Sie sind hier: PHP-Versionen > PHP 7 > PHP 7.1

PHP 7.1.0 wurde am 01.12.2016 herausgebracht. Im folgenden erhalten Sie einen kurzen Überblick welche Änderungen in diesem Patch enthalten waren. Bei Interesse kann auch das ausführliche Änderungsprotokoll eingesehen werden.

Fehlerbehebung
Core
Logging of "Internal Zend error - Missing class information" missing class name
Fixed memory leak(null coalescing operator with Spl hash)
Slow performance when fetching large dataset with mysqli / PDO
Use After Free Vulnerability in unserialize()
Ilegal write/read access caused by gdImageAALine overflow
imagefilltoborder stackoverflow on truecolor images
Exception::__toString() cause circular references
(Float)"Nano" == NAN
Segfault in __clone > Exception.toString > __get
Write out of bounds at number_format
Fix pthreads detection when cross-compiling
try/catch not working with two exceptions inside a same operation
segfault on undefined function
PHP hangs if error handler throws while accessing undef const in default value
parse error: Invalid numeric literal
parse_str() without a second argument leads to crash
Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c
crypt broken when salt is 'too' long
Null pointer deref in zval_delref_p
assign_dim on string doesn't reset hval
Reference is lost after array_slice()
Out of bounds global memory read in BF_crypt triggered by password_verify
Segfault with __get returned by ref
PHP Segfaults when trying to expand an infinite operator
TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null
stream_socket_recvfrom read access violation
Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
PHP Session Data Injection Vulnerability
memory allocator fails to realloc small block to large one
Fixed URL rewriter. It would not rewrite '//example.com/' URL unconditionally. URL rewrite target hosts whitelist is implemented
phpize (on Windows) ignores PHP_PREFIX
getmxrr broken
Caught exception assignment to variables ignores references
Calling an earlier instance of an included anonymous class fatals
previous property undefined in Exception after deserialization
Different references behavior comparing to PHP 5
VERIFY_RETURN type casts visible in finally
Return by reference with finally is not memory safe
Wrong return value if var modified in finally
Memory leak when array altered in destructor
Memory error on $arr[$a] =& $arr[$b] if RHS rehashes
Unable to set --enable-debug on building extensions by phpize on Windows
The destructor is called when an exception is thrown from the constructor
Stack-based buffer overflow vulnerability in virtual_file_ex
HTTP_PROXY is improperly trusted by some PHP libraries and applications
dtrace issue with reflection (failed test)
strange references after recursive function call and "switch" statement
Segmentation fault: RFC list_keys
list() regression
TypeError after Generator function w/declared return type finishes
tempnam() should raise notice if falling back to temp dir
Fixed UTF-8 and long path support on Windows
Assignment via string index access on an empty string converts to array
Exceptions can leak temporary variables
It is possible to stiffen child class members visibility
Generators don't participate in cycle GC
Memleak if return in finally block
Missing separation of properties HT in foreach etc
Aborted Generators continue after nested finally
String offset assignment from an empty string inserts null byte
ASCII 0x7F Delete control character permitted in identifiers
Nested try/finally blocks losing return value
Finally leaks on nested exceptions
php-cgi.exe missing UAC manifest
BCmath
memcpy negative parameter _bc_new_num_ex
Bz2
integer overflow in bzdecompress caused heap corruption
Inadequate error handling in bzread()
Calendar
Fix integer overflows
cal_days_month() fails for final month of the French calendar
AddressSanitizer: global-buffer-overflow in zif_cal_from_jd
CLI Server
Unable to work in root with unicode chars
Built-in webserver does not send Date header
COM
Cannot pass parameter 1 by reference
Invalid free in extension trait
COM called from PHP does not return out parameters
DOTNET/COM array parameters broke in PHP7
variant_date_from_timestamp null dereference
Curl
Heap overflow in curl_escape
size_t overflow lead to heap corruption
curl_setopt segfault with empty CURLOPT_HTTPHEADER
CURLINFO_CERTINFO data parsing error
Date
DateInterval properties and isset
createFromFormat with 'z' format char results in incorrect time
Inconsistent behavior of the u format char
DateTime parser doesn't set microseconds for "now"
microseconds are missing in DateTime class
microseconds in DateInterval are missing
DateTime::createFromFormat() U after u nukes microtime
Allow DateTime modification with subsecond items
General DateTime improvments needed for microseconds to become useful
timelib_meridian doesn't parse dots correctly
DateTime constructor does not initialise microseconds property
Use After Free in PHP7 unserialize()
Memcpy negative size parameter php_resolve_path
DateTime::createFromFormat 'U' with pre 1970 dates fails parsing
strtotime seems to use both sunday and monday as start of week
Dba
Cannot fetch multiple values with group in ini file
DOM
missing NULL check in dom_document_save_html
