Merge branch 'master' into typed-constant-in-intl-extension

Author: jorgsowa

NEWS

@@ -25,6 +25,7 @@ Standard:
   . Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
     (timwolla)
   . Fix GH-12252 (round(): Validate the rounding mode). (timwolla)
+  . Increase the default BCrypt cost to 12. (timwolla)
 
 XSL:
   . Implement request #64137 (XSLTProcessor::setParameter() should allow both

UPGRADING

@@ -43,6 +43,8 @@ PHP 8.4 UPGRADE NOTES
   . XSLTProcessor::setParameter() will now throw a ValueError when its arguments
     contain null bytes. This never actually worked correctly in the first place,
     which is why it throws an exception nowadays.
+  . The typed properties XSLTProcessor::$cloneDocument and
+    XSLTProcessor::$doXInclude are now declared.
 
 ========================================
 2. New Features
@@ -80,6 +82,10 @@ PHP 8.4 UPGRADE NOTES
     would have resulted in 1.0 instead of the correct result 0.0. Additional
     inputs might also be affected and result in different outputs compared to
     earlier PHP versions.
+  . The default value of the 'cost' option for PASSWORD_BCRYPT for password_hash()
+    has been increased from '10' to '12'.
+
+    RFC: https://wiki.php.net/rfc/bcrypt_cost_2023
 
 ========================================
 6. New Functions
@@ -103,6 +109,9 @@ PHP 8.4 UPGRADE NOTES
 - Intl:
   . The class constants are typed now.
 
+- Spl:
+  . The class constants are typed now.
+
 ========================================
 10. New Global Constants
 ========================================

UPGRADING.INTERNALS

@@ -36,6 +36,11 @@ PHP 8.4 INTERNALS UPGRADE NOTES
      instead of int.
    - The macros DOM_NO_ARGS() and DOM_NOT_IMPLEMENTED() have been removed.
 
+ b. ext/random
+   - The macro RAND_RANGE_BADSCALING() has been removed. The implementation
+     should either be inlined and undefined behavior fixed or it should be
+     replaced by a non-biased scaler.
+
 ========================
 4. OpCode changes
 ========================

docs/release-process.md

@@ -904,6 +904,25 @@ feature development that cannot go into the new version.
    there is only a single section about PHP X.Y.0, instead of individual
    sections for each pre-release.
 
+4. On the announcement day for the initial stable version (or shortly before),
+   update the `Expires` field in the <https://www.php.net/.well-known/security.txt>
+   file. The `Expires` field should be set to the expected date of the next X.Y.0
+   release (following the one currently being prepared), which is usually the
+   fourth Thursday of November in the next year.
+
+   Following the recommendation of [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116),
+   we maintain an `Expires` time of about a year for our security policies. This
+   provides security researchers with confidence they are using our most
+   up-to-date reporting policies.
+
+   The `security.txt` file is located in the [web-php repository](https://github.com/php/web-php)
+   under the `.well-known/` directory. We may make changes to this file at other
+   times, as needed, but we will always advance the `Expires` timestamp on a
+   yearly cadence, coinciding with our X.Y.0 releases.
+
+   Please see the instructions for
+   [making changes to security.txt](security-policies.md#making-changes-to-securitytxt).
+
 
