Merge branch 'master' into improve-explode-error-message

Author: diegoasales

.github/actions/setup-windows/action.yml

@@ -16,5 +16,6 @@ runs:
     - name: Setup PostgreSQL
       shell: pwsh
       run: |
-        Set-Service -Name "postgresql-x64-14" -StartupType manual -Status Running
+        $postgresService = if ($env:PHP_BUILD_CRT -eq "vs18") { "postgresql-x64-17" } else { "postgresql-x64-14" }
+        Set-Service -Name $postgresService -StartupType manual -Status Running
         pwsh -Command { $env:PGPASSWORD="root"; & "$env:PGBIN\psql" -U postgres -c "ALTER USER postgres WITH PASSWORD 'Password12!';" }

.github/matrix.php

@@ -61,7 +61,6 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
     $test_macos = in_array('CI: macOS', $labels, true);
     $test_msan = in_array('CI: MSAN', $labels, true);
     $test_opcache_variation = in_array('CI: Opcache Variation', $labels, true);
-    $test_pecl = in_array('CI: PECL', $labels, true);
     $test_solaris = in_array('CI: Solaris', $labels, true);
     $test_windows = in_array('CI: Windows', $labels, true);
 
@@ -137,9 +136,6 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
     if ($all_jobs || $test_opcache_variation) {
         $jobs['OPCACHE_VARIATION'] = true;
     }
-    if (($all_jobs && $ref === 'master') || $test_pecl) {
-        $jobs['PECL'] = true;
-    }
     if (version_compare($php_version, '8.6', '>=') && ($all_jobs || $test_solaris)) {
         $jobs['SOLARIS'] = true;
     }
@@ -153,9 +149,11 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
             }
         }
         $jobs['WINDOWS']['matrix'] = ['include' => $matrix];
-        $jobs['WINDOWS']['config'] = version_compare($php_version, '8.4', '>=')
-            ? ['vs_crt_version' => 'vs17']
-            : ['vs_crt_version' => 'vs16'];
+        $jobs['WINDOWS']['config'] = match (true) {
+            version_compare($php_version, '8.6', '>=') => ['vs_crt_version' => 'vs18', 'runs_on' => 'windows-2025-vs2026'],
+            version_compare($php_version, '8.4', '>=') => ['vs_crt_version' => 'vs17', 'runs_on' => 'windows-2022'],
+            default => ['vs_crt_version' => 'vs16', 'runs_on' => 'windows-2022'],
+        };
     }
     if ($all_jobs || !$no_jobs || $test_freebsd) {
         $jobs['FREEBSD']['matrix'] = $all_variations && version_compare($php_version, '8.3', '>=')

.github/scripts/download-bundled/uriparser.sh

@@ -5,7 +5,7 @@ cd "$(dirname "$0")/../../.."
 tmp_dir=/tmp/php-src-download-bundled/uriparser
 rm -rf "$tmp_dir"
 
-revision=refs/tags/uriparser-1.0.1
+revision=refs/tags/uriparser-1.0.2
 
 git clone --depth 1 --revision="$revision" https://github.com/uriparser/uriparser.git "$tmp_dir"
 

.github/scripts/windows/find-vs-toolset.bat

@@ -3,14 +3,15 @@
 setlocal enabledelayedexpansion
 
 if "%~1"=="" (
-  echo ERROR: Usage: %~nx0 [vc14^|vc15^|vs16^|vs17]
+  echo ERROR: Usage: %~nx0 [vc14^|vc15^|vs16^|vs17^|vs18]
   exit /b 1
 )
 
 set "toolsets_vc14=14.0"
 set "toolsets_vc15="
 set "toolsets_vs16="
 set "toolsets_vs17="
+set "toolsets_vs18="
 
 
 for /f "usebackq tokens=*" %%I in (`vswhere.exe -latest -find "VC\Tools\MSVC"`) do set "MSVCDIR=%%I"
@@ -30,8 +31,10 @@ for /f "delims=" %%D in ('dir /b /ad "%MSVCDIR%"') do (
         set "toolsets_vc15=%%D"
       ) else if !min! LEQ 29 (
         set "toolsets_vs16=%%D"
-      ) else (
+      ) else if !min! LEQ 49 (
         set "toolsets_vs17=%%D"
+      ) else (
+        set "toolsets_vs18=%%D"
       )
     )
   )

