Comparing changes

base repository: php/php-src
base: master
...
head repository: php/php-src
compare: PHP-8.4.10
  • 6 commits
  • 14 files changed
  • 5 contributors

Commits on Jul 2, 2025

  1. Fix GHSA-3cr5-j632-f35r: Null byte in hostnames

    This fixes stream_socket_client() and fsockopen().
    
    Specifically it adds a check to parse_ip_address_ex and it also makes
    sure that the \0 is not ignored in fsockopen() hostname formatting.
    bukka authored and SakiTakamachi committed Jul 2, 2025
    Commit 9234b0d
  2. Fix GHSA-hrwm-9436-5mv3: pgsql escaping no error checks

    This adds error checks for escape function in pgsql and pdo_pgsql
    extensions. It prevents possibility of storing not properly escaped
    data which could potentially lead to some security issues.
    bukka authored and SakiTakamachi committed Jul 2, 2025
    Commit 2e37a4d
  3. Fix GHSA-453j-q27h-5p8x

    Libxml versions prior to 2.13 cannot correctly handle a call to
    xmlNodeSetName() with a name longer than 2G. It will leave the node
    object in an invalid state with a NULL name. This later causes a NULL
    pointer dereference when using the name during message serialization.
    
    To solve this, implement a workaround that resets the name to the
    sentinel name if this situation arises.
    
    Versions of libxml of 2.13 and higher are not affected.
    
    This can be exploited if a SoapVar is created with a fully qualified
    name that is longer than 2G. This would be possible if some application
    code uses a namespace prefix from an untrusted source like from a remote
    SOAP service.
    
    Co-authored-by: Niels Dossche <[email protected]>
    2 people authored and SakiTakamachi committed Jul 2, 2025
    Commit 158aa14
  4. ext/dom: Fix new MSVC compiler warning

    Closes GH-18889
    Girgias authored and SakiTakamachi committed Jul 2, 2025
    Commit 758e1e3
  5. Commit 80637d1
  6. Commit f600f86