They'll be posted within a couple of days.

Zeev

At 07:42 11/12/2001, MindHunter wrote:
>Where do we get the Windows Binaries?
>
>Cheers
>MH
>
>Zeev Suraski <[EMAIL PROTECTED]> wrote in message
>news:5.1.0.14.2.20011210234236.0516bec0@localhost...
> > After a lengthy QA process, PHP 4.1.0 is finally out.  Download at
> > http://www.php.net/downloads.php !
> >
> > PHP 4.1.0 includes several other key improvements:
> > - A new input interface for improved security (read below)
> > - Highly improved performance in general
> > - Revolutionary performance and stability improvements under Windows.  The
> > multithreaded server modules under Windows (ISAPI, Apache, etc.) perform as
> > much as 30 times faster under load!  We want to thank Brett Brewer and his
> > team in Microsoft for working with us to improve PHP for Windows.
> > - Versioning support for extensions.  Right now it's barely being used, but
> > the infrastructure was put in place to support separate version numbers for
> > different extensions.  The negative side effect is that loading extensions
> > that were built against old versions of PHP will now result in a crash,
> > instead of in a nice clear message.  Make sure you only use extensions
> > built with PHP 4.1.0.
> > - Turn-key output compression support
> > - *LOTS* of fixes and new functions
> >
> > As some of you may notice, this version is quite historical, as it's the
> > first time in history we actually incremented the middle digit!  :) The two
> > key reasons for this unprecedented change were the new input interface, and
> > the broken binary compatibility of modules due to the versioning support.
> >
> > Following is a description of the new input mechanism.  For a full list of
> > changes in PHP 4.1.0, scroll down to the end of this section.
> >
> > -----------------------------------
> >
> > SECURITY:  NEW INPUT MECHANISM
> >
> > First and foremost, it's important to stress that regardless of anything
> > you may read in the following lines, PHP 4.1.0 *supports* the old input
> > mechanisms from older versions.  Old applications should go on working fine
> > without modification!
> >
> > Now that we have that behind us, let's move on :)
> >
> > For various reasons, PHP setups which rely on register_globals being on
> > (i.e., on form, server and environment variables becoming a part of the
> > global namespace, automatically) are very often exploitable to various
> > degrees.  For example, the piece of code:
> >
> > <?php
> > if (authenticate_user()) {
> >    $authenticated = true;
> > }
> > ...
> > ?>
> >
> > May be exploitable, as remote users can simply pass on 'authenticated' as a
> > form variable, and then even if authenticate_user() returns false,
> > $authenticated will actually be set to true.  While this looks like a
> > simple example, in reality, quite a few PHP applications ended up being
> > exploitable by things related to this misfeature.
> >
> > While it is quite possible to write secure code in PHP, we felt that the
> > fact that PHP makes it too easy to write insecure code was bad, and we've
> > decided to attempt a far-reaching change, and deprecate
> > register_globals.  Obviously, because the vast majority of the PHP code in
> > the world relies on the existence of this feature, we have no plans to
> > actually remove it from PHP anytime in the foreseeable future, but we've
> > decided to encourage people to shut it off whenever possible.
> >
> > To help users build PHP applications with register_globals being off, we've
> > added several new special variables that can be used instead of the old
> > global variables.  There are 7 new special arrays:
> >
> > $_GET - contains form variables sent through GET
> > $_POST - contains form variables sent through POST
> > $_COOKIE - contains HTTP cookie variables
> > $_SERVER - contains server variables (e.g., REMOTE_ADDR)
> > $_ENV - contains the environment variables
> > $_REQUEST - a merge of the GET variables, POST variables and Cookie
> > variables.  In other words - all the information that is coming from the
> > user, and that from a security point of view, cannot be trusted.
> > $_SESSION - contains HTTP variables registered by the session module
> >
> > Now, other than the fact that these variables contain this special
> > information, they're also special in another way - they're automatically
> > global in any scope.  This means that you can access them anywhere, without
> > having to 'global' them first.  For example:
> >
> > function example1()
> > {
> > print $_GET["name"];   // works, 'global $_GET;' is not necessary!
> > }
> >
> > would work fine!  We hope that this fact would ease the pain in migrating
> > old code to new code a bit, and we're confident it's going to make writing
> > new code easier.  Another neat trick is that creating new entries in the
> > $_SESSION array will automatically register them as session variables, as
> > if you called session_register().  This trick is limited to the session
> > module only - for example, setting new entries in $_ENV will *not* perform
> > an implicit putenv().
> >
> > PHP 4.1.0 still defaults to have register_globals set to on.  It's a
> > transitional version, and we encourage application authors, especially
> > public ones which are used by a wide audience, to change their applications
> > to work in an environment where register_globals is set to off.  Of course,
> > they should take advantage of the new features supplied in PHP 4.1.0 that
> > make this transition much easier.
> >
> > As of the next semi-major version of PHP, new installations of PHP will
> > default to having register_globals set to off.  No worries!  Existing
> > installations, which already have a php.ini file that has register_globals
> > set to on, will not be affected.  Only when you install PHP on a brand new
> > machine (typically, if you're a brand new user), will this affect you, and
> > then too - you can turn it on if you choose to.
> >
> > Note:  Some of these arrays had old names, e.g. $HTTP_GET_VARS.  These
> > names still work, but we encourage users to switch to the new shorter, and
> > auto-global versions.
> >
> > Thanks go to Shaun Clowes ([EMAIL PROTECTED]) for pointing out
> > this problem and for analyzing it.
> >
> > -------------------------------------
> >
> > FULL LIST OF CHANGES
> >
> > 10 Dec 2001, Version 4.1.0
> > - Worked around a bug in the MySQL client library that could cause PHP to hang
> >    when using unbuffered queries. (Zeev)
> > - Fixed a bug which caused set_time_limit() to affect all subsequent requests
> >    to running Apache child process. (Zeev)
> > - Removed the sablotron extension in favor of the new XSLT extension.
> >    (Sterling)
> > - Fixed a bug in WDDX deserialization that would sometimes corrupt the root
> >    element if it was a scalar one. (Andrei)
> > - Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images.
> >    (Rasmus)
> > - Fixed a bug in preg_match_all() that would return results under improper
> >    indices in certain cases. (Andrei)
> > - Fixed a crash in str_replace() that would happen if search parameter was an
> >    array and one of the replacements resulted in subject string being empty.
> >    (Andrei)
> > - Fixed MySQL extension to work with MySQL 4.0. (Jani)
> > - Fixed a crash bug within Cobalt systems. Patch by [EMAIL PROTECTED] (Jani)
> > - Bundled Dan Libby's xmlrpc-epi extension.
> > - Introduced extension version numbers. (Stig)
> > - Added version_compare() function. (Stig)
> > - Fixed pg_last_notice() (could cause random crashes in PostgreSQL
> >    applications, even if they didn't use pg_last_notice()). (Zeev)
> > - Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of
> >    E_ERROR errors, this allows you to trap errors thrown by DOMXML functions.
> >    (Sterling)
> > - Fixed a bug in the mcrypt extension, where list destructors were not
> >    properly being allocated. (Sterling)
> > - Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)
> > - Fixed a crash bug in array_map() if the input arrays had string or
> >    non-sequential keys. Also modified it so that if a single array is passed,
> >    its keys are preserved in the resulting array. (Andrei)
> > - Fixed a crash in dbase_replace_record. (Patch by [EMAIL PROTECTED])
> > - Fixed a crash in msql_result(). (Zeev)
> > - Added support for single dimensional SafeArrays and Enumerations.
> >    Added an is_enum() function to check if a component implements an
> >    enumeration. (Alan, Harald)
> > - Fixed a bug in dbase_get_record() and dbase_get_record_with_names().
> >    boolean fields are now returned correctly.
> >    Patch by Lawrence E. Widman <[EMAIL PROTECTED]> (Jani)
> > - Added --version option to php-config. (Stig)
> > - Improved support for thttpd-2.21b by incorporating patches for all known
> >    bugs. (Sascha)
> > - Added ircg_get_username, a roomkey argument to ircg_join, error fetching
> >    infrastructure, a tokenizer to speed up message processing, and fixed
> >    a lot of bugs in the IRCG extension. (Sascha)
> > - Improved speed of the serializer/deserializer. (Thies, Sascha)
> > - Floating point numbers are better detected when converting from strings.
> >    (Zeev, Zend Engine)
> > - Replaced php.ini-optimized with php.ini-recommended.  As the name implies,
> >    it's warmly recommended to use this file as the basis for your PHP
> >    configuration, rather than php.ini-dist.  (Zeev)
> > - Restore xpath_eval() and php_xpathptr_eval() for 4.0.7. There
> >    are still some known leaks. (Joey)
> > - Added import_request_variables(), to allow users to safely import form
> >    variables to the global scope (Zeev)
> > - Introduced a new $_REQUEST array, which includes any GET, POST or COOKIE
> >    variables.  Like the other new variables, this variable is also available
> >    regardless of the context.  (Andi & Zeev)
> > - Introduced $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV variables, which
> >    deprecate the old $HTTP_*_VARS arrays.  In addition to being much shorter to
> >    type - these variables are also available regardless of the scope, and
> >    there's no need to import them using the 'global' statement.  (Andi & Zeev)
> > - Added vprintf() and vsprintf() functions that allow passing all arguments
> >    after format as an array. (Andrei)
> > - Added support for GD2 image type for ImageCreateFromString() (Jani)
> > - Added ImageCreateFromGD(), ImageCreateFromGD2(), ImageCreateFromGD2part(),
> >    ImageGD() and ImageGD2() functions (Jani)
> > - addcslashes now warns when charlist is invalid. The returned string
> >    remained the same (Jeroen)
> > - Added optional extra argument to gmp_init(). The extra argument
> >    indicates which number base gmp should use when converting a
> >    string to the gmp-number. (Troels)
> > - Added the Cyrus-IMAP extension, which allows a direct interface to Cyrus'
> >    more advanced capabilities. (Sterling)
> > - Enhance read_exif_data() to support multiple comment tags (Rasmus)
> > - Fixed a crash bug in array_map() when NULL callback was passed in. (Andrei)
> > - Change from E_ERROR to E_WARNING in the exif extension (Rasmus)
> > - New pow() implementation, which returns an integer when possible,
> >    and warnings on wrong input (jeroen)
> > - Added optional second parameter to trim, chop and ltrim. You can
> >    now specify which characters to trim (jeroen)
> > - Hugely improved the performance of the thread-safe version of PHP, especially
> >    under Windows (Andi & Zeev)
> > - Improved request-shutdown performance significantly (Andi & Zeev, Zend
> >    Engine)
> > - Added a few new math functions. (Jesus)
> > - Bump bundled expat to 1.95.2 (Thies)
> > - Improved the stability of OCIPlogon() after a database restart. (Thies)
> > - Fixed __FILE__ in the CGI & Java servlet modes when used in the main script.
> >    It only worked correctly in included files before this fix (Andi)
> > - Improved the Zend hash table implementation to be much faster (Andi, Zend
> >    Engine)
> > - Updated PHP's file open function (used by include()) to check in the calling
> >    script's directory in case the file can't be found in the include_path
> >    (Andi)
> > - Fixed a corruption bug that could cause constants to become corrupted, and
> >    possibly prevent resources from properly being cleaned up at the end of
> >    a request (Zeev)
> > - Added optional use of Boyer-Moore algorithm to str_replace() (Sascha)
> > - Fixed and improved shared-memory session storage module (Sascha)
> > - Add config option (always_populate_raw_post_data) which when enabled
> >    will always populate $HTTP_RAW_POST_DATA regardless of the post mime
> >    type (Rasmus)
> > - Added support for socket and popen file types to ftp_fput (Jason)
> > - Fixed various memory leaks in the LDAP extension (Stig Venaas)
> > - Improved interactive mode - it is now available in all builds of PHP, without
> >    any significant slowdown (Zeev, Zend Engine)
> > - Fixed crash in iptcparse() if the supplied data was bogus. (Thies)
> > - Fixed return value for a failed snmpset() - now returns false  (Rasmus)
> > - Added hostname:port support to snmp functions ([EMAIL PROTECTED], Rasmus)
> > - Added fdf_set_encoding() function (Masaki YATSU, Rasmus)
> > - Reversed the destruction-order of resources.  This fixes the reported OCI8
> >    "failed to rollback outstanding transactions!" message (Thies, Zend Engine)
> > - Added option for returning XMLRPC fault packets. (Matt Allen, Sascha
> >    Schumann)
> > - Improved range() function to support range('a','z') and range(9,0) types of
> >    ranges. (Rasmus)
> > - Added getmygid() and safe_mode_gid ini directive to allow safe mode to do
> >    a gid check instead of a uid check. (James E. Flemer, Rasmus)
> > - Made assert() accept the array(&$obj, 'methodname') syntax. (Thies)
> > - Made sure that OCI8 outbound variables are always zero-terminated. (Thies)
> > - Fixed a bug that allowed users to spawn processes while using the 5th
> >    parameter to mail(). (Derick)
> > - Added nl_langinfo() (when OS provides it) that returns locale.
> > - Fixed a major memory corruption bug in the thread safe version. (Zeev)
> > - Fixed a crash when using the CURLOPT_WRITEHEADER option. (Sterling)
> > - Added optional suffix removal parameter to basename(). (Hartmut)
> > - Added new parameter UDM_PARAM_VARDIR ha in Udm_Set_Agent_Param() function to
> >    support alternative search data directory.  This requires mnogoSearch 3.1.13
> >    or later.
> > - Fixed references in sessions. This doesn't work when using the WDDX
> >    session-serializer. Also improved speed of sessions. (Thies)
> > - Added new experimental module pcntl (Process Control). (Jason)
> > - Fixed a bug when com.allow_dcom is set to false. (phanto)
> > - Added a further parameter to the constructor to load typelibs from file when
> >    instantiating components (e.g. DCOM Components without local registration).
> >    (phanto)
> > - Added the possibility to specify typelibs by full name in the typelib file
> >    (Alan Brown)
> > - Renamed the ZZiplib extension to the Zip extension, function names have also
> >    changed accordingly, functionality has stayed constant. (Sterling)
> > - Made the length argument (argument 2) to pg_loread() optional, if not
> >    specified data will be read in 1kb chunks. (Sterling)
> > - Added a third argument to pg_lowrite() which is the length of the data to
> >    write. (Sterling)
> > - Added the CONNECTION_ABORTED, CONNECTION_TIMEOUT and CONNECTION_NORMAL
> >    constants. (Zak)
> > - Assigning to a string offset beyond the end of the string now automatically
> >    increases the string length by padding it with spaces, and performs the
> >    assignment. (Zeev, Zend Engine)
> > - Added warnings in case an uninitialized string offset is read. (Zeev, Zend
> >    Engine)
> > - Fixed a couple of overflow bugs in case of very large negative integer
> >    numbers. (Zeev, Zend Engine)
> > - Fixed a crash bug in the string-offsets implementation (Zeev, Zend Engine)
> > - Improved the implementation of parent::method_name() for classes which use
> >    run-time inheritance. (Zeev, Zend Engine)
> > - Added 'W' flag to date() function to return week number of year using ISO
> >    8601 standard. (Colin)
> > - Made the PostgreSQL driver do internal row counting when iterating through
> >    result sets. ([EMAIL PROTECTED])
> > - Updated ext/mysql/libmysql to version 3.23.39; Portability fixes, minor
> >    bug fixes. ([EMAIL PROTECTED])
> > - Added get_defined_constants() function to return an associative array of
> >    constants mapped to their values. (Sean)
> > - New mailparse extension for parsing and manipulating MIME mail. (Wez)
> > - Define HAVE_CONFIG_H when building standalone DSO extensions. (Stig)
> > - Added the 'u' modifier to printf/sprintf which prints unsigned longs.
> >    (Derick)
> > - Improved IRIX compatibility. (Sascha)
> > - Fixed crash bug in bzopen() when specifying an invalid file. (Andi)
> > - Fixed bugs in the mcrypt extension that caused crashes. (Derick)
> > - Added the IMG_ARC_ROUNDED option for the ImageFilledArc() function, which
> >    specified that the drawn curve should be rounded. (Sterling)
> > - Updated the sockets extension to use resources instead of longs for the
> >    socket descriptors.  The socket functions have been renamed to conform with
> >    the PHP standard instead of their C counterparts.  The sockets extension is
> >    now usable under Win32. (Daniel)
> > - Added disk_total_space() to return the total size of a filesystem.
> >    (Patch from Steven Bower)
> > - Renamed diskfreespace() to disk_free_space() to conform to established
> >    naming conventions. (Jon)
> > - Fixed #2181. Now zero is returned instead of an unset value for
> >    7-bit encoding and plain text body type. (Vlad)
> > - Fixed a bug in call_user_*() functions that would not allow calling
> >    functions/methods that accepted parameters by reference. (Andrei)
> > - Added com_release($obj) and com_addref($obj) functions and the related class
> >    members $obj->Release() and $obj->AddRef() to gain more control over the used
> >    COM components. (phanto)
> > - Added an additional parameter to dotnet_load to specify the codepage (phanto)
> > - Added peak memory logging. Use --enable-memory-limit to create a new Apache
> >    1.x logging directive "{mod_php_memory_usage}n" which will log the peak
> >    amount of memory used by the script. (Thies)
> > - Made fstat() and stat() provide identical output by returning a numerical and
> >    string indexed array. (Jason)
> > - Fixed memory leak upon re-registering constants. (Sascha, Zend Engine)
> >
> > -----------------------------------
> >
> > Zeev
> >
>
>
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
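
The register_globals problem described in the quoted announcement, as an added example that is not part of the original messages or of PHP's own code. It assumes a PHP 7.1+ CLI, where register_globals no longer exists, so the import is emulated with extract(); legacy_page(), hardened_page(), the authenticate_user() stub and the request values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Stub for the announcement's authenticate_user(); the credentials are
// constructed demo values.
function authenticate_user(): bool
{
    return ($_POST['user'] ?? '') === 'alice'
        && ($_POST['pass'] ?? '') === 'demo-password';
}

// register_globals=on, emulated: every GET/POST/cookie key becomes a plain
// variable before the page logic runs. EXTR_SKIP never overwrites a variable
// that already exists in this scope.
function legacy_page(): bool
{
    extract(array_merge($_GET, $_POST, $_COOKIE), EXTR_SKIP);
    if (authenticate_user()) {
        $authenticated = true;
    }
    // $authenticated was never initialised, so a request-supplied value is
    // still present when authenticate_user() returned false.
    return !empty($authenticated);
}

// register_globals=off style: the flag is initialised by the script itself,
// and request data is reachable only through the auto-global arrays (which
// need no 'global' statement inside a function).
function hardened_page(): bool
{
    $authenticated = false;
    if (authenticate_user()) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed requests: [GET parameters, POST parameters].
$cases = [
    'bad password'                   => [[], ['user' => 'alice', 'pass' => 'wrong']],
    'bad password + authenticated=1' => [['authenticated' => '1'], ['user' => 'alice', 'pass' => 'wrong']],
    'good password'                  => [[], ['user' => 'alice', 'pass' => 'demo-password']],
];

foreach ($cases as $label => [$get, $post]) {
    $_GET = $get;
    $_POST = $post;
    $_COOKIE = [];
    printf(
        "%-32s legacy=%-5s hardened=%s\n",
        $label,
        var_export(legacy_page(), true),
        var_export(hardened_page(), true)
    );
}
```

Only the second case differs between the two functions, which is the signal to look for when auditing old code: any variable that gates a decision and is read before the script itself assigns it.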

