Release: PHP 7.0.15, 7.1.1, 5.6.30

PHP (PHP: Hypertext Preprocessor) Logo

PHP has released security updates for versions 7, 7.1, and 5.6. Since these are security releases it is HIGHLY recommended you update to them. I also heavily recommend you update to them as there are some odd bugs fixed in earlier versions for rare cases that could cause hangs or segfaults (crashes) in some cases where minor coding errors are made.

Highlights for Version 5.6.30

  • An issue was fixed where a TIFF or JPEG with malicious or invalid metadata tag can cause PHP to terminate prematurely on Intel CPUs (not necessarily a security issue but could break some code)
  • Use-after-free memory access for images passed as an input argument to a GD image output function
  • Fixed a DOS vulnerability in gdImageCreateFromGd2Ctx()
  • Fixed integer overflow in gd_io.c
  • Fixed an issue where a hostile or corrupt compressed PHAR file could leak memory, corrupt memory, or crash PHP
  • Fixed issue where, under certain cases, a hostile serialized string could be used to access freed memory (use-after-free)
  • Fixed an issue where a hostile serialized string can read out-of-bounds memory

While some of these issues require specific cases, there also appears to be some easily utilized security issues where proper input sanitization is not met as well as some possible image upload security issues.

http://php.net/ChangeLog-5.php#5.6.30

Highlights for Version 7.0.15

  • Fixed a few of the same serialized string issues fixed in version 5.6.30
  • Fixed issue where for each value parameter passed back as reference where no reference exists causes a crash
  • Fixed issue where unpacked arrays do not properly advance using next()
  • Fixed null pointer dereference under certain conditions when unpacking serialized object
  • Fixed an issue where, with maliciously crafted code, a read-after-free can occur with the properties storage table when unserializing objects which could allow an attacker to execute arbitrary code
  • Fixed the same GD and EXIF metadata issues that were fixed in version 5.6.30
  • Fixed memory leak in preg_*() regular expression functions
  • Fixed same PHAR issues that were fixed in version 5.6.30
  • Fixed reflection class stored as object property not being properly freed/destroyed when the class is destroyed (memory leak)
  • Fixed crash where object with __sleep() method is serialized
  • Fixed issue where get_browser() runs slow/longer under certain conditions or loading browsercap.ini uses a lot of memory at startup
  • Fixed issue where get_defined_functions() returned functions that were disabled via settings/php.ini

Essentially, __wakeup and serialized strings and objects have become a target for hostile intent. This is a fairly large security issue since many libraries and CMSes use serialized data and many pieces of code utilize the wakeup method – even if hostile intent needs to be done under certain conditions which many not occur very often.

http://php.net/ChangeLog-7.php#7.0.15

Highlights for Version 7.1.1

  • Majority of the same issues fixed in 7.0.15 were also fixed in this version

Since 7.1 shares a very similar codebase to 7.0.x, there were not any additional bugs that stood out to me other than those that were fixed as part of version 7.0.15 that were also fixed in this version.

http://php.net/ChangeLog-7.php#7.1.1

PHPMailer Vulnerability

PHP (PHP: Hypertext Preprocessor) Logo

A new Remote Code Execution (RCE) vulnerability has been reported on Christmas but details were only recently released. PHPMailer has already issued a patch (though they are not 100% confident in it), and WordPress (which uses PHPMailer) is considering issuing a security patch for current versions as well.

The vulnerability allows the FROM address, when passed as a variable into into PHPMailer with escaped shell arguments, will be passed to the mail function and allows an attacker to put executable code into the root.’

Note that as of now there are no known working exploits for this. Also note that this exploit may not work on all systems due to different mail functions being used having different arguments available.

Also, as long as the email address passed to the FROM variable is more strictly validated (not allowing the escaped quotes and whitespace in email addresses), it is not an issue. Some feel that the strictness of not following the RFC exactly will prevent valid emails but many point out that it would only block VERY FEW valid emails and argue that the RFC should not allow such characters – most well-known email systems do not allow such characters anyway.

The code that I write always validates the email using the filter_var function (which is strict and prevents the issue from occuring). I checked Gravity Forms and they also use the filer_var function. I don’t know about JetPack. It is also likely that, if they have not already, CloudFlare and WP Engine will add an input filter for this.

If you are using a custom build of PHPMailer in any extensions/add-ons or external code is is HIGHLY RECOMMENDED that you upgrade to PHPMailer version 5.2.18 or newer which has escaping added to the FROM address.

WordPress 4.7 “Vaughan” Released

The WordPress logo. A "W" cut out of a dark gray circle with an outline of the same color. "WordPress" is written below the logo. "Word" is a dulled blue and "Press" is the same gray color as the logo.

WordPress (WP) has released version 4.7 of their blogging and content management software. It has been codenamed in honor of the legendary jazz vocalist Sarah “Sassy” Vaughan. Here are some of the new features:

Twenty Seventeen

As always, new version, new theme…

WordPress 4.7's default theme: Twenty Seventeen. Twenty Seventeen focuses on business sites and features a customizable front page with multiple sections. Personalize it with widgets, navigation, social menus, a logo, custom colors, and more. Our default theme for 2017 works great in many languages, on any device, and for a wide range of users.
WordPress 4.7’s default theme: Twenty Seventeen

Theme Starter Content

When you setup a new theme with no content, the theme can provide some starter content to show off it’s capabilities.

Edit Shortcuts

New icons appear in the Customizer to show what content can be changed in real-time within the live preview.