DOM document dangling reference
EXIF
Samsung picture thumb not read (zero size)
Memory Leakage In exif_process_IFD_in_TIFF
Out of bound read in exif_process_IFD_in_MAKERNOTE
NULL Pointer Dereference in exif_process_user_comment
Filter
Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE
default option ignored when object passed to int filter
FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range
FPM
using --allow-to-run-as-root should ignore missing user
FTP
Cannot upload file using ftp_put to FTPES with require_ssl_reuse
GD
Integer overflow in imageline() with antialiasing
imagescale() is not affected by, but affects imagesetinterpolation()
Integer overflow in gdImageScaleBilinearPalette()
Stack Buffer Overflow in GD dynamicGetbuf
imagettftext broken on transparent background w/o alphablending
Integer Overflow in gdImageWebpCtx of gd_webp.c
imagettfbbox gives incorrect values for bounding box
imagegd2() ignores 3rd param if 4 are given
imagegd2() writes wrong chunk sizes on boundaries
imagegd2(): unrecognized formats may result in corrupted files
imagecreatefromgd2() may leak memory
imagetruecolortopalette: white is duplicated in palette
imagecopy does not support 1bit transparency on truecolor images
imagecopy() loses single-color transparency on palette images
possible resource leaks in _php_image_convert()
imagesetstyle() causes OOB read for empty $styles
select_colors write out-of-bounds
imagegammacorrect allows arbitrary write access
imagetypes function won't advertise WEBP support
imagearc() ignores thickness for full arcs
500 Server Error but page is fully rendered
broken transparency of imagearc for truecolor in blendingmode
gdImageTrueColorToPaletteBody allows arbitrary write/read access
imagegif/output out-of-bounds access
Integer overflow error within _gdContributionsAlloc()
Ilegal write/read access caused by gdImageAALine overflow
imagecropauto out-of-bounds access
imagecreatefromjpeg fails on selfie
Thick styled lines have scrambled patterns
XBM images require width to be multiple of 8
imagefilledpolygon doesn't draw horizontal line
iconv
iconv_substr returns false for empty strings
IMAP
Integer Overflow in "_php_imap_mail" leads to crash
Interbase
Fails to find firebird headers as don't use fb_config output
Intl
add locale length check
add mitigation for ICU int overflow
grapheme_*() is not Unicode compliant on CR LF sequence
add locale length check
Segfault when instantiating class that extends IntlCalendar and adds a property
Locale::lookup() / locale_lookup() hangs if no match found
idn_to_ascii for UTS #46 incorrect for long domain names
locale_accept_from_http out-of-bounds access
IntlDateFormatter formatObject returns wrong utf8 value
IntlDateFormatter formatObject returns wrong value when time style is NONE
JSON
Segfault with throwing JsonSerializable
Mbstring
Null pointer dereference in mb_eregi
mb_convert_variables() cannot detect recursion
mbstring.internal_encoding doesn't inherit default_charset
mb_substr only takes 32-bit signed integer
`mb_ereg` does not clear the `$regs` parameter on failure
mb_ereg_search raises a warning if a match zero-width
mb_ereg_search increments search position when a match zero-width
mb_ereg_search_setpos does not accept a string's last position
`mb_ereg` causes buffer overflow on regexp compile error
mb_ereg should reject ill-formed byte sequence
mb_ereg_replace - mbc_to_code (oniguruma) - oob read access
Use-After-Free in MBString (search_re)
mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used
Mcrypt
Heap Overflow due to integer overflows
In correct casting from size_t to int lead to heap overflow in mdecrypt_generic
Mysqlnd
Add missing mysqlnd.* parameters to php.ini-*
Segfault when EXPLAIN with "Unknown column" error when using MariaDB
mysqli_get_host_info() wrong output
OCI8
Bind reference overwritten on PHP 7
Fixed invalid handle error with Implicit Result Sets
Binding null values triggers ORA-24816 error
ODBC
odbc_errormsg returns trash, always 513 bytes
Opcache
Segfaults when conditionally declared class and function have the same name
check cached files permissions
Memory leak in zend_accel_blacklist_update_regexp() function
Typo in opcache error message
Infinite loop while parsing a file with opcache enabled
Opcache restart with kill_all_lockers does not work
OpenSSL
openssl_pkey_new() generates wrong pub/priv keys with Diffie Hellman
crash in openssl_random_pseudo_bytes function
Invalid path SNI_server_certs causes segfault
ext/openssl build failure with OpenSSL 1.1.0
PCRE
Segmentation fault on pcre_replace_callback
preg_*() may leak memory
A use-after-free in zend allocator management
Bundled PCRE doesn't compile because JIT isn't supported on s390
preg_match missing group names in matches
Memleak in jit_stack
mail fails with invalid argument
PDO
Invalid memory access when using persistent PDO connection
Memory leak in PDO persistent connection handling
call to empty() on NULL result using PDO::FETCH_LAZY returns false
PDO_DBlib
Never quote values as raw binary data
PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched
Ignore potentially misleading dberr values
Implemented stringify 'uniqueidentifier' fields
PDO_Firebird
Memory corruption in bindParam
Integer returned as a 64bit integer on X86_64
PDO_pgsql