.github/workflows/test-suite.yml

@@ -827,126 +827,18 @@ jobs:
         uses: ./.github/actions/test-libmysqlclient
       - name: Verify generated files are up to date
         uses: ./.github/actions/verify-generated-files
-  PECL:
-    if: ${{ fromJson(inputs.branch).jobs.PECL }}
-    runs-on: ubuntu-24.04
-    steps:
-      - name: git checkout PHP
-        uses: actions/checkout@v6
-        with:
-          path: php
-          ref: ${{ fromJson(inputs.branch).ref }}
-      # Used for ccache action
-      - name: Move .github
-        run: mv php/.github .
-      - name: git checkout apcu
-        uses: actions/checkout@v6
-        with:
-          repository: krakjoe/apcu
-          path: apcu
-      - name: git checkout imagick
-        uses: actions/checkout@v6
-        with:
-          repository: Imagick/imagick
-          path: imagick
-      - name: git checkout memcached
-        uses: actions/checkout@v6
-        with:
-          repository: php-memcached-dev/php-memcached
-          path: memcached
-      - name: git checkout redis
-        if: ${{ false }}
-        uses: actions/checkout@v6
-        with:
-          repository: phpredis/phpredis
-          path: redis
-      - name: git checkout xdebug
-        uses: actions/checkout@v6
-        with:
-          repository: xdebug/xdebug
-          path: xdebug
-      - name: git checkout yaml
-        uses: actions/checkout@v6
-        with:
-          repository: php/pecl-file_formats-yaml
-          path: yaml
-      - name: apt
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-            ccache \
-            libmemcached-dev \
-            imagemagick \
-            libmagickwand-dev \
-            bison \
-            re2c
-      - name: ccache
-        uses: ./.github/actions/ccache
-        with:
-          name: "${{ github.job }}"
-          php_directory: php
-      - name: build PHP
-        run: |
-          cd php
-          ./buildconf --force
-          ./configure \
-            --enable-option-checking=fatal \
-            --prefix=/opt/php \
-            --enable-cli \
-            --disable-all \
-            --enable-session \
-            --enable-werror
-          make -j$(/usr/bin/nproc)
-          sudo make install
-      - name: build apcu
-        run: |
-          cd apcu
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build imagick
-        run: |
-          cd imagick
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build memcached
-        run: |
-          cd memcached
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build redis
-        if: ${{ false }}
-        run: |
-          cd redis
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build xdebug
-        run: |
-          cd xdebug
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build yaml
-        run: |
-          cd yaml
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
   WINDOWS:
     if: ${{ fromJson(inputs.branch).jobs.WINDOWS }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(inputs.branch).jobs.WINDOWS.matrix }}
     name: "WINDOWS_${{ matrix.x64 && 'X64' || 'X86' }}_${{ matrix.zts && 'ZTS' || 'NTS' }}${{ matrix.asan && '_ASAN' || ''}}${{ matrix.clang && '_CLANG' || ''}}"
-    runs-on: windows-2022
+    runs-on: ${{ fromJson(inputs.branch).jobs.WINDOWS.config.runs_on }}
     env:
       PHP_BUILD_CACHE_BASE_DIR: C:\build-cache
       PHP_BUILD_OBJ_DIR: C:\obj
       PHP_BUILD_CACHE_SDK_DIR: C:\build-cache\sdk
-      PHP_BUILD_SDK_BRANCH: php-sdk-2.5.0
+      PHP_BUILD_SDK_BRANCH: php-sdk-2.7.1
       PHP_BUILD_CRT: ${{ fromJson(inputs.branch).jobs.WINDOWS.config.vs_crt_version }}
       PLATFORM: ${{ matrix.x64 && 'x64' || 'x86' }}
       THREAD_SAFE: "${{ matrix.zts && '1' || '0' }}"

CONTRIBUTING.md

@@ -91,7 +91,7 @@ repository. Mailing list subscription is explained on the
 [mailing lists page](https://www.php.net/mailing-lists.php).
 
 You may also want to read
-[The Mysterious PHP RFC Process](https://blogs.oracle.com/opal/post/the-mysterious-php-rfc-process-and-how-you-can-change-the-web)
+[The Mysterious PHP RFC Process](https://web.archive.org/web/20210621140006/https://blogs.oracle.com/opal/the-mysterious-php-rfc-process-and-how-you-can-change-the-web)
 for additional notes on the best way to approach submitting an RFC.
 
 ## Technical resources

NEWS

@@ -18,6 +18,9 @@ PHP                                                                        NEWS
     initialization). (Arnaud)
   . Enabled the TAILCALL VM on Windows when compiling with Clang >= 19 x86_64.
     (henderkes)
+  . Deprecate specifying a nullable return type for __debugInfo(). (timwolla)
+  . Fixed bug GH-22142 (Assertion failure in zendi_try_get_long() on IS_UNDEF).
+    (David Carlier)
 
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)
@@ -51,6 +54,8 @@ PHP                                                                        NEWS
   . gmp_fact() reject values larger than unsigned long. (David Carlier)
   . gmp_pow/binomial/root/rootrem and shift/pow operators reject values
     larger than unsigned long. (David Carlier)
+  . GMP exponentiation and shift operators now emit a deprecation warning
+    when converting a float right operand to int loses precision. (Weilin Du)
 