 ## Prime the selection of release managers for the next version
 

docs/security-policies.md

@@ -0,0 +1,90 @@
+# PHP Security Policies and Process
+
+> [!IMPORTANT]
+> This is a meta document discussing PHP security policies and processes. For the actual
+> PHP security policy, see the PHP [Vulnerability Disclosure Policy][] document.
+
+## PHP.net security.txt file
+
+PHP.net includes a [security.txt][] file that complements the
+[Vulnerability Disclosure Policy][], aiding security vulnerability disclosure.
+This file implements the standard defined in [RFC 9116][], and more information
+is available at <https://securitytxt.org>.
+
+RFC 9116 requires an `Expires` field in `security.txt`, and its recommendation
+is for the `Expires` field to be less than a year in the future. This provides
+security researchers with confidence they are using our most up-to-date
+reporting policies. To facilitate yearly updates to the `Expires` field and
+ensure freshness of the information in `security.txt`, the PHP release managers
+[update the `Expires` field as part of the X.Y.0 GA release][expires-update].
+
+From time-to-time, we may update `security.txt` with new information, outside
+of the yearly changes to the `Expires` field.
+
+### Making changes to security.txt
+
+All changes to `security.txt` must be signed by a PHP release manager for a
+[currently supported version of PHP][supported-versions] (at the time of the
+changes). Release managers are the most logical choice for signing this file,
+since we already [publish their PGP keys][rm-pgp-keys].
+
+To make changes to `security.txt`:
+
+1. Go to your local clone of [web-php][].
+
+   ```bash
+   cd /path/to/web-php/.well-known
+   ```
+
+2. Remove the PGP signature that wraps the body of `security.txt`:
+
+   ```bash
+   gpg --decrypt --output security.txt security.txt
+   ```
+
+   > [!NOTE]
+   > To "decrypt" `security.txt`, you will need the public key of the release
+   > manager who last signed it in your GPG keychain.
+
+3. Make and save your changes to this file, e.g., update the `Expires` timestamp.
+
+   There should be a "Signed by" comment in the file that looks similar to this:
+
+   ```
+   # Signed by Ben Ramsey <ramsey@php.net> on 2023-09-28.
+   ```
+
+   Update this line with your name, the email address associated with the key
+   you're using to sign the file, and the current date.
+
+4. Sign your changes:
+
+   ```bash
+   gpg --clearsign --local-user YOU@php.net --output security.txt.asc security.txt
+   ```
+
+   > [!WARNING]
+   > You cannot use `--output` to output the signature to the same file as the
+   > input file or `gpg` will result in a signature wrapped around empty content.
+
+5. Last, replace `security.txt` with `security.txt.asc` and commit your changes:
+
+   ```bash
+   mv security.txt.asc security.txt
+   git commit security.txt
+   ```
+
+> [!NOTE]
+> You may verify the signature with the following command:
+>
+> ```bash
+> gpg --verify security.txt
+> ```
+
+[security.txt]: https://www.php.net/.well-known/security.txt
+[vulnerability disclosure policy]: https://github.com/php/php-src/security/policy
+[rfc 9116]: https://www.rfc-editor.org/rfc/rfc9116
+[expires-update]: release-process.md#preparing-for-the-initial-stable-version-php-xy0
+[supported-versions]: https://www.php.net/supported-versions.php
+[rm-pgp-keys]: https://www.php.net/gpg-keys.php
+[web-php]: https://github.com/php/web-php

ext/pcre/php_pcre.c

@@ -34,8 +34,6 @@
 #define PREG_SPLIT_DELIM_CAPTURE	(1<<1)
 #define PREG_SPLIT_OFFSET_CAPTURE	(1<<2)
 
-#define PREG_REPLACE_EVAL			(1<<0)
-
 #define PREG_GREP_INVERT			(1<<0)
 
 #define PREG_JIT                    (1<<3)
@@ -737,14 +735,12 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 				break;
 			case 'J':	coptions |= PCRE2_DUPNAMES;		break;
 
-			/* Custom preg options */
-			case 'e':	poptions |= PREG_REPLACE_EVAL;	break;
-
 			case ' ':
 			case '\n':
 			case '\r':
 				break;
 
+			case 'e': /* legacy eval */
 			default:
 				if (pp[-1]) {
 					php_error_docref(NULL, E_WARNING, "Unknown modifier '%c'", pp[-1]);
@@ -760,16 +756,6 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 		}
 	}
 
-	if (poptions & PREG_REPLACE_EVAL) {
-		php_error_docref(NULL, E_WARNING, "The /e modifier is no longer supported, use preg_replace_callback instead");
-		pcre_handle_exec_error(PCRE2_ERROR_INTERNAL);
-		efree(pattern);
-		if (key != regex) {
-			zend_string_release_ex(key, 0);
-		}
-		return NULL;
-	}
-
 	if (key != regex) {
 		tables = (uint8_t *)zend_hash_find_ptr(&char_tables, BG(ctype_string));
 		if (!tables) {

ext/pcre/tests/002.phpt

@@ -24,5 +24,5 @@ string(12) "a${1b${1c${1"
 Warning: preg_replace(): Compilation failed: missing terminating ] for character class at offset 8 in %s002.php on line %d
 NULL
 
-Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in %s on line %d
+Warning: preg_replace(): Unknown modifier 'e' in %s on line %d
 NULL

ext/pcre/tests/null_bytes.phpt

@@ -27,8 +27,6 @@ var_dump(preg_match("[abc\0def]", "abc"));
 var_dump(preg_match("[abc\0def]", "abc\0def"));
 var_dump(preg_match("[abc\0def]", "abc\0fed"));
 