Video Headers

Video headers can be added to themes with a video selector that shows up in the Customizer.

Blank Pages During Menu Creation

If you don’t have content for your site yet but know how you want your menu structured, the menu editor now allows creating blank pages on the fly while setting up the menu.

Custom CSS

Custom CSS can be added through the Customizer (note that such file-editing features are often disabled on most hosts as they often are the source of exploits and malware).

PDF Thumbnail Previews

PDFs that are uploaded now generate image previews just like images:

Image showing a PDF file with an image preview in the media library.

Dashboard in your language

The admin can now have it’s own per-user language set.

REST API Content Endpoints

Endpoints for posts, comments, terms, users, meta, and settings are provided by default in this version as they continue to build in the API components.

Post Type Templates for All

Post type templates are now available for all custom post types.

Custom Bulk Actions

One of the most-often requested features is now available in this version. In the past, adding custom bulk actions required a lot of hacking and going around the existing code. Now there are built-in functions to assist with adding custom actions that can be applied to many posts at once.

WP_Hook

The code that runs the actions and hooks has been rewritten, fixed a number of bugs, and added a few new capabilities.

Settings Registration API

The register_setting() function has been updated to include type, description, and REST API visibility.

Customizer Changesets

A new post status (customize_changeset) that is created when something is changed in the Customizer prior to being published. [More Information]

 

PHP 7.1 Released

PHP (PHP: Hypertext Preprocessor) Logo

PHP version 7.1 was released with a few new features and corrections. Nothing massive (like the major performance increase of version 7) was added so don’t expect hosts to make any major steps to support it.

Nullable Types

Function & method return types can have a question mark (?) placed in front of it to identify that the return value can be either what was identified or a null value. If something other than those values are returned an error is issued.

Void Return Type

Identifying a void return value will only allow nothing to be returned from the function or method. Any other type returned will issue an error.

Iterable Pseudo-Type

A new function or method argument type (or return type) identifier of “iterable” requires an array or object that implements the Traversable interface. If a variable that is not of those types is passed to the function or method an error is issued.

Class Constant Visibility

Class constants can not have a public, private, or protected identifier just like properties.

Square Bracket Syntax for list()

Short-form array syntax can now be used intead of the list() function.

Catch Multiple Exception Type

Similar to if/elseif/else syntax can be used in try/catch blocks to catch more than one type of exception.

Asynchronous Signal Handling

While this cannot be used directly within PHP, certain behind-the-scenes code is being replaced to use asynchronous signals instead of ticks. This will likely a first step to asynchronous process handling in later versions of PHP.

Closure From Callable Function

Callables will be converted to closures automatically when necessary.

HTTP/2 Server Push Support in cURL

A few other smaller features and a number of fixes were also included.

PHP 7: Release Candidate 2

PHP (PHP: Hypertext Preprocessor) Logo

The next version of the popular open-source scripting language is set to be released in early November 2015 – just a few months from time of writing! The second release candidate has been set free with a few bug and security fixes.

The upcoming version includes new features such as full and consistent 64-bit support across platforms (which also adds support for larger file sizes), removal of a number of old/dead SAPI extensions (including deprecation of mysql in favor of mysqlnd/mysqli or PDO), added support for null coalescing (also known as the isset ternary) and combined comparison operators, return and scalar type declarations, and anonymous classes.

However, the biggest change was speed. PHP 7 benchmarks are shown to be up to twice as fast as the current 5.6 version and nearly as fast as HHVM. My own benchmarks of RC 1 have shown an average 95% increase in performance on a 64-bit Windows 7 machine running benchmark scripts. The biggest performance gain was seen in string manipulation which is what many scripts rely on. However, perception is the real key and there it does not disappoint as either. Local installs of WordPress, upon first run, have gone from ~4 seconds to ~2 seconds. Subsequent runs are nearly instantaneous (1 second or less). Running them in production on Linux servers will definitely be even faster.

Backward In-Compatibility

While the majority of scripts wrote to support the PHP 5.x branch will work perfectly fine on PHP 7, there are some fixes that remain. Most notably, a number of scripts still use the old PHP 4-style constructors. They are being phased out and issue a deprecation warning. Instead of using a method with the same name as the class, you should instead create a method called “__construct” (two underscores followed by “construct”) to create constructor methods. The old mysql (mysql_* functions) are in the same boat. The old mysql extension is deprecated and will be removed in upcoming PHP versions. Scripts need to be updated to use mysqlnd (MySQL Native Driver) through the use of mysqli (mysqli_* functions) or PDO.

The other major change some scripts may run into trouble with, only if Object-Oriented Programming (OOP) is used, is how class variables are returned. According to the upgrade document:

* Indirect variable, property and method references are now interpreted with left-to-right semantics. Some examples:

To restore the previous behavior add explicit curly braces:

Errorpocolypse

The last major difference which may confuse developers is with error display and handling. The entire error handling system has been ported to use exceptions and will now only show an error in a few cases. Most errors, including most fatal errors, will now issue exceptions which do not display like errors do in version 5. You may run into an empty or blank white display or have a partially-rendered page. This is normal for PHP 7. What is happening is that a fatal error was encountered but instead of showing the typical error message and backtrace it simply halts with most scripts as they are currently written. Instead of an error an exception is thrown. A number of developers are not used to using exceptions and will become confused.

In a future post (to be linked here) I will go more in-depth into the changes made to the error system in PHP 7 as well as how to handle them (now using exceptions) and get more information from them while developing scripts.