PDO statement fails to throw exception
Segmentation fault when binding parameters on a query without placeholders
Phar
Out of bound when verify signature of zip phar in phar_parse_zipfile
Out of bound when verify signature of tar phar in phar_parse_tarfile
Postgres
Incorrect SQL generated for pg_copy_to()
Readline
readline_redisplay crashes php
Reflection
ReflectionType::__toString crashes with iterable
ReflectionClass::export doesn't handle array constants
ReflectionProperty::getValue() doesn't fail if object doesn't match type
Session
session_unset() empties values from all variables in which is $_session stored
session_destroy null dereference in ps_files_path_create
Session does not report invalid uid for files save handler
SID always return "name=ID", even if session cookie exist
ps_files_cleanup_dir Buffer overflow
Use After Free in unserialize() with Unexpected Session Deserialization
Empty session IDs do still start sessions
session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value
session_regenerate_id() must close opened session on errors
SimpleXML
NULL pointer dereference in SimpleXMLElement::asXML()
SimpleXML isset/unset do not respect namespace
Null coalescing operator doesn't behave as expected with SimpleXMLElement
Using global var doesn't work while accessing SimpleXML element
SNMP
php_snmp_parse_oid integer overflow in memory allocation
Use After Free Vulnerability in SNMP with GC and unserialize()
Soap
SoapClient::__setSoapHeaders doesn't overwrite SOAP headers
Segfault
SoapServer reports Bad Request when gzipped
Nested object in "any" element overwrites other fields
Peer verification fails when using a proxy with SoapClient
Soap Server Member variables reference bug
Using references in arrays doesn't work like expected
SPL
Reproducible crash with GDB backtrace
Segfault on clone on splFileObject
Missing type check when unserializing SplArray
SplFileObject::getCsvControl does not return the escape character
AppendIterator segfault with closed generator
GlobIterator throws LogicException
SQLite3
Unsetting result set may reset other result set
2147483647 is fetched as string
Spurious warning when exception is thrown in user defined function
Clearing bindings on an SQLite3 statement doesn't work
Standard
HTTP stream wrapper should ignore HTTP 100 Continue
Scope not inherited by eval in assert()
parse_url return wrong hostname
passing additional_parameters causes mail to fail
passing additional_parameters causes mail to fail
Accessing a private constant using constant() creates an exception AND warning
get_browser() incorrectly parses entries with "+" sign
Negative ftruncate() on php://memory exhausts memory
substr_compare NULL length interpreted as 0
getimagesize returning FALSE on valid jpg
unset array item in array_walk_recursive cause inconsistent array
array_walk_recursive move internal pointer
Exchanging array during array_walk -> memory errors
Use After Free Vulnerability in array_walk()/ array_walk_recursive()
array_walk + array_replace_recursive create references from nothing
CSV fields incorrectly split if escape char followed by UTF chars
readfile() mangles files larger than 2G
Heap overflow through proc_open and $env parameter
long2ip() doesn't accept integers in strict mode
Streams
php_user_filter::$stream is not set to the stream the filter is working on
stream_set_blocking doesn't work
Out-of-bound read in php_stream_filter_create
ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5
Missing SKIP_ONLINE_TESTS checks
Problems with the ftps wrapper
opendir() does not work with ftps:// wrapper
opendir() with ftp:// attempts to open data stream for non-existent directories
ftps:// wrapper is vulnerable to protocol downgrade attack
stream_socket_get_name crashes
Stream socket with remote address leads to a segmentation fault
sysvshm
shm_attach null dereference
Wddx
NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
WDDX Packet Injection Vulnerability in wddx_serialize_value()
wddx_deserialize allows illegal memory access
wddx_deserialize null dereference
wddx_deserialize null dereference with invalid xml
wddx_deserialize null dereference in php_wddx_pop_element
wddx_deserialize use-after-free
Out-Of-Bounds Read in php_wddx_push_element
boolean always deserialized as "true"
XML
malformed XML causes fault
_xml_startElementHandler() segmentation fault
SEGV on unknown address zif_xml_parse
XMLRPC
xmlrpc_encode() unexpected output after referencing array elements
heap-buffer-overflow (write) simplestring_addn simplestring.c
Zip
impossible to compile php with zip support
NULL Pointer dereference in zend_virtual_cwd
Stack-based buffer overflow vulnerability in php_stream_zip_opener
Implementierung FR
Core
Support "nmake test" on building extensions by phpize
FTP
Option to ignore the returned FTP PASV address
JSON
"_empty_" key in objects
OpenSSL
Add elliptic curve support for OpenSSL
Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt
PDO_pgsql
Postgres PDO lastInsertId() should work without specifying a sequence
Postgres
pg_last_notice() is needed to get all notice messages
Allow pg_fetch_all() to index numerically
SQLite3
SQLite should allow opening with empty filename
Upgraded bundled SQLite lib to 3.9.2
Standard
Add an option to pass a custom stream context to get_headers()
