
|
STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT int(17)
|
|
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT int(33)
|
|
STREAM_CRYPTO_METHOD_ANY_CLIENT int(63)
|
|
STREAM_CRYPTO_METHOD_TLSv1_0_SERVER int(8)
|
|
STREAM_CRYPTO_METHOD_TLSv1_1_SERVER int(16)
|
|
STREAM_CRYPTO_METHOD_TLSv1_2_SERVER int(32)
|
|
STREAM_CRYPTO_METHOD_ANY_SERVER int(62)
|
|
OPENSSL_DEFAULT_STREAM_CIPHERS string
|
|
|
|
========================================
|
|
10. Changes to INI File Handling
|
|
========================================
|
|
|
|
- Core:
|
|
Changed always_populate_raw_post_data to throw a deprecation warning when
|
|
enabled and to recognize the value -1 for never populating the global
|
|
$HTTP_RAW_POST_DATA variable, which will be default in future PHP versions.
|
|
|
|
- OpenSSL:
|
|
openssl.cafile and openssl.capath ini directives have been added to allow
|
|
global CA default specification as necessary.
|
|
|
|
========================================
|
|
11. Other Changes
|
|
========================================
|
|
|
|
- File upload:
|
|
Uploads equal or greater than 2GB in size are now accepted.
|
|
|
|
- HTTP stream wrapper:
|
|
HTTP 1.1 requests now include a Connection: close header unless explicitly
|
|
overridden by setting a Connection header via the header context option.
|
|
|
|
- Zip:
|
|
New --with-libzip option allow to use system libzip. Version > 0.11 required,
|
|
Version >= 0.11.2 recommended for all features.
|