 - Hash:
   . Upgrade xxHash to 0.8.2. (timwolla)
@@ -62,6 +67,12 @@ PHP                                                                        NEWS
   . Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message
     suggests missing constants). (DanielEScherzer)
   . Added grapheme_strrev (Yuya Hamada)
+  . Passing a non-stringable object as a time zone to Intl time zone
+    argument handling now raises TypeError instead of Error. (Weilin Du)
+  . IntlBreakIterator::getLocale() now raises ValueError for invalid locale
+    types. (Weilin Du)
+  . Fixed MessageFormatter::parse() and parseMessage() returning PHP_INT_MIN
+    as float rather than int on 64-bit platforms. (Weilin Du)
 
 - JSON:
   . Enriched JSON last error / exception message with error location.
@@ -98,6 +109,8 @@ PHP                                                                        NEWS
     openssl_x509_parse() output). (StephenWall)
   . Added TLS session resumption support for streams with new context options
     and Openssl\Session class. (Jakub Zelenka)
+  . Added TLS external PSK support for streams with new context options and
+    Openssl\Psk class. (Jakub Zelenka)
 
 - PCNTL:
   . pcntl_exec() now throws a ValueError if the $args array is not a list
@@ -122,6 +135,10 @@ PHP                                                                        NEWS
   . Support reference values in Phar::mungServer(). (ndossche)
   . Invalid values now throw in Phar::mungServer() instead of being silently
     ignored. (ndossche)
+  . Fixed a bypass of the magic ".phar" directory protection in
+    Phar::addEmptyDir() for paths starting with "/.phar". (Weilin Du)
+  . Phar::addEmptyDir() now allows non-magic directory names that merely
+    share the ".phar" prefix. (Weilin Du)
   . Support overridden methods in SplFileInfo for getMTime() and getPathname()
     when building a phar. (ndossche)
   . Mark Phar::buildFromIterator() base directory argument as a path.
@@ -143,6 +160,16 @@ PHP                                                                        NEWS
 - Session:
   . Fixed bug 71162 (updateTimestamp never called when session data is empty).
     (Girgias)
+  . Null bytes in session.cookie_path, session.cookie_domain, and
+    session.cache_limiter are now rejected with a warning. (jorgsowa)
+  . session.cookie_samesite now rejects invalid values with a warning; only
+    "Strict", "Lax", "None", or "" are accepted. (jorgsowa)
+  . session.cookie_lifetime now rejects non-integer and out-of-range values
+    with a warning. (jorgsowa)
+  . Session file GC now recursively cleans nested subdirectories when
+    session.save_path uses the dirdepth prefix. (jorgsowa)
+  . Changed defaults of session.use_strict_mode (now 1), session.cookie_httponly
+    (now 1) and session.cookie_samesite (now "Lax"). (jorgsowa)
 
 - Soap:
   . Soap::__setCookie() when cookie name is a digit is now not stored and
@@ -168,6 +195,8 @@ PHP                                                                        NEWS
     with re-entrant getHash()). (Pratik Bhujel)
   . Fix bugs GH-8561, GH-8562, GH-8563, and GH-8564 (Fixing various
     SplFileObject iterator desync bugs). (iliaal)
+  . Fix bug GH-22062 (SplDoublyLinkedList iterator UAF
+    via destructor releasing next node). (David Carlier)
 
 - Sqlite3:
   . Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche)
@@ -201,6 +230,8 @@ PHP                                                                        NEWS
     null bytes. (Weilin Du)
   . proc_open() now raises a ValueError when the $cwd argument contains
     null bytes. (Weilin Du)
+  . ini_get_all() now includes the built-in default value in the details.
+    (sebastian)
 
 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
@@ -216,6 +247,12 @@ PHP                                                                        NEWS
   . Fixed bug #49874 (ftell() and fseek() inconsistency when using stream
     filters). (Jakub Zelenka)
 
+- URI:
+  . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().
+    (kocsismate)
+  . Added Uri\Rfc3986\Uri:getHostType() and Uri\WhatWg\Url:getHostType().
+    (kocsismate)
+
 - Zip:
   . Fixed ZipArchive callback being called after executor has shut down.
     (ilutov)

SECURITY.md

@@ -11,6 +11,29 @@ Vulnerability reports remain private until published. When published, you will
 be credited as a contributor, and your contribution will reflect the MITRE
 Credit System.
 
+# Classification
+
+Issues commonly reported that are _not_ considered security issues include (but
+are not limited to):
+
+- Invocation of specially crafted, malicious code intended to cause memory
+  violations. This commonly includes malicious error handlers, destructors or
+  `__toString()` functions. PHP does not offer sandboxing, and the execution of
+  untrusted code is always considered unsafe. Such issues are bugs, but not
+  security issues. They may still be reported, though please avoid reporting
+  the known issues.
+
+- Passing malicious arguments to functions clearly not intended to receive
+  unsanitized values, e.g. `mysqli_query()`. `escapeshellarg()` on the other
+  hand should clearly be hardened against unsafe inputs.
+
+- The use of legacy APIs or settings known to be insecure, particularly those
+  documented as such, or those with a secure alternative.
+
+- The use of FFI.
+
+- `open_basedir` or `disable_functions` bypasses.
+
 # Vulnerability Policy
 
 Our full policy is described at