Provide a way to fetch the current environment variables
Streams
Multiple small packets send for HTTP request
Implementierung RFC
Core
Iterable
Closure::fromCallable
Replace "Missing argument" warning with "ArgumentCountError" exception
Fix inconsistent behavior of $this variable
RNG Fixes
Implemented email validation as per RFC 6531
Session
Session ID without hashing
Standard
More precise float values
Veraltet
Mbstring
mb_ereg_replace() eval option
Mcrypt
ext/mcrypt
Verbesserung
Core
Added nullable types
Added DFA optimization framework based on e-SSA form
Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW)
Added [] = as alternative construct to list() =
Added void return type
Added support for negative string offsets in string offset syntax and various string functions
Added a form of the list() construct where keys can be specified
Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error
Implemented the RFC `Support Class Constant Visibility`
Implemented the RFC `Catching multiple exception types`
Implemented logging to syslog with dynamic error levels
Added new constant PHP_FD_SETSIZE
Added optind parameter to getopt()
Added PHP to SAPI error severity mapping for logs
Change statement and fcall extension handlers to accept frame
Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings
(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings
Raise a compile-time warning on octal escape sequence overflow
Apache2handler
Enable per-module logging in Apache 2.4+
Curl
Implement support for handling HTTP/2 Server Push
Add curl_multi_errno(), curl_share_errno() and curl_share_strerror() functions
Date
Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error
Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error
Export date_get_interface_ce() for extension use
Dba
Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key is does not contain exactly two elements
DOM
Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error
Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error
DTrace
Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1
Hash
Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit)
Added SHA512/256 and SHA512/224 algorithms
IMAP
An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error
Intl
Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error
Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails
Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID()
JSON
Introduced encoder struct instead of global which fixes bugs related to pretty print indentation
Implemented earlier return when json_encode fails, fixes bugs (Stacking exceptions thrown by JsonSerializable) and (On recursion error, json_encode can eat up all system memory)
Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON
Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour
LDAP
Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error
Mcrypt
mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized
Mysqli
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error
OpenSSL
Bumped a minimal version to 1.0.1
Dropped support for SSL2
Implemented error storing to the global queue and cleaning up the OpenSSL error queue
Pcntl
Implemented asynchronous signal handling without TICKS
Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. Addresses FR
Add signinfo to pcntl_signal() handler args
PCRE
Downgraded to PCRE 8.38
Upgraded to PCRE 8.39
PDO_DBlib
Allow PDO::setAttribute() to set query timeouts
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions
Add common PDO test suite
Free error and message strings when cleaning up PDO instances
phpdbg
Added generator command for inspection of currently alive generators
Reflection
Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead
Reverted prepending for class names
invoke() and invokeArgs() static method calls should match
Add ReflectionNamedType::getName(). This method should be used instead of ReflectionType::__toString()
Prepend for class names and ? for nullable types returned from ReflectionType::__toString()
Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error
Session
Implemented session_gc()
Implemented session_create_id()
Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID
An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created
SimpleXML
Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error
SPL
Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error
Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error
SQLite3
Update to SQLite 3.15.1
Standard
array_multisort now uses zend_sort instead zend_qsort
assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error
Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error
Added is_iterable() function
Additional validation for parse_url() for login/pass components)
unpack() function accepts an additional optional argument $offset
Implemented stream context socket option tcp_nodelay
Tidy
Implemented support for libtidy 5.0.0 and above
Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error
Wddx
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error
XMLRPC
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error
Zip
ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available

Changelog Quelle php.net

Anzeige