After a lengthy QA process, PHP 4.1.0 is finally out. Download at http://www.php.net/downloads.php !
PHP 4.1.0 includes several other key improvements:

- A new input interface for improved security (read below)
- Highly improved performance in general
- Revolutionary performance and stability improvements under Windows. The
  multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as
  much as 30 times faster under load! We want to thank Brett Brewer and his
  team in Microsoft for working with us to improve PHP for Windows.
- Versioning support for extensions. Right now it's barely being used, but the
  infrastructure was put in place to support separate version numbers for
  different extensions. The negative side effect is that loading extensions
  that were built against old versions of PHP will now result in a crash,
  instead of in a nice clear message. Make sure you only use extensions built
  with PHP 4.1.0.
- Turn-key output compression support
- *LOTS* of fixes and new functions

As some of you may notice, this version is quite historical, as it's the first time in history we actually incremented the middle digit! :) The two key reasons for this unprecedented change were the new input interface, and the broken binary compatibility of modules due to the versioning support.

Following is a description of the new input mechanism. For a full list of changes in PHP 4.1.0, scroll down to the end of this section.

-----------------------------------
SECURITY: NEW INPUT MECHANISM
-----------------------------------

First and foremost, it's important to stress that regardless of anything you may read in the following lines, PHP 4.1.0 *supports* the old input mechanisms from older versions. Old applications should go on working fine without modification! Now that we have that behind us, let's move on :)

For various reasons, PHP setups which rely on register_globals being on (i.e., on form, server and environment variables becoming a part of the global namespace, automatically) are very often exploitable to various degrees.
For example, the piece of code:

    <?php
    if (authenticate_user()) {
        $authenticated = true;
    }
    ...
    ?>

may be exploitable, as remote users can simply pass 'authenticated' as a form variable, and then even if authenticate_user() returns false, $authenticated will actually be set to true. While this looks like a simple example, in reality quite a few PHP applications ended up being exploitable by things related to this misfeature.

While it is quite possible to write secure code in PHP, we felt that the fact that PHP makes it too easy to write insecure code was bad, and we've decided to attempt a far-reaching change, and deprecate register_globals. Obviously, because the vast majority of the PHP code in the world relies on the existence of this feature, we have no plans to actually remove it from PHP anytime in the foreseeable future, but we've decided to encourage people to shut it off whenever possible.

To help users build PHP applications with register_globals being off, we've added several new special variables that can be used instead of the old global variables. There are 7 new special arrays:

  $_GET     - contains form variables sent through GET
  $_POST    - contains form variables sent through POST
  $_COOKIE  - contains HTTP cookie variables
  $_SERVER  - contains server variables (e.g., REMOTE_ADDR)
  $_ENV     - contains the environment variables
  $_REQUEST - a merge of the GET variables, POST variables and Cookie variables.
              In other words - all the information that is coming from the
              user, and that from a security point of view, cannot be trusted.
  $_SESSION - contains HTTP variables registered by the session module

Now, other than the fact that these variables contain this special information, they're also special in another way - they're automatically global in any scope. This means that you can access them anywhere, without having to 'global' them first. For example:

    function example1()
    {
        print $_GET["name"];  // works, 'global $_GET;' is not necessary!
    }

would work fine!
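The following script is an added example, not code from the announcement or from the PHP project. It reproduces the register_globals problem shown above and places the same check, rewritten against the new auto-global arrays, beside it. authenticate_user(), the hard-coded credentials and the request contents are assumptions made for this demonstration; because the announcement only shows the vulnerable fragment, the hardened form and the simulation of register_globals are the editor's additions.

```php
<?php
// Added example, not code from the PHP 4.1.0 announcement. It reproduces the
// register_globals problem described above and shows the same check written
// against the new auto-global arrays. authenticate_user(), the hard-coded
// credentials and the request contents are assumptions made for this demo.

// Stand-in for register_globals=On: every request variable is copied into the
// global namespace. PHP does this automatically when the directive is on; it
// is done by hand here so the script also runs with register_globals=Off.
function simulate_register_globals($request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Assumed credential check; a real application would consult a user store.
function authenticate_user($user, $pass)
{
    return $user === 'admin' && $pass === 's3cret';
}

// Vulnerable pattern from the announcement, wrapped in a function so it can
// be called alongside the hardened one. $authenticated is never initialised,
// so whatever the request put into the global namespace is its starting value.
function vulnerable_check()
{
    global $authenticated, $user, $pass;
    if (authenticate_user($user, $pass)) {
        $authenticated = true;
    }
    return !empty($authenticated);
}

// Hardened pattern: initialise every security-relevant variable, and read
// input only from the explicit auto-global array ($_POST). The auto-globals
// are visible inside the function with no 'global' statement.
function hardened_check()
{
    $authenticated = false;
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (authenticate_user($user, $pass)) {
        $authenticated = true;
        // Assigning into $_SESSION registers the variable with the session
        // module; no session_register('user') call is needed.
        $_SESSION['user'] = $user;
    }
    return $authenticated;
}

// Constructed request: correct user name, wrong password, plus an
// attacker-supplied 'authenticated' field.
$attack = array('user' => 'admin', 'pass' => 'wrong', 'authenticated' => '1');

$_POST    = $attack;
$_SESSION = array();   // stand-in for session_start() so this runs from the CLI
simulate_register_globals($attack);

echo "register_globals-style check: ",
     vulnerable_check() ? "accepted (exploited)" : "rejected", "\n";
echo "auto-global check:            ",
     hardened_check() ? "accepted" : "rejected", "\n";
```

Run from the command line, the register_globals-style check accepts the forged request while the auto-global check rejects it: the attacker never had to defeat authenticate_user(), only to name a form field after a variable the script forgot to initialise. Two practical points follow from this. First, initialising variables is as important as where you read input from; register_globals=Off alone does not fix code that trusts an uninitialised variable if something else (for example an extract() call on user data) populates it. Second, $_REQUEST is a merge, so if the same name arrives both as a cookie and as a form field one of them silently shadows the other according to the php.ini precedence; for anything security-relevant, read the specific array ($_POST, $_COOKIE) rather than $_REQUEST.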
We hope that this fact would ease the pain in migrating old code to new code a bit, and we're confident it's going to make writing new code easier.

Another neat trick is that creating new entries in the $_SESSION array will automatically register them as session variables, as if you called session_register(). This trick is limited to the session module only - for example, setting new entries in $_ENV will *not* perform an implicit putenv().

PHP 4.1.0 still defaults to having register_globals set to on. It's a transitional version, and we encourage application authors, especially of public ones which are used by a wide audience, to change their applications to work in an environment where register_globals is set to off. Of course, they should take advantage of the new features supplied in PHP 4.1.0 that make this transition much easier.

As of the next semi-major version of PHP, new installations of PHP will default to having register_globals set to off. No worries! Existing installations, which already have a php.ini file that has register_globals set to on, will not be affected. Only when you install PHP on a brand new machine (typically, if you're a brand new user) will this affect you, and then too - you can turn it on if you choose to.

Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names still work, but we encourage users to switch to the new shorter, and auto-global versions.

Thanks go to Shaun Clowes ([EMAIL PROTECTED]) for pointing out this problem and for analyzing it.

-------------------------------------
FULL LIST OF CHANGES

10 Dec 2001, Version 4.1.0
- Worked around a bug in the MySQL client library that could cause PHP to hang when using unbuffered queries. (Zeev)
- Fixed a bug which caused set_time_limit() to affect all subsequent requests to the running Apache child process. (Zeev)
- Removed the sablotron extension in favor of the new XSLT extension.
  (Sterling)
- Fixed a bug in WDDX deserialization that would sometimes corrupt the root element if it was a scalar one. (Andrei)
- Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images. (Rasmus)
- Fixed a bug in preg_match_all() that would return results under improper indices in certain cases. (Andrei)
- Fixed a crash in str_replace() that would happen if the search parameter was an array and one of the replacements resulted in the subject string being empty. (Andrei)
- Fixed MySQL extension to work with MySQL 4.0. (Jani)
- Fixed a crash bug within Cobalt systems. Patch by [EMAIL PROTECTED] (Jani)
- Bundled Dan Libby's xmlrpc-epi extension.
- Introduced extension version numbers. (Stig)
- Added version_compare() function. (Stig)
- Fixed pg_last_notice() (could cause random crashes in PostgreSQL applications, even if they didn't use pg_last_notice()). (Zeev)
- Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of E_ERROR errors; this allows you to trap errors thrown by DOMXML functions. (Sterling)
- Fixed a bug in the mcrypt extension, where list destructors were not properly being allocated. (Sterling)
- Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
- Fixed a crash bug in array_map() if the input arrays had string or non-sequential keys. Also modified it so that if a single array is passed, its keys are preserved in the resulting array. (Andrei)
- Fixed a crash in dbase_replace_record. (Patch by [EMAIL PROTECTED])
- Fixed a crash in msql_result(). (Zeev)
- Added support for single dimensional SafeArrays and Enumerations. Added an is_enum() function to check if a component implements an enumeration. (Alan, Harald)
- Fixed a bug in dbase_get_record() and dbase_get_record_with_names(). Boolean fields are now returned correctly. Patch by Lawrence E. Widman <[EMAIL PROTECTED]> (Jani)
- Added --version option to php-config. (Stig)
- Improved support for thttpd-2.21b by incorporating patches for all known bugs.
  (Sascha)
- Added ircg_get_username, a roomkey argument to ircg_join, error fetching infrastructure, a tokenizer to speed up message processing, and fixed a lot of bugs in the IRCG extension. (Sascha)
- Improved speed of the serializer/deserializer. (Thies, Sascha)
- Floating point numbers are better detected when converting from strings. (Zeev, Zend Engine)
- Replaced php.ini-optimized with php.ini-recommended. As the name implies, it's warmly recommended to use this file as the basis for your PHP configuration, rather than php.ini-dist. (Zeev)
- Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There are still some known leaks. (Joey)
- Added import_request_variables(), to allow users to safely import form variables to the global scope (Zeev)
- Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE variables. Like the other new variables, this variable is also available regardless of the context. (Andi & Zeev)
- Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which deprecate the old $HTTP_*_VARS arrays. In addition to being much shorter to type, these variables are also available regardless of the scope, and there's no need to import them using the 'global' statement. (Andi & Zeev)
- Added vprintf() and vsprintf() functions that allow passing all arguments after format as an array. (Andrei)
- Added support for GD2 image type for ImageCreateFromString() (Jani)
- Added ImageCreateFromGD(), ImageCreateFromGD2(), ImageCreateFromGD2part(), ImageGD() and ImageGD2() functions (Jani)
- addcslashes now warns when charlist is invalid. The returned string remained the same (Jeroen)
- Added optional extra argument to gmp_init(). The extra argument indicates which number base gmp should use when converting a string to the gmp-number. (Troels)
- Added the Cyrus-IMAP extension, which allows a direct interface to Cyrus' more advanced capabilities.
  (Sterling)
- Enhance read_exif_data() to support multiple comment tags (Rasmus)
- Fixed a crash bug in array_map() when NULL callback was passed in. (Andrei)
- Change from E_ERROR to E_WARNING in the exif extension (Rasmus)
- New pow() implementation, which returns an integer when possible, and warnings on wrong input (jeroen)
- Added optional second parameter to trim, chop and ltrim. You can now specify which characters to trim (jeroen)
- Hugely improved the performance of the thread-safe version of PHP, especially under Windows (Andi & Zeev)
- Improved request-shutdown performance significantly (Andi & Zeev, Zend Engine)
- Added a few new math functions. (Jesus)
- Bump bundled expat to 1.95.2 (Thies)
- Improved the stability of OCIPlogon() after a database restart. (Thies)
- Fixed __FILE__ in the CGI & Java servlet modes when used in the main script. It only worked correctly in included files before this fix (Andi)
- Improved the Zend hash table implementation to be much faster (Andi, Zend Engine)
- Updated PHP's file open function (used by include()) to check in the calling script's directory in case the file can't be found in the include_path (Andi)
- Fixed a corruption bug that could cause constants to become corrupted, and possibly prevent resources from properly being cleaned up at the end of a request (Zeev)
- Added optional use of Boyer-Moore algorithm to str_replace() (Sascha)
- Fixed and improved shared-memory session storage module (Sascha)
- Add config option (always_populate_raw_post_data) which when enabled will always populate $HTTP_RAW_POST_DATA regardless of the post mime type (Rasmus)
- Added support for socket and popen file types to ftp_fput (Jason)
- Fixed various memory leaks in the LDAP extension (Stig Venaas)
- Improved interactive mode - it is now available in all builds of PHP, without any significant slowdown (Zeev, Zend Engine)
- Fixed crash in iptcparse() if the supplied data was bogus.
  (Thies)
- Fixed return value for a failed snmpset() - now returns false (Rasmus)
- Added hostname:port support to snmp functions ([EMAIL PROTECTED], Rasmus)
- Added fdf_set_encoding() function (Masaki YATSU, Rasmus)
- Reversed the destruction-order of resources. This fixes the reported OCI8 "failed to rollback outstanding transactions!" message (Thies, Zend Engine)
- Added option for returning XMLRPC fault packets. (Matt Allen, Sascha Schumann)
- Improved range() function to support range('a','z') and range(9,0) types of ranges. (Rasmus)
- Added getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. (James E. Flemer, Rasmus)
- Made assert() accept the array(&$obj, 'methodname') syntax. (Thies)
- Made sure that OCI8 outbound variables are always zero-terminated. (Thies)
- Fixed a bug that allowed users to spawn processes while using the 5th parameter to mail(). (Derick)
- Added nl_langinfo() (when OS provides it) that returns locale.
- Fixed a major memory corruption bug in the thread safe version. (Zeev)
- Fixed a crash when using the CURLOPT_WRITEHEADER option. (Sterling)
- Added optional suffix removal parameter to basename(). (Hartmut)
- Added new parameter UDM_PARAM_VARDIR ha in Udm_Set_Agent_Param() function to support alternative search data directory. This requires mnogoSearch 3.1.13 or later.
- Fixed references in sessions. This doesn't work when using the WDDX session-serializer. Also improved speed of sessions. (Thies)
- Added new experimental module pcntl (Process Control). (Jason)
- Fixed a bug when com.allow_dcom is set to false. (phanto)
- Added a further parameter to the constructor to load typelibs from file when instantiating components (e.g. DCOM Components without local registration).
  (phanto)
- Added the possibility to specify typelibs by full name in the typelib file (Alan Brown)
- Renamed the ZZiplib extension to the Zip extension; function names have also changed accordingly, functionality has stayed constant. (Sterling)
- Made the length argument (argument 2) to pg_loread() optional; if not specified, data will be read in 1kb chunks. (Sterling)
- Added a third argument to pg_lowrite() which is the length of the data to write. (Sterling)
- Added the CONNECTION_ABORTED, CONNECTION_TIMEOUT and CONNECTION_NORMAL constants. (Zak)
- Assigning to a string offset beyond the end of the string now automatically increases the string length by padding it with spaces, and performs the assignment. (Zeev, Zend Engine)
- Added warnings in case an uninitialized string offset is read. (Zeev, Zend Engine)
- Fixed a couple of overflow bugs in case of very large negative integer numbers. (Zeev, Zend Engine)
- Fixed a crash bug in the string-offsets implementation (Zeev, Zend Engine)
- Improved the implementation of parent::method_name() for classes which use run-time inheritance. (Zeev, Zend Engine)
- Added 'W' flag to date() function to return week number of year using ISO 8601 standard. (Colin)
- Made the PostgreSQL driver do internal row counting when iterating through result sets. ([EMAIL PROTECTED])
- Updated ext/mysql/libmysql to version 3.23.39; Portability fixes, minor bug fixes. ([EMAIL PROTECTED])
- Added get_defined_constants() function to return an associative array of constants mapped to their values. (Sean)
- New mailparse extension for parsing and manipulating MIME mail. (Wez)
- Define HAVE_CONFIG_H when building standalone DSO extensions. (Stig)
- Added the 'u' modifier to printf/sprintf which prints unsigned longs. (Derick)
- Improved IRIX compatibility. (Sascha)
- Fixed crash bug in bzopen() when specifying an invalid file. (Andi)
- Fixed bugs in the mcrypt extension that caused crashes.
  (Derick)
- Added the IMG_ARC_ROUNDED option for the ImageFilledArc() function, which specifies that the drawn curve should be rounded. (Sterling)
- Updated the sockets extension to use resources instead of longs for the socket descriptors. The socket functions have been renamed to conform with the PHP standard instead of their C counterparts. The sockets extension is now usable under Win32. (Daniel)
- Added disk_total_space() to return the total size of a filesystem. (Patch from Steven Bower)
- Renamed diskfreespace() to disk_free_space() to conform to established naming conventions. (Jon)
- Fixed #2181. Now zero is returned instead of an unset value for 7-bit encoding and plain text body type. (Vlad)
- Fixed a bug in call_user_*() functions that would not allow calling functions/methods that accepted parameters by reference. (Andrei)
- Added com_release($obj) and com_addref($obj) functions and the related class members $obj->Release() and $obj->AddRef() to gain more control over the used COM components. (phanto)
- Added an additional parameter to dotnet_load to specify the codepage (phanto)
- Added peak memory logging. Use --enable-memory-limit to create a new Apache 1.x logging directive "{mod_php_memory_usage}n" which will log the peak amount of memory used by the script. (Thies)
- Made fstat() and stat() provide identical output by returning a numerical and string indexed array. (Jason)
- Fixed memory leak upon re-registering constants. (Sascha, Zend Engine)
-----------------------------------

Zeev

-- 
PHP General Mailing List (http://www.php.net/)