From bc475ada134af6bf9530ffbcda494ed6f37a3c98 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sat, 9 Aug 2025 20:59:30 +0200 Subject: [PATCH 1/6] Fix non-canonical casts They may be deprecated, but they should still produce the correct type... --- Zend/tests/type_casts/non_canonical_binary_cast.phpt | 2 +- Zend/tests/type_casts/non_canonical_boolean_cast.phpt | 2 +- Zend/tests/type_casts/non_canonical_double_cast.phpt | 2 +- Zend/zend_language_scanner.l | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Zend/tests/type_casts/non_canonical_binary_cast.phpt b/Zend/tests/type_casts/non_canonical_binary_cast.phpt index 2a24ef5f721c4..fc7aa59ac9084 100644 --- a/Zend/tests/type_casts/non_canonical_binary_cast.phpt +++ b/Zend/tests/type_casts/non_canonical_binary_cast.phpt @@ -8,4 +8,4 @@ var_dump((binary) 42); ?> --EXPECTF-- Deprecated: Non-canonical cast (binary) is deprecated, use the (string) cast instead in %s on line %d -int(42) +string(2) "42" diff --git a/Zend/tests/type_casts/non_canonical_boolean_cast.phpt b/Zend/tests/type_casts/non_canonical_boolean_cast.phpt index 4d549a93ea064..e0db0eec475fd 100644 --- a/Zend/tests/type_casts/non_canonical_boolean_cast.phpt +++ b/Zend/tests/type_casts/non_canonical_boolean_cast.phpt @@ -8,4 +8,4 @@ var_dump((boolean) 42); ?> --EXPECTF-- Deprecated: Non-canonical cast (boolean) is deprecated, use the (bool) cast instead in %s on line %d -int(42) +bool(true) diff --git a/Zend/tests/type_casts/non_canonical_double_cast.phpt b/Zend/tests/type_casts/non_canonical_double_cast.phpt index 043517cd1be98..91769a206a475 100644 --- a/Zend/tests/type_casts/non_canonical_double_cast.phpt +++ b/Zend/tests/type_casts/non_canonical_double_cast.phpt @@ -8,4 +8,4 @@ var_dump((double) 42); ?> --EXPECTF-- Deprecated: Non-canonical cast (double) is deprecated, use the (float) cast instead in %s on line %d -int(42) +float(42) 
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l index 7bbfd2b34e771..d298ae8b9eac4 100644 --- a/Zend/zend_language_scanner.l +++ b/Zend/zend_language_scanner.l @@ -1648,7 +1648,7 @@ OPTIONAL_WHITESPACE_OR_COMMENTS ({WHITESPACE}|{MULTI_LINE_COMMENT}|{SINGLE_LINE_ if (PARSER_MODE()) { zend_error(E_DEPRECATED, "Non-canonical cast (double) is deprecated, use the (float) cast instead"); } - RETURN_TOKEN(T_INT_CAST); + RETURN_TOKEN(T_DOUBLE_CAST); } "("{TABS_AND_SPACES}"real"{TABS_AND_SPACES}")" { @@ -1667,7 +1667,7 @@ OPTIONAL_WHITESPACE_OR_COMMENTS ({WHITESPACE}|{MULTI_LINE_COMMENT}|{SINGLE_LINE_ if (PARSER_MODE()) { zend_error(E_DEPRECATED, "Non-canonical cast (binary) is deprecated, use the (string) cast instead"); } - RETURN_TOKEN(T_INT_CAST); + RETURN_TOKEN(T_STRING_CAST); } "("{TABS_AND_SPACES}"array"{TABS_AND_SPACES}")" { @@ -1686,7 +1686,7 @@ OPTIONAL_WHITESPACE_OR_COMMENTS ({WHITESPACE}|{MULTI_LINE_COMMENT}|{SINGLE_LINE_ if (PARSER_MODE()) { zend_error(E_DEPRECATED, "Non-canonical cast (boolean) is deprecated, use the (bool) cast instead"); } - RETURN_TOKEN(T_INT_CAST); + RETURN_TOKEN(T_BOOL_CAST); } "("{TABS_AND_SPACES}("unset"){TABS_AND_SPACES}")" { From c8d7318daf38f9c0e093a37241e0abf51348afc4 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 9 Aug 2025 20:07:23 +0200 Subject: [PATCH 2/6] Fix GH-19369: openssl_sign() - support for alias digest algs broken Closes GH-19436 --- NEWS | 4 ++++ ext/openssl/openssl_backend_v3.c | 6 ++++++ ext/openssl/tests/gh19369.phpt | 24 ++++++++++++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 ext/openssl/tests/gh19369.phpt diff --git a/NEWS b/NEWS index de97768a35fd0..69914a762eb53 100644 --- a/NEWS +++ b/NEWS 
@@ -20,6 +20,10 @@ PHP NEWS - MySQLi: . The mysqli_execute() alias function has been deprecated. (timwolla) +- OpenSSL: + . Fixed bug GH-19369 (8.5 | Regression in openssl_sign() - support for alias + algorithms appears to be broken). (Jakub Zelenka) + - PDO: . The "uri:" DSN scheme has been deprecated due to security concerns with DSNs coming from remote URIs. (timwolla) diff --git a/ext/openssl/openssl_backend_v3.c b/ext/openssl/openssl_backend_v3.c index 1b00581e7df59..84af6dcde10dd 100644 --- a/ext/openssl/openssl_backend_v3.c +++ b/ext/openssl/openssl_backend_v3.c @@ -713,6 +713,12 @@ zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pu const EVP_MD *php_openssl_get_evp_md_by_name(const char *name) { + const EVP_MD *dp = (const EVP_MD *) OBJ_NAME_get(name, OBJ_NAME_TYPE_MD_METH); + + if (dp != NULL) { + return dp; + } + return EVP_MD_fetch(PHP_OPENSSL_LIBCTX, name, PHP_OPENSSL_PROPQ); } diff --git a/ext/openssl/tests/gh19369.phpt b/ext/openssl/tests/gh19369.phpt new file mode 100644 index 0000000000000..cef15fb0994f4 --- /dev/null +++ b/ext/openssl/tests/gh19369.phpt @@ -0,0 +1,24 @@ +--TEST-- +GH-19369: openssl_sign with alias algorithms +--EXTENSIONS-- +openssl +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(true) From 066a977840f9993d375c18bcd043cf0c2920bb09 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 9 Aug 2025 23:02:46 +0200 Subject: [PATCH 3/6] Clean up test for GH-19369 - openssl_sign issue --- ext/openssl/tests/gh19369.phpt | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ext/openssl/tests/gh19369.phpt b/ext/openssl/tests/gh19369.phpt index cef15fb0994f4..3568bbbfeaff1 100644 --- a/ext/openssl/tests/gh19369.phpt +++ b/ext/openssl/tests/gh19369.phpt 
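Review bot: In `php_openssl_get_evp_md_by_name()` (ext/openssl/openssl_backend_v3.c) the new `OBJ_NAME_get()` lookup runs before `EVP_MD_fetch()`, so any name the legacy table knows, canonical names as well as aliases, is returned without consulting `PHP_OPENSSL_LIBCTX` or `PHP_OPENSSL_PROPQ`. Those macros are defined outside the hunk; if they can carry a non-default library context or a property query (a FIPS-only restriction, for example), the digest may then be resolved outside that policy. One way to keep both the alias support and the policy is to use the table only to canonicalise the name, `if (dp != NULL) { name = EVP_MD_get0_name(dp); }`, and let the existing `EVP_MD_fetch(PHP_OPENSSL_LIBCTX, name, PHP_OPENSSL_PROPQ)` run for every name. The function also now returns either a non-refcounted table entry or a fetched object, which deserves a comment for whoever releases the result. The same pattern is added to `php_openssl_get_evp_cipher_by_name()` in patch 4/6.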
@@ -10,10 +10,6 @@ if (!in_array('sha256WithRSAEncryption', openssl_get_md_methods(true))) { ?> --FILE-- Date: Sat, 9 Aug 2025 20:49:49 +0200 Subject: [PATCH 4/6] Fix OpenSSL fetching of alias ciphers This does not seem like an issue as the aliases seem to be already fetched most of the time. But there might be cases when it could be failing like it was failing for MD in GH-19369. It should be noted that the test does not fail without this change but it seems useful anyway so it is added as part of this change. I actually have not found the case where alias is not fetched for cipher but there might be some. Closes GH-19437 --- ext/openssl/openssl_backend_v3.c | 6 ++++++ ext/openssl/tests/openssl_encrypt_cbc.phpt | 12 ++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 ext/openssl/tests/openssl_encrypt_cbc.phpt diff --git a/ext/openssl/openssl_backend_v3.c b/ext/openssl/openssl_backend_v3.c index 84af6dcde10dd..952257c2edcf9 100644 --- a/ext/openssl/openssl_backend_v3.c +++ b/ext/openssl/openssl_backend_v3.c @@ -775,6 +775,12 @@ static const char *php_openssl_cipher_names[] = { const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *name) { + const EVP_CIPHER *cp = (const EVP_CIPHER *) OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH); + + if (cp != NULL) { + return cp; + } + return EVP_CIPHER_fetch(PHP_OPENSSL_LIBCTX, name, PHP_OPENSSL_PROPQ); } diff --git a/ext/openssl/tests/openssl_encrypt_cbc.phpt b/ext/openssl/tests/openssl_encrypt_cbc.phpt new file mode 100644 index 0000000000000..5ac526afaa09c --- /dev/null +++ b/ext/openssl/tests/openssl_encrypt_cbc.phpt @@ -0,0 +1,12 @@ +--TEST-- +openssl_encrypt() CBC and its alias +--EXTENSIONS-- +openssl +--FILE-- + +--EXPECTF-- +string(48) "7a654459353452676f6c6b6a446b75455a6c4c6b4f513d3d" +string(48) "7a654459353452676f6c6b6a446b75455a6c4c6b4f513d3d" From 284e622506f47fab4aa96d458cf3a517acf8e099 Mon Sep 17 00:00:00 2001 
From: Gina Peter Banyard Date: Sat, 9 Aug 2025 22:55:53 +0100 Subject: [PATCH 5/6] ext/openssl: Deprecate $key_length parameter of openssl_pkey_derive() (#19421) RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_key_length_parameter_of_openssl_pkey_derive --- ext/openssl/openssl.c | 8 ++++ ext/openssl/tests/gh19428.phpt | 3 +- ...ey_derive_deprecated_key_length_param.phpt | 45 +++++++++++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 ext/openssl/tests/openssl_pkey_derive_deprecated_key_length_param.phpt diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 2f9e160b57e58..ff4abea39d50b 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -2356,6 +2356,14 @@ PHP_FUNCTION(openssl_pkey_derive) RETURN_THROWS(); } + if (ZEND_NUM_ARGS() == 3) { + php_error_docref(NULL, E_DEPRECATED, + "the $key_length parameter is deprecated as it is either ignored or truncates the key"); + if (UNEXPECTED(EG(exception))) { + RETURN_THROWS(); + } + } + if (key_len < 0) { zend_argument_value_error(3, "must be greater than or equal to 0"); RETURN_THROWS(); diff --git a/ext/openssl/tests/gh19428.phpt b/ext/openssl/tests/gh19428.phpt index 5d290f32e62a5..373b49b525319 100644 --- a/ext/openssl/tests/gh19428.phpt +++ b/ext/openssl/tests/gh19428.phpt @@ -40,5 +40,6 @@ dtlkbGbtoDOnxeNnN93gwQZngGYZYciu var_dump(openssl_pkey_derive($pub, $priv, 10)); ?> ---EXPECT-- +--EXPECTF-- +Deprecated: openssl_pkey_derive(): the $key_length parameter is deprecated as it is either ignored or truncates the key in %s on line %d bool(false) diff --git a/ext/openssl/tests/openssl_pkey_derive_deprecated_key_length_param.phpt b/ext/openssl/tests/openssl_pkey_derive_deprecated_key_length_param.phpt new file mode 100644 index 0000000000000..b6a4c91675359 --- /dev/null +++ b/ext/openssl/tests/openssl_pkey_derive_deprecated_key_length_param.phpt 
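Review bot: The `ZEND_NUM_ARGS() == 3` check added to `openssl_pkey_derive()` (ext/openssl/openssl.c) has no comment saying why the argument count is tested rather than the value of `key_len`. A short comment such as `/* Deprecated whenever $key_length is passed at all, even with a value that would be ignored */` would keep a later cleanup from replacing it with a value check. The warning does not change behaviour: `key_len` is still validated by the `key_len < 0` check that follows and is presumably used further down, so a caller that suppresses deprecations would still get the truncated key the message warns about. The function body starts and ends outside the hunk.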
@@ -0,0 +1,45 @@ +--TEST-- +openssl_pkey_derive() DH +--EXTENSIONS-- +openssl +--FILE-- + +--EXPECTF-- +Deprecated: openssl_pkey_derive(): the $key_length parameter is deprecated as it is either ignored or truncates the key in %s on line %d +string(512) "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" From e990b691c5c52801d7f4fec9a0545638077ece0b Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Sat, 9 Aug 2025 23:12:05 +0100 Subject: [PATCH 6/6] Update NEWS and UPGRADING for recent deprecation merges --- NEWS | 7 +++++++ UPGRADING | 19 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/NEWS b/NEWS index 69914a762eb53..66c635f9e14fd 100644 --- a/NEWS +++ b/NEWS @@ -10,12 +10,15 @@ PHP NEWS - FileInfo . The finfo_close() function has been deprecated. (timwolla) + . The $context parameter of the finfo_buffer() function has been deprecated + as it is ignored. (Girgias) - Intl: . Intl's internal error mechanism has been modernized so that it indicates more accurately which call site caused what error. Moreover, some ext/date exceptions have been wrapped inside a IntlException now. (Girgias) + . The intl.error_level INI setting has been deprecated. (Girgias) - MySQLi: . The mysqli_execute() alias function has been deprecated. (timwolla) @@ -23,6 +26,8 @@ PHP NEWS - OpenSSL: . Fixed bug GH-19369 (8.5 | Regression in openssl_sign() - support for alias algorithms appears to be broken). (Jakub Zelenka) + . The $key_length parameter for openssl_pkey_derive() has been deprecated. + (Girgias) - PDO: . The "uri:" DSN scheme has been deprecated due to security concerns with @@ -47,6 +52,8 @@ PHP NEWS - Standard: . The socket_set_timeout() alias function has been deprecated. (timwolla) + . Passing null to to readdir(), rewinddir(), and closedir() to use the last + opened directory has been deprecated. (Girgias) 31 Jul 2025, PHP 8.5.0alpha4 diff --git a/UPGRADING b/UPGRADING index bef28840c2a16..3a2a63795eef0 100644 --- a/UPGRADING +++ b/UPGRADING 
@@ -327,17 +327,32 @@ PHP 8.5 UPGRADE NOTES . The finfo_close() function has been deprecated. As finfo objects are freed automatically. RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_finfo_close + . The $context parameter of the finfo_buffer() function has been deprecated + as it is ignored. + RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_the_context_parameter_for_finfo_buffer - Hash: . The MHASH_* constants have been deprecated. These have been overlooked when the mhash*() function family has been deprecated per https://wiki.php.net/rfc/deprecations_php_8_1#mhash_function_family +- Intl: + . The intl.error_level INI setting has been deprecated. + Errors should either be checked manually or exceptions should be enabled + by using the intl.use_exceptions INI setting. + RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_intlerror_level_ini_setting + - MySQLi: . The mysqli_execute() alias function has been deprecated. Use mysqli_stmt_execute() instead. RFC: https://wiki.php.net/rfc/deprecations_php_8_5#formally_deprecate_mysqli_execute +- OpenSSL: + . The $key_length parameter for openssl_pkey_derive() has been deprecated. + This is because it is either ignored, or truncates the key, which can be + a vulnerability. + RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_key_length_parameter_of_openssl_pkey_derive + - PDO: . The "uri:" DSN scheme has been deprecated due to security concerns with DSNs coming from remote URIs. 
@@ -365,6 +380,10 @@ PHP 8.5 UPGRADE NOTES . The socket_set_timeout() alias function has been deprecated. Use stream_set_timeout() instead. RFC: https://wiki.php.net/rfc/deprecations_php_8_5#formally_deprecate_socket_set_timeout + . Passing null to to readdir(), rewinddir(), and closedir() to use the last + opened directory has been deprecated. Provide the last opened directory + explicitly instead. + RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_passing_null_to_readdir_rewinddir_and_closedir ======================================== 5. Changed Functions