-preg_replace("/foo/e\0/i", "echo('Eek');", "");
-
 ?>
 --EXPECTF--
 Warning: preg_match(): Delimiter must not be alphanumeric, backslash, or NUL in %snull_bytes.php on line 3
@@ -62,5 +60,3 @@ int(0)
 int(0)
 int(1)
 int(0)
-
-Warning: preg_replace(): NUL is not a valid modifier in %snull_bytes.php on line 27

ext/random/php_random.h

@@ -35,34 +35,6 @@
 
 PHPAPI double php_combined_lcg(void);
 
-/*
- * A bit of tricky math here.  We want to avoid using a modulus because
- * that simply tosses the high-order bits and might skew the distribution
- * of random values over the range.  Instead we map the range directly.
- *
- * We need to map the range from 0...M evenly to the range a...b
- * Let n = the random number and n' = the mapped random number
- *
- * Then we have: n' = a + n(b-a)/M
- *
- * We have a problem here in that only n==M will get mapped to b which
- * means the chances of getting b is much much less than getting any of
- * the other values in the range.  We can fix this by increasing our range
- * artificially and using:
- *
- *               n' = a + n(b-a+1)/M
- *
- * Now we only have a problem if n==M which would cause us to produce a
- * number of b+1 which would be bad.  So we bump M up by one to make sure
- * this will never happen, and the final algorithm looks like this:
- *
- *               n' = a + n(b-a+1)/(M+1)
- *
- * -RL
- */
-# define RAND_RANGE_BADSCALING(__n, __min, __max, __tmax) \
-	(__n) = (__min) + (zend_long) ((double) ( (double) (__max) - (__min) + 1.0) * ((__n) / ((__tmax) + 1.0)))
-
 # ifdef PHP_WIN32
 #  define GENERATE_SEED() (((zend_long) ((zend_ulong) time(NULL) * (zend_ulong) GetCurrentProcessId())) ^ ((zend_long) (1000000.0 * php_combined_lcg())))
 # else

ext/spl/spl_array.stub.php

@@ -4,16 +4,10 @@
 
 class ArrayObject implements IteratorAggregate, ArrayAccess, Serializable, Countable
 {
-    /**
-     * @var int
-     * @cvalue SPL_ARRAY_STD_PROP_LIST
-     */
-    const STD_PROP_LIST = UNKNOWN;
-    /**
-     * @var int
-     * @cvalue SPL_ARRAY_ARRAY_AS_PROPS
-     */
-    const ARRAY_AS_PROPS = UNKNOWN;
+    /** @cvalue SPL_ARRAY_STD_PROP_LIST */
+    public const int STD_PROP_LIST = UNKNOWN;
+    /** @cvalue SPL_ARRAY_ARRAY_AS_PROPS */
+    public const int ARRAY_AS_PROPS = UNKNOWN;
 
     public function __construct(array|object $array = [], int $flags = 0, string $iteratorClass = ArrayIterator::class) {}
 
@@ -92,16 +86,10 @@ public function __debugInfo(): array {}
 
 class ArrayIterator implements SeekableIterator, ArrayAccess, Serializable, Countable
 {
-    /**
-     * @var int
-     * @cvalue SPL_ARRAY_STD_PROP_LIST
-     */
-    public const STD_PROP_LIST = UNKNOWN;
-    /**
-     * @var int
-     * @cvalue SPL_ARRAY_ARRAY_AS_PROPS
-     */
-    public const ARRAY_AS_PROPS = UNKNOWN;
+    /** @cvalue SPL_ARRAY_STD_PROP_LIST */
+    public const int STD_PROP_LIST = UNKNOWN;
+    /** @cvalue SPL_ARRAY_ARRAY_AS_PROPS */
+    public const int ARRAY_AS_PROPS = UNKNOWN;
 
     public function __construct(array|object $array = [], int $flags = 0) {}
 
@@ -246,11 +234,8 @@ public function __debugInfo(): array {}
 
 class RecursiveArrayIterator extends ArrayIterator implements RecursiveIterator
 {
-    /**
-     * @var int
-     * @cvalue SPL_ARRAY_CHILD_ARRAYS_ONLY
-     */
-    public const CHILD_ARRAYS_ONLY = UNKNOWN;
+    /** @cvalue SPL_ARRAY_CHILD_ARRAYS_ONLY */
+    public const int CHILD_ARRAYS_ONLY = UNKNOWN;
 
     /** @tentative-return-type */
     public function hasChildren(): bool {}