PHP 4.1.0 Released!

confguru

ExAdmin
Forum team
You can grab it here...
http://www.php.net/downloads.php

Whoever has installed it, post about bugs and fixes ,)))


PHP 4 ChangeLog
Version 4.1.0
10-Dec-2001

* Worked around a bug in the MySQL client library that could cause PHP to hang when using unbuffered queries. (Zeev)
* Fixed a bug which caused set_time_limit() to affect all subsequent requests to running Apache child process. (Zeev)
* Removed the sablotron extension in favor of the new XSLT extension. (Sterling)
* Fixed a bug in WDDX deserialization that would sometimes corrupt the root element if it was a scalar one. (Andrei)
* Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images. (Rasmus)
* Fixed a bug in preg_match_all() that would return results under improper indices in certain cases. (Andrei)
* Fixed a crash in str_replace() that would happen if search parameter was an array and one of the replacements resulted in subject string being empty. (Andrei)
* Fixed MySQL extension to work with MySQL 4.0. (Jani)
* Fixed a crash bug within Cobalt systems. Patch by [email protected]. (Jani)
* Bundled Dan Libby's xmlrpc-epi extension.
* Introduced extension version numbers. (Stig)
* Added version_compare() function. (Stig)
* Fixed pg_last_notice() (could cause random crashes in PostgreSQL applications, even if they didn't use pg_last_notice()). (Zeev)
* Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of E_ERROR errors; this allows you to trap errors thrown by DOMXML functions. (Sterling)
* Fixed a bug in the mcrypt extension, where list destructors were not properly being allocated. (Sterling)
* Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
* Fixed a crash bug in array_map() if the input arrays had string or non-sequential keys. Also modified it so that if a single array is passed, its keys are preserved in the resulting array. (Andrei)
* Fixed a crash in dbase_replace_record. (Patch by [email protected])
* Fixed a crash in msql_result(). (Zeev)
* Added support for single dimensional SafeArrays and Enumerations. Added an is_enum() function to check if a component implements an enumeration. (Alan, Harald)
* Fixed a bug in dbase_get_record() and dbase_get_record_with_names(). Boolean fields are now returned correctly. Patch by Lawrence E. Widman (Jani)
* Added --version option to php-config. (Stig)
* Improved support for thttpd-2.21b by incorporating patches for all known bugs. (Sascha)
* Added ircg_get_username, a roomkey argument to ircg_join, error fetching infrastructure, a tokenizer to speed up message processing, and fixed a lot of bugs in the IRCG extension. (Sascha)
* Improved speed of the serializer/deserializer. (Thies, Sascha)
* Floating point numbers are better detected when converting from strings. (Zeev, Zend Engine)
* Replaced php.ini-optimized with php.ini-recommended. As the name implies, it's warmly recommended to use this file as the basis for your PHP configuration, rather than php.ini-dist. (Zeev)
* Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There are still some known leaks. (Joey)
* Added import_request_variables(), to allow users to safely import form variables to the global scope (Zeev)
* Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE variables. Like the other new variables, this variable is also available regardless of the context. (Andi & Zeev)
* Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which deprecate the old $HTTP_*_VARS arrays. In addition to being much shorter to type, these variables are also available regardless of the scope, and there's no need to import them using the 'global' statement. (Andi & Zeev)
* Added vprintf() and vsprintf() functions that allow passing all arguments after format as an array. (Andrei)
* Added support for GD2 image type for ImageCreateFromString() (Jani)
* Added ImageCreateFromGD(), ImageCreateFromGD2(), ImageCreateFromGD2part(), ImageGD() and ImageGD2() functions (Jani)
* addcslashes now warns when charlist is invalid. The returned string remained the same (Jeroen)
* Added optional extra argument to gmp_init(). The extra argument indicates which number base gmp should use when converting a string to the gmp-number. (Troels)
* Added the Cyrus-IMAP extension, which allows a direct interface to Cyrus' more advanced capabilities. (Sterling)
* Enhance read_exif_data() to support multiple comment tags (Rasmus)
* Fixed a crash bug in array_map() when NULL callback was passed in. (Andrei)
* Change from E_ERROR to E_WARNING in the exif extension (Rasmus)
* New pow() implementation, which returns an integer when possible, and warnings on wrong input (jeroen)
* Added optional second parameter to trim, chop and ltrim. You can now specify which characters to trim (jeroen)
* Hugely improved the performance of the thread-safe version of PHP, especially under Windows (Andi & Zeev)
* Improved request-shutdown performance significantly (Andi & Zeev, Zend Engine)
* Added a few new math functions. (Jesus)
* Bump bundled expat to 1.95.2 (Thies)
* Improved the stability of OCIPlogon() after a database restart. (Thies)
* Fixed __FILE__ in the CGI & Java servlet modes when used in the main script. It only worked correctly in included files before this fix (Andi)
* Improved the Zend hash table implementation to be much faster (Andi, Zend Engine)
* Updated PHP's file open function (used by include()) to check in the calling script's directory in case the file can't be found in the include_path (Andi)
* Fixed a corruption bug that could cause constants to become corrupted, and possibly prevent resources from properly being cleaned up at the end of a request (Zeev)
* Added optional use of Boyer-Moore algorithm to str_replace() (Sascha)
* Fixed and improved shared-memory session storage module (Sascha)
* Add config option (always_populate_raw_post_data) which when enabled will always populate $HTTP_RAW_POST_DATA regardless of the post mime type (Rasmus)
* Added support for socket and popen file types to ftp_fput (Jason)
* Fixed various memory leaks in the LDAP extension (Stig Venaas)
* Improved interactive mode - it is now available in all builds of PHP, without any significant slowdown (Zeev, Zend Engine)
* Fixed crash in iptcparse() if the supplied data was bogus. (Thies)
* Fixed return value for a failed snmpset() - now returns false (Rasmus)
* Added hostname:port support to snmp functions ([email protected], Rasmus)
* Added fdf_set_encoding() function (Masaki YATSU, Rasmus)
* Reversed the destruction-order of resources. This fixes the reported OCI8 "failed to rollback outstanding transactions!" message (Thies, Zend Engine)
* Added option for returning XMLRPC fault packets. (Matt Allen, Sascha Schumann)
* Improved range() function to support range('a','z') and range(9,0) types of ranges. (Rasmus)
* Added getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. (James E. Flemer, Rasmus)
* Made assert() accept the array(&$obj, 'methodname') syntax. (Thies)
* Made sure that OCI8 outbound variables are always zero-terminated. (Thies)
* Fixed a bug that allowed users to spawn processes while using the 5th parameter to mail(). (Derick)
* Added nl_langinfo() (when OS provides it) that returns locale.
* Fixed a major memory corruption bug in the thread safe version. (Zeev)
* Fixed a crash when using the CURLOPT_WRITEHEADER option. (Sterling)
* Added optional suffix removal parameter to basename(). (Hartmut)
* Added new parameter UDM_PARAM_VARDIR in Udm_Set_Agent_Param() function to support alternative search data directory. This requires mnogoSearch 3.1.13 or later.
* Fixed references in sessions. This doesn't work when using the WDDX session-serializer. Also improved speed of sessions. (Thies)
* Added new experimental module pcntl (Process Control). (Jason)
* Fixed a bug when com.allow_dcom is set to false. (phanto)
* Added a further parameter to the constructor to load typelibs from file when instantiating components (e.g. DCOM Components without local registration). (phanto)
* Added the possibility to specify typelibs by full name in the typelib file (Alan Brown)
* Renamed the ZZiplib extension to the Zip extension; function names have also changed accordingly, while functionality has stayed the same. (Sterling)
* Made the length argument (argument 2) to pg_loread() optional, if not specified data will be read in 1kb chunks. (Sterling)
* Added a third argument to pg_lowrite() which is the length of the data to write. (Sterling)
* Added the CONNECTION_ABORTED, CONNECTION_TIMEOUT and CONNECTION_NORMAL constants. (Zak)
* Assigning to a string offset beyond the end of the string now automatically increases the string length by padding it with spaces, and performs the assignment. (Zeev, Zend Engine)
* Added warnings in case an uninitialized string offset is read. (Zeev, Zend Engine)
* Fixed a couple of overflow bugs in case of very large negative integer numbers. (Zeev, Zend Engine)
* Fixed a crash bug in the string-offsets implementation (Zeev, Zend Engine)
* Improved the implementation of parent::method_name() for classes which use run-time inheritance. (Zeev, Zend Engine)
* Added 'W' flag to date() function to return week number of year using ISO 8601 standard. (Colin)
* Made the PostgreSQL driver do internal row counting when iterating through result sets. ([email protected])
* Updated ext/mysql/libmysql to version 3.23.39; Portability fixes, minor bug fixes. ([email protected])
* Added get_defined_constants() function to return an associative array of constants mapped to their values. (Sean)
* New mailparse extension for parsing and manipulating MIME mail. (Wez)
* Define HAVE_CONFIG_H when building standalone DSO extensions. (Stig)
* Added the 'u' modifier to printf/sprintf which prints unsigned longs. (Derick)
* Improved IRIX compatibility. (Sascha)
* Fixed crash bug in bzopen() when specifying an invalid file. (Andi)
* Fixed bugs in the mcrypt extension that caused crashes. (Derick)
* Added the IMG_ARC_ROUNDED option for the ImageFilledArc() function, which specifies that the drawn curve should be rounded. (Sterling)
* Updated the sockets extension to use resources instead of longs for the socket descriptors. The socket functions have been renamed to conform with the PHP standard instead of their C counterparts. The sockets extension is now usable under Win32. (Daniel)
* Added disk_total_space() to return the total size of a filesystem. (Patch from Steven Bower)
* Renamed diskfreespace() to disk_free_space() to conform to established naming conventions. (Jon)
* Fixed #2181. Now zero is returned instead of an unset value for 7-bit encoding and plain text body type. (Vlad)
* Fixed a bug in call_user_*() functions that would not allow calling functions/methods that accepted parameters by reference. (Andrei)
* Added com_release($obj) and com_addref($obj) functions and the related class members $obj->Release() and $obj->AddRef() to gain more control over the used COM components. (phanto)
* Added an additional parameter to dotnet_load to specify the codepage (phanto)
* Added peak memory logging. Use --enable-memory-limit to create a new Apache 1.x logging directive "{mod_php_memory_usage}n" which will log the peak amount of memory used by the script. (Thies)
* Made fstat() and stat() provide identical output by returning a numerical and string indexed array. (Jason)
* Fixed memory leak upon re-registering constants. (Sascha, Zend Engine)
 

tony2001

TeaM PHPClub
PHP 4.1.0 SECURITY: NEW INPUT MECHANISM

In my opinion, THIS is exactly what is really important.

SECURITY: NEW INPUT MECHANISM

First and foremost, it's important to stress that regardless of
anything you may read in the following lines, PHP 4.1.0 *supports*
the old input mechanisms from older versions. Old applications
should go on working fine without modification!

Now that we have that behind us, let's move on :)

For various reasons, PHP setups which rely on register_globals
being on (i.e., on form, server and environment variables becoming
a part of the global namespace, automatically) are very often
exploitable to various degrees. For example, the piece of code:

PHP:
<?php
if (authenticate_user()) {
  $authenticated = true;
}
...
?>
May be exploitable, as remote users can simply pass on 'authenticated'
as a form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.

While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate register_globals.
Obviously, because the vast majority of the PHP code in the world relies
on the existence of this feature, we have no plans to actually remove it
from PHP anytime in the foreseeable future, but we've decided to encourage
people to shut it off whenever possible.

To help users build PHP applications with register_globals being off,
we've added several new special variables that can be used instead of the
old global variables. There are 7 new special arrays:

$_GET - contains form variables sent through GET
$_POST - contains form variables sent through POST
$_COOKIE - contains HTTP cookie variables
$_SERVER - contains server variables (e.g., REMOTE_ADDR)
$_ENV - contains the environment variables
$_REQUEST - a merge of the GET variables, POST variables and Cookie variables.
In other words - all the information that is coming from the user,
and that from a security point of view, cannot be trusted.
$_SESSION - contains HTTP variables registered by the session module

Now, other than the fact that these variables contain this special information,
they're also special in another way - they're automatically global in any
scope. This means that you can access them anywhere, without having to
'global' them first. For example:

function example1()
{
    print $_GET["name"]; // works, 'global $_GET;' is not necessary!
}

would work fine! We hope that this fact would ease the pain in migrating
old code to new code a bit, and we're confident it's going to make writing
new code easier. Another neat trick is that creating new entries in the
$_SESSION array will automatically register them as session variables, as
if you called session_register(). This trick is limited to the session
module only - for example, setting new entries in $_ENV will *not* perform
an implicit putenv().

PHP 4.1.0 still defaults to have register_globals set to on. It's a
transitional version, and we encourage application authors, especially
public ones which are used by a wide audience, to change their applications
to work in an environment where register_globals is set to off. Of course,
they should take advantage of the new features supplied in PHP 4.1.0 that
make this transition much easier.

As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a brand new
machine (typically, if you're a brand new user), will this affect you, and
then too - you can turn it on if you choose to.

Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names
still work, but we encourage users to switch to the new shorter, and
auto-global versions.

Thanks go to Shaun Clowes ([email protected]) for pointing out this
problem and for analyzing it.
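The 'authenticated' fragment from the announcement, worked through as an added example (not code from the announcement or from PHP itself): extract() stands in for what register_globals=on does to the global scope before the script starts, the vulnerable pattern is shown beside a version that initialises its state first, and a third function reads input through the new $_GET array without 'global'. authenticate_user() is a stub assumed to fail, and the request data is constructed inline.

```php
<?php
// Constructed request; stands in for a client sending
// ?authenticated=1&name=alice so the script runs offline.
$_GET = array('authenticated' => '1', 'name' => 'alice');

// Simulates register_globals=on: the engine would create $authenticated
// and $name in the global scope before the first line of the script runs.
extract($_GET);

// Hypothetical login check; assumed to fail for this demonstration.
function authenticate_user()
{
    return false;
}

// Vulnerable pattern from the announcement: the flag is only ever
// assigned on success, so whatever the request put into the global
// scope is read back as if it were the result of the check.
function vulnerable_check()
{
    global $authenticated;
    if (authenticate_user()) {
        $authenticated = true;
    }
    return !empty($authenticated);   // true here: granted by the request
}

// Hardened form: initialise the flag before it is consulted, so a
// value injected via register_globals can never stand in for it.
function hardened_check()
{
    $authenticated = false;
    if (authenticate_user()) {
        $authenticated = true;
    }
    return $authenticated;           // false here, whatever the request sent
}

// The new arrays are visible in every scope without 'global', and
// reading through them makes the untrusted origin of the data explicit.
function greeting()
{
    $name = isset($_GET['name']) ? $_GET['name'] : 'guest';
    return 'Hello, ' . htmlspecialchars($name);
}

echo vulnerable_check() ? "vulnerable_check: access granted\n"
                        : "vulnerable_check: access denied\n";
echo hardened_check()   ? "hardened_check: access granted\n"
                        : "hardened_check: access denied\n";
echo greeting(), "\n";
?>
```

The same initialise-before-use habit protects code that still runs with register_globals on, which is why the announcement says old applications need no change to keep working but should stop relying on unset globals.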
 

confguru

ExAdmin
Forum team
How about translating it for the people, or is that too hard ,)))
PHP 4.1.0 SECURITY: NEW INPUT MECHANISM
 

tony2001

TeaM PHPClub
No, it's not too hard, I just have no time right now. NONE AT ALL =(

OK, the gist in three words:
now GET, POST, cookie, session etc. variables are held in arrays (respectively):
$_GET
$_POST
$_COOKIE
$_SESSION
and so on (full list in the original text).

And!
THESE ARRAYS ARE ALWAYS GLOBAL; there is no need to declare them global in every function.

As for $HTTP_..._VARS, as far as I understand, they are kept, and the fact that they are NOT global is kept as well.
Code written earlier will, of course, keep working, but writing new code becomes considerably simpler.

Those are the features...
 

Konstantin

Guest
PHP 4.1.0 SECURITY: NEW INPUT MECHANISM
And what's so cool about that? So they introduced new arrays with short names that don't need to be registered as global in functions, and that's it. And how much extra memory will they eat up?
 

tony2001

TeaM PHPClub
2 Konstantin Kosinsky:
Have you never run into glitches when you access $HTTP_... inside a function but forgot to declare it global?
Didn't you get tired of declaring it everywhere?
If not, you don't need this.
But those obviously redundant lines in every function get in my way.
 

si

Administrator
The point is that for a new installation the default is register_global=off.
And those $_* are for convenience. I don't think they use any memory, since most likely they're implemented as aliases (that's only an assumption, based on the fact that the people writing all this aren't idiots).
 

Konstantin

Guest
2 tony2001
Of course I have, but is a small convenience for the programmer worth the extra resources? But if they really did implement them as aliases, then such changes are very good.
 

tony2001

TeaM PHPClub
No need to worry, Konstantin, I don't think there are fools sitting there.
If it bothers you that much, ask them directly.
 

tony2001

TeaM PHPClub
Has everyone read the joke about the rake?
Five people have already sent it to me, I could post it here too....
 

OlEG

Guest
Installed it. Only there's no Zend Optimizer for it yet. :-( Apache complains. We'll wait.
 

Тимофей

Guest
They also wrote something about heavy optimization for running under Windows (with help from Microsoft programmers). I wonder, has anyone here checked that?
 

Konstantin

Guest
Mine wouldn't build with the new XSLT support; it complains that something is missing but doesn't say what, and I couldn't really figure out configure.
 

Konstantin

Guest
And how do you make this pest work under Windows? Mine yells:
Syntax error on line 138 of C:/Program Files/Apache Group/Apache2/conf/httpd.conf:
Cannot load C:/Program Files/Apache Group/php-4.1.0/sapi/php4apache.dll into server: Не найден указанный модуль.
Where line 138 is: LoadModule php4_module "C:/Program Files/Apache Group/php-4.1.0/sapi/php4apache.dll"
 

WOLLE

Guest
About WIN! It really has become a lot faster... By 50 percent, for sure..
 