Diffstat (limited to 'UPGRADING')
-rwxr-xr-x | UPGRADING | 216 |
1 files changed, 195 insertions, 21 deletions
@@ -1,6 +1,6 @@ $Id$ -PHP X.Y UPGRADE NOTES +PHP 5.6 UPGRADE NOTES 1. Backward Incompatible Changes 2. New Features @@ -28,8 +28,8 @@ PHP X.Y UPGRADE NOTES containing non-lowercase values inside JSON arrays or objects has never been accepted. -- openssl: - To prevent Man-in-the-Middle attacks against encrypted transfers client +- OpenSSL: + To prevent man-in-the-middle attacks against encrypted transfers client streams now verify peer certificates by default. Previous versions required users to manually enable peer verification. As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. @@ -37,10 +37,15 @@ PHP X.Y UPGRADE NOTES connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting. Encrypted transfers delegate to operating system certificate stores by default if not overridden via the - new openssl.cafile/openssl.cafile ini directives or call-time SSL context - options, so many/most users *should* be unaffected by this transparent + new openssl.cafile and openssl.cafile ini directives or via call-time SSL + context options, so most users should be unaffected by this transparent security enhancement. (https://wiki.php.net/rfc/tls-peer-verification) +- Mcrypt: + The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no + longer accept keys or IVs with incorrect sizes. Furthermore an IV is now + required if the used block cipher mode requires it. + ======================================== 2. New Features ======================================== 
@@ -54,12 +59,11 @@ PHP X.Y UPGRADE NOTES - Added support for argument unpacking to complement the variadic syntax. (https://wiki.php.net/rfc/argument_unpacking) -- Added T_POW (**) operator. +- Added an exponentiation operator (**). (https://wiki.php.net/rfc/pow-operator) - Added unified default encoding. default_charset=UTF-8 and functions/extensions use encoding settings honor default_charset. - (https://wiki.php.net/rfc/default_encoding) - The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0. @@ -67,7 +71,10 @@ PHP X.Y UPGRADE NOTES - Added use function and use const. (https://wiki.php.net/rfc/use_function) -- Added gost-crypto (CryptoPro S-box) hash algo. +- Added a function for timing attack safe string comparison + (https://wiki.php.net/rfc/timing_attack) + +- Added gost-crypto (CryptoPro S-box) hash algorithm. - Stream wrappers verify peer certificates and host names by default in encrypted client streams. @@ -102,6 +109,9 @@ PHP X.Y UPGRADE NOTES . "reneg_window" (renegotiation time window in seconds) . "reneg_limit_callback" (optional notification callback on limiting) +- Encrypted TLS servers now support the server name indication (SNI) TLS + extension via the new "SNI_server_certs" SSL context option. + - Added "crypto_method" SSL context option for use in encrypted streams. - Added "peer_name" SSL context option to better reflect peer certificate 
@@ -120,13 +130,22 @@ PHP X.Y UPGRADE NOTES - Stream crypto method specification now accepts flags instead of values allowing support for multiple discrete protocols in a given stream. +- PostgreSQL database connections may now be established asynchronously using + new constants and polling functions in ext/pgsql. + +- Non-blocking read/write query behavior now optionally available in database + operations using the ext/pgsql extension. + ======================================== 2. Changes in SAPI modules ======================================== -- Added phpdbg sapi. +- Added phpdbg SAPI. (https://wiki.php.net/rfc/phpdbg) +- Support for FPM workers changing the apparmor profile through the pool configuration. + (https://wiki.php.net/rfc/fpm_change_hat) + ======================================== 3. Deprecated Functionality ======================================== 
@@ -135,12 +154,26 @@ PHP X.Y UPGRADE NOTES Instance calls from an incompatible context are now deprecated and issue E_DEPRECATED instead of E_STRICT. See https://wiki.php.net/rfc/incompat_ctx -- The "CN_match" SSL context option is deprecated in favor of the new - "peer_name" option. Name verification now checks certificate SAN names as - well as the CN field and "CN_match" is deprecated to avoid confusion. Its - use triggers E_DEPRECATED but continues to work as before. If both values - are specified "CN_match" takes precedence. Otherwise, the two options are - interchangeable. +- The "CN_match" and "SNI_server_name" SSL context options are deprecated in + favor of the new "peer_name" option. Name verification now checks certificate + SAN names as well as the CN field and the specific name fields are deprecated + to avoid confusion. Their use triggers E_DEPRECATED but continues to work as + before. If specified, the specific values take precedence over the general + "peer_name" value. + +- Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an + undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES. + +- Deprecated INIs: Following INIs are deprecated in favour of new + internal_encoding/input_encoding/output_encoding. Refer to "Changes to + encodings in PHP 5.6" in "11. Other Changes" section for more details. + + iconv.input_encoding + iconv.output_encoding + iconv.internal_encoding + mbstring.http_input + mbstring.http_output + mbstring.internal_encoding ======================================== 4. Changed Functions 
@@ -150,16 +183,38 @@ PHP X.Y UPGRADE NOTES CURLOPT_SAFE_UPLOAD is now turned on by default and uploads with @file do not work unless it is explicitly set to false. + curl_setopt() now supports the following nullable settings (>= 5.5.11): + . CURLOPT_CUSTOMREQUEST + . CURLOPT_FTPPORT + . CURLOPT_RANGE + . CURLOPT_FTP_ACCOUNT + . CURLOPT_RTSP_SESSION_ID + . CURLOPT_KRBLEVEL + . CURLOPT_KRB4LEVEL + +- Strings: + substr_compare() now allows $length to be zero. + - Crypt: crypt() will now raise an E_NOTICE error if the salt parameter is omitted. See: https://wiki.php.net/rfc/crypt_function_salt +- Mcrypt: + The $source parameter of mcrypt_create_iv() now defaults to + MCRYPT_DEV_URANDOM instead of MCRYPT_DEV_RANDOM. + - XMLReader: XMLReader::getAttributeNs and XMLReader::getAttributeNo now return NULL if the attribute could not be found, just like XMLReader::getAttribute. - Pgsql: pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL. + The following functions no longer block until query write completion if the + socket stream underlying a database connection is set to non-blocking mode: + . pg_send_execute() + . pg_send_prepare() + . pg_send_query() + . pg_send_query_params() ======================================== 5. New Functions @@ -168,7 +223,10 @@ PHP X.Y UPGRADE NOTES - GMP: Added gmp_root($a, $nth) and gmp_rootrem($a, $nth) for calculating nth roots. -- Openssl: +- Hash + Added hash_equals($known_string, $user_string) + +- OpenSSL: Added string openssl_x509_fingerprint($x509, $type, $binary). Added string openssl_spki_new($private_key, $challenge, $algorithm) Added bool openssl_spki_verify($spkac) 
@@ -178,11 +236,25 @@ PHP X.Y UPGRADE NOTES - LDAP: Added ldap_escape($value, $ignore = "", $flags = 0). - Added ldap_modify_batch($link_identifier, $dn, $modifications) described in https://wiki.php.net/rfc/ldap_modify_batch. + Added ldap_modify_batch($link_identifier, $dn, $modifications) described in + https://wiki.php.net/rfc/ldap_modify_batch. + +- Pgsql: + Added pg_socket($connection) to allow async connections and non-blocking IO + Added pg_connect_poll($connection) for establishing async connections + Added pg_consume_input($connection) for non-blocking query result consumption + Added pg_flush($connection) for non-blocking query write completion + +- PDO_pgsql + Added PDO::pgsqlGetNotify($result_type = PDO::FETCH_USE_DEFAULT, $ms_timeout = 0) + Added PDO::pgsqlGetPid() - Zip: Added ZipArchive::setPassword($password) +- SPL + Added SplFileObject::fread($length) to complement fwrite() method (>= 5.5.11) + ======================================== 6. New Classes and Interfaces ======================================== @@ -197,6 +269,16 @@ PHP X.Y UPGRADE NOTES 8. Other Changes to Extensions ======================================== +- cURL: + - The following constants have been removed as they are now marked "obsolete" + in the underlying library and never had any effect to begin with: + . CURLOPT_CLOSEPOLICY + . CURLCLOSEPOLICY_CALLBACK + . CURLCLOSEPOLICY_LEAST_RECENTLY_USED + . CURLCLOSEPOLICY_LEAST_TRAFFIC + . CURLCLOSEPOLICY_OLDEST + . CURLCLOSEPOLICY_SLOWEST + - GMP: The GMP extension now uses objects as the underlying data structure, rather than resources. GMP instances now support dumping, serialization, cloning, 
@@ -209,10 +291,20 @@ PHP X.Y UPGRADE NOTES - Using 'oci_execute($s, OCI_NO_AUTO_COMMIT)' for a SELECT no longer unnecessarily initiates an internal ROLLBACK during connection close. + - Multi-row OCI_RETURN_LOB queries require fewer "round trips" to the database. - Added DTrace probes enabled with PHP's generic --enable-dtrace - The oci_internal_debug() function is now a no-op. - The phpinfo() output format for OCI8 has changed. +- OpenSSL: + - The "SNI_enabled" SSL stream context option is now set to TRUE by default + if supported by the underlying openssl library. + +- PCRE: + - The information collected by the (*MARK) backtracking control verb is now + collected into the "MARK" index of the $matches array for preg_match(), + preg_match_all() and preg_replace_callback(). + - Pgsql: - pg_insert()/pg_select()/pg_update()/pg_delete()/pg_meta_data()/pg_convert() are no longer EXPERIMENTAL @@ -223,6 +315,19 @@ PHP X.Y UPGRADE NOTES - pg_select() returns PostgreSQL query resource when query is executed. - Added extended flag parameter for pg_meta_data(). pg_meta_data() always returns "is enum" attribute. + - The new pg_socket() function returns a socket stream with no behavior other + than to allow IO-readiness polling on a DB connection socket. Calling + stream_set_blocking() on its result enables non-blocking behavior. + - Passing the new PGSQL_CONNECT_ASYNC flag to pg_connect() allows applications + to poll for IO readiness via pg_connect_poll() and establish connections + asynchronously. + +- PDO_pgsql: + - Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries + without preparing them, while still passing parameters separately from + the command text using PQexecParams. + - Added LISTEN/NOTIFY support via PDO::pgsqlGetNotify / PDO::pgsqlGetPid() + as described in https://bugs.php.net/bug.php?id=42614. ======================================== 9. New Global Constants 
@@ -234,8 +339,20 @@ PHP X.Y UPGRADE NOTES - Pgsql: PGSQL_DML_ESCAPE int(4096) - -- Openssl: + PGSQL_CONNECT_ASYNC + PGSQL_CONNECTION_STARTED + PGSQL_CONNECTION_MADE + PGSQL_CONNECTION_AWAITING_RESPONSE + PGSQL_CONNECTION_AUTH_OK + PGSQL_CONNECTION_SSL_STARTUP + PGSQL_CONNECTION_SETENV + PGSQL_POLLING_FAILED + PGSQL_POLLING_READING + PGSQL_POLLING_WRITING + PGSQL_POLLING_OK + PGSQL_POLLING_ACTIVE + +- OpenSSL: STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT int(9) STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT int(17) STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT int(33) @@ -252,10 +369,22 @@ PHP X.Y UPGRADE NOTES - Core: Changed always_populate_raw_post_data to throw a deprecation warning when - enabled and to recognize ohe value -1 for never populating the global + enabled and to recognize the value -1 for never populating the global $HTTP_RAW_POST_DATA variable, which will be default in future PHP versions. -- Openssl: + default_charset is set to UTF-8. It was empty previously. default_charset + is used where it is applicable. Iconv/Mbstring/htmlentities/htmlspecialchars/ + html_entity_decode use default_charset as default encoding. + + internal_encoding/input_encoding/output_encoding is added for encoding + handling modules. Refer to "Changes to encodings in PHP 5.6" in "11. Other Changes" + section for more details. + +- cURL: + If the new openssl.cafile ini directive is specified ext/curl will give the + openssl path precedence over its own curl.cainfo directive. + +- OpenSSL: openssl.cafile and openssl.capath ini directives have been added to allow global CA default specification as necessary. 
@@ -270,6 +399,51 @@ PHP X.Y UPGRADE NOTES HTTP 1.1 requests now include a Connection: close header unless explicitly overridden by setting a Connection header via the header context option. +- PDO_pgsql + A libpq version providing PQexecParams, PQprepare, PQescapeStringConn, + PQescapeByteaConn is now required. According to the release notes that means + 8.0.8+ or 8.1.4+. + - Zip: New --with-libzip option allow to use system libzip. Version > 0.11 required, Version >= 0.11.2 recommended for all features. + +- Changes to encodings in PHP 5.6 + The default value of default_charset is now UTF-8 when it is not + explicitly set in php.ini + + The following php.ini parameters were added: + internal_encoding + input_encoding + output_encoding + + The values of the following php.ini parameters have become empty in + PHP 5.6 (previously they were all ISO-8859-1) + + iconv.input_encoding + iconv.output_encoding + iconv.internal_encoding + + Changes were made to character set handling in: + - the iconv and mbstring extensions, + - and htmlentities(), htmlspecialchars(), html_entity_decode() functions + + The precedence for these is now: + + default_charset < internal/input/output_encoding < (mbstring.* || iconv.*) < function parameter + + For example, the easiest way to use the UTF-8 encoding is to set + default_charset=UTF-8 and leave the following php.ini parameters + + empty: + + iconv.input_encoding + iconv.output_encoding + iconv.internal_encoding + mbstring.http_input + mbstring.http_output + mbstring.internal_encoding + internal_encoding + input_encoding + output_encoding + |
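Review bot: in the @@ -37,10 +37,15 @@ hunk the reworded sentence still names the same directive twice ("the new openssl.cafile and openssl.cafile ini directives"). The OpenSSL entry further down in this patch reads "openssl.cafile and openssl.capath ini directives have been added", so the second name here should be openssl.capath. This paragraph is where readers learn how to point verification at a CA store instead of switching "verify_peer" off, so the directive names need to be exact. The new Mcrypt entry in the same hunk should also say what the functions do when handed a wrong-sized key or IV, so callers know what to check for.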
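Review bot: the @@ -54,12 +59,11 @@ hunk removes the (https://wiki.php.net/rfc/default_encoding) reference from the "Added unified default encoding" entry and puts nothing in its place. Keep the RFC link, or point the entry at the "Changes to encodings in PHP 5.6" text added at the end of this patch. The sentence left behind, "functions/extensions use encoding settings honor default_charset", is ungrammatical and could be fixed in the same edit.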
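Review bot: the entry added in the @@ -67,7 +71,10 @@ hunk, "Added a function for timing attack safe string comparison", does not name the function. The New Functions hunk lists it as hash_equals($known_string, $user_string), so say "Added hash_equals() for timing attack safe string comparison" here and a reader scanning the feature list can find it without following the RFC link.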
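Review bot: the "SNI_server_certs" entry added in the @@ -102,6 +109,9 @@ hunk names the new SSL context option but not the shape of its value. The neighbouring "reneg_window" and "reneg_limit_callback" entries each carry a short parenthetical description, and this one should too, so that server operators do not have to read the source to configure per-host certificates.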
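Review bot: the @@ -135,12 +154,26 @@ hunk has a typo in the PDO entry: "an undocument constant" should be "an undocumented constant". The same hunk mixes "in favor of" (SSL options entry) with "in favour of" (INI entry), and "Deprecated INIs: Following INIs are deprecated" reads better as "The following INIs are deprecated". Pick one spelling for the file.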
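Review bot: in the @@ -150,16 +183,38 @@ hunk the Pgsql addition says the pg_send_*() functions "no longer block until query write completion" on a non-blocking socket, but does not tell callers how to finish the write. The New Functions hunk adds pg_flush($connection) "for non-blocking query write completion", so a cross-reference belongs here, since existing code that sets the stream to non-blocking mode changes behaviour. The Mcrypt entry in the same hunk should likewise say that code wanting the previous source must now pass MCRYPT_DEV_RANDOM explicitly.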
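Review bot: the "- Hash" heading added in the @@ -168,7 +223,10 @@ hunk is missing the trailing colon that "- GMP:" and "- OpenSSL:" carry, and the hash_equals() line omits the return type while the neighbouring entries state one ("Added string openssl_x509_fingerprint(...)", "Added bool openssl_spki_verify($spkac)"). Write it as "Added bool hash_equals($known_string, $user_string)" for consistency.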
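Review bot: in the @@ -178,11 +236,25 @@ hunk the new "- PDO_pgsql" and "- SPL" headings lack the colon used by "- LDAP:", "- Pgsql:" and "- Zip:" in the same section. The ldap_modify_batch() change in this hunk only rewraps the line, so it could be left out to keep the diff to real content changes.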
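Review bot: the cURL block added in the @@ -197,6 +269,16 @@ hunk records removed constants (CURLOPT_CLOSEPOLICY and the CURLCLOSEPOLICY_* values) under "8. Other Changes to Extensions". Removing constants breaks code that still references them, even if they "never had any effect to begin with", so this belongs in, or should at least be cross-referenced from, "1. Backward Incompatible Changes".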
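Review bot: the PDO_pgsql entry added in the @@ -223,6 +315,19 @@ hunk introduces PDO::PGSQL_ATTR_DISABLE_PREPARES without relating it to PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, which this same patch deprecates as "effectively equivalent to PDO::ATTR_EMULATE_PREPARES". The names are close enough to confuse, and only the new constant is described as "still passing parameters separately from the command text", which is the property that matters for injection safety. Add one sentence here that contrasts the two.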
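Review bot: the PGSQL_CONNECT_ASYNC, PGSQL_CONNECTION_* and PGSQL_POLLING_* constants added in the @@ -234,8 +339,20 @@ hunk are listed without values, while the existing entries in this section give them ("PGSQL_DML_ESCAPE int(4096)", "STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT int(9)"). Either add the values or drop them throughout so the list is uniform.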
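Review bot: the cURL entry added in the @@ -252,10 +369,22 @@ hunk changes which CA bundle ext/curl trusts ("will give the openssl path precedence over its own curl.cainfo directive") but is filed only under INI changes. A deployment that sets both directives will silently switch trust stores on upgrade, so the entry should state that explicitly and say that curl.cainfo is ignored in that case. The line 'handling modules. Refer to "Changes to encodings in PHP 5.6" in "11. Other Changes"' in the Core entry also runs past the wrap width used elsewhere in the file.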
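Review bot: in the @@ -270,6 +399,51 @@ hunk the sentence "leave the following php.ini parameters" is split from its last word by an empty line, so "empty:" sits alone before the list. Join them as "leave the following php.ini parameters empty:". The sentence "The default value of default_charset is now UTF-8 when it is not explicitly set in php.ini" also lacks a full stop, and the precedence line would be clearer with a note on which side wins, since "<" is ambiguous without one.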