Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: php/php-src
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: php-8.1.28
Choose a base ref
...
head repository: php/php-src
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: php-8.1.29
Choose a head ref
  • 11 commits
  • 20 files changed
  • 5 contributors

Commits on Apr 10, 2024

  1. Add proc_open escaping for cmd file execution

    @bukka @ramsey
    bukka authored and ramsey committed Apr 10, 2024
    Configuration menu
    Copy the full SHA
    e3c784f View commit details
    Browse the repository at this point in the history

  2. Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial 

    CVE-2022-31629 fix

The check happened too early as later code paths may perform more
mangling rules. Move the check downwards right before adding the actual
variable.
    @nielsdos @ramsey
    nielsdos authored and ramsey committed Apr 10, 2024
    Configuration menu
    Copy the full SHA
    093c08a View commit details
    Browse the repository at this point in the history

  3. Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true 

    Disallow null character in bcrypt password
    @bukka @ramsey
    bukka authored and ramsey committed Apr 10, 2024
    1 Configuration menu
    Copy the full SHA
    0ba5229 View commit details
    Browse the repository at this point in the history

  4. Update NEWS

    @ramsey
    ramsey committed Apr 10, 2024
    Configuration menu
    Copy the full SHA
    de4f7f9 View commit details
    Browse the repository at this point in the history

  5. PHP-8.1 is now for PHP 8.1.29-dev

    @ramsey
    ramsey committed Apr 10, 2024
    Configuration menu
    Copy the full SHA
    ca5fe40 View commit details
    Browse the repository at this point in the history

Commits on Apr 21, 2024

  1. [skip ci] Backport 0e7ef95 and 4f0d4c0

    @iluuu1994
    iluuu1994 committed Apr 21, 2024
    Configuration menu
    Copy the full SHA
    469ad32 View commit details
    Browse the repository at this point in the history

Commits on Jun 5, 2024

  1. Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 

    The old code checked for suffixes but didn't take into account trailing
whitespace. Furthermore, there is peculiar behaviour with trailing dots
too. This all happens because of the special path-handling code inside
CreateProcessW.

By studying Wine's code, we can see that CreateProcessInternalW calls
get_file_name [1] in our case because we haven't provided an application
name. That code gets the first whitespace-delimited string into app_name
excluding the quotes. It's then passed to create_process_params [2]
where there is the path handling code that transforms the command line
argument to an image path [3]. Inside Wine, the extension check if
performed after these transformations [4]. By doing the same thing in
PHP we match the behaviour and can properly match the extension even in
the given edge cases.

[1] https://github.com/wine-mirror/wine/blob/166895ae3ad3890ad946a309d0fd85e89ea3630e/dlls/kernelbase/process.c#L542-L543
[2] https://github.com/wine-mirror/wine/blob/166895ae3ad3890ad946a309d0fd85e89ea3630e/dlls/kernelbase/process.c#L565
[3] https://github.com/wine-mirror/wine/blob/166895ae3ad3890ad946a309d0fd85e89ea3630e/dlls/kernelbase/process.c#L150-L151
[4] https://github.com/wine-mirror/wine/blob/166895ae3ad3890ad946a309d0fd85e89ea3630e/dlls/kernelbase/process.c#L647-L654
    @nielsdos @ramsey
    nielsdos authored and ramsey committed Jun 5, 2024
    Configuration menu
    Copy the full SHA
    c8b3640 View commit details
    Browse the repository at this point in the history

  2. Fix GHSA-3qgc-jrrr-25jv 

    The original code is error-prone due to the "best fit mapping" that
happens with the argument parsing but not with the query string.
When we get a non-ASCII character, try to remap it and see if it becomes
a hyphen.

An alternative approach is to create a custom main `wmain` receiving
wide-character variations that does the ANSI transformation with the
best-fit mapping, but that's more error-prone and could cause unexpected
breakage.

Another alternative was just don't doing this check altogether and
always check for `cgi || fastcgi` instead, but that breaks real-world
use-cases.
    @nielsdos @ramsey
    nielsdos authored and ramsey committed Jun 5, 2024
    Configuration menu
    Copy the full SHA
    4dd9a36 View commit details
    Browse the repository at this point in the history

  3. Fix GHSA-w8qr-v226-r27w 

    We should not early-out with success status if we found an ipv6
hostname, we should keep checking the rest of the conditions.
Because integrating the if-check of the ipv6 hostname in the
"Validate domain" if-check made the code hard to read, I extracted the
condition out to a separate function. This also required to make
a few pointers const in order to have some clean code.
    @nielsdos @ramsey
    nielsdos authored and ramsey committed Jun 5, 2024
    Configuration menu
    Copy the full SHA
    5c6d473 View commit details
    Browse the repository at this point in the history

  4. Update NEWS 

    Co-authored-by: Eric Mann <[email protected]>
    @ramsey @ericmann
    ramsey and ericmann committed Jun 5, 2024
    Configuration menu
    Copy the full SHA
    6150156 View commit details
    Browse the repository at this point in the history

  5. Update versions for PHP 8.1.29

    @ramsey
    ramsey committed Jun 5, 2024
    Configuration menu
    Copy the full SHA
    fc4973f View commit details
    Browse the repository at this point in the history
Loading