iBlog - Ilia Alshanetsky

I've packaged what looks the be the final RC for the 5.2.1 release, RC4. This release fixes another dozen or so bugs since the last release and from the given feedback looks to be regression free. That said I'd like to ask everyone to take a few minutes and try this RC with their code to make sure it really is as good as it seems and to ensure no new issues are introduced.

If you come across any issue please let me know via http://bugs.php.net, this blog, or internals mailing list.

The tarballs for this release can be found here:

http://downloads.php.net/ilia/php-5.2.1RC4.tar.bz2 (md5sum: f50578276f653b1f523150e3ff987f03)
http://downloads.php.net/ilia/php-5.2.1RC4.tar.gz (md5sum: 361197eb2b21b36e2e20cb132da2cf16)

Sometimes the things you'll find on a bookshelves of your local book store can be quite unusual and downright weird. Consider the following super-hero themed series of books on Windows products by O'Reilly.

The 3rd release candidate for PHP 5.2.1 is now available for download. The tarballs can be found here:

http://downloads.php.net/ilia/php-5.2.1RC3.tar.bz2 (d3889eda8c3471ce7cf2adb35a4de736)
http://downloads.php.net/ilia/php-5.2.1RC3.tar.gz (c5b3e5540d1951d4c4b976b8a39c09ab)

and the Win32 binaries will be available in short order.

Since the last release, there are over 20 different bug fixes resolving some annoying engine issues such as the tempval leak inside foreach(). We do not anticipate any regressions to be introduced by this RC, but I would still like to ask everyone to take a few minutes and test it against their code base. If you come across any issues please report them at http://bugs.php.net/.

Depending on the stability of this release it may either be followed by a final release or another RC, therefor your feedback is critical to determining whether or not the code is stable enough to warrant the 5.2.1 final.

Thanks to Steph's hard work the last few months of weeklies are now available for reading. If you don't have the time or keep an eye on what's going on in the PHP community, especially on the developer mailing lists, weeklies are a quick shortcut to getting yourself up to date.

After a few month break since the last release, a new version of FUDforum is once again in the works. This is primarily a feature enhancement release with a slew of new functionality designed to improve the forum. Aside from the new feature a fair number of bug fixes is also available, so something for everyone

As you can tell from the version, this is release candidate, so its not quite perfect yet, but I am hoping that within a month the release process can be wrapped up and stable be released.

The install script can be found here and the upgrade script here.

The release announcement detailing all of the major changes can be found here.

As you may already know or soon will find out MySQL had released a new version of their community server, 5.0.33. First all congratulations to developers, any release is a lot of work and finally pushing it out the public is definitely an achievement.

There are however some interesting and in my eyes less then positive developments pertaining to this release. As you can see from Kaj's announcement as well as the state of the MySQL's download page pre-compiled binaries are no longer offered. The only files available for MySQL 5.0.33 are sources for *NIX and Windows platforms.

While this is not an issue for *NIX users where lack of binaries will be resolved by distros and if not, the compiler is always available and compiling MySQL is big issue, it does pose a major problem for Windows users who generally do not have access to a C/C++ compiler. This means that all the people who develop on Win32 and then deploy on *NIX machines will need to stick to older versions of the database for the dev environments or rely on someone other then MySQL to provide binaries (which may result is less then stable, trustworthy packages going around). This also may affect adoption rates since many companies insist (and rightly so) on using same version of DB on production and development.

Interestingly enough the "For maximum stability and performance, we recommend that you use the binaries we provide." statement on the download page still remains. I guess the suggestion is that if we (the users) want stability we need to go for the Enterprise edition.

Every web developer knows how to make a GET redirect, in fact they've probably done it numerous times. However very few people know the same can be done for POST requests, in some instances completely transparently to the user. This by itself make not seem like an issue, but when you combine it with XSS it can be a very powerful to used to scam users.

Consider the following scenario. A user goes to a trusted site where XSS had modified the action field of the login POST form, pointing it to http://p0wn3d.com/post.php. When user submits a request it goes to a 3rd party site, which captures the login credentials and then redirects the POST data to the original site. In the end to the user has no clue something sinister had happened because they never see p0wn3d.com. In fact the everything appears to have worked as intended.

So how does this work. Ability to redirect POST comes as a courtesy of the little known 307 redirect code. Which in PHP can be forced in the following manner:



Now, according to the RFC

"If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued."

Alas, unlike the Opera and FireFox developers, the IE developers have never read the spec, and even the latest, most secure IE7 will redirect the POST request from domain A to domain B without any warnings or confirmation dialogs! Safari also acts in an interesting manner, while it does not raise a confirmation dialog and performs the redirect, it throws away the POST data, effectively changing 307 redirect into the more common 302.

The 2nd release candidate for PHP 5.2.1 is now available for download. The tarballs can be found here:

http://downloads.php.net/ilia/php-5.2.1RC2.tar.bz2 (cc6024531e3d4058e32cf740e2fe535f)
http://downloads.php.net/ilia/php-5.2.1RC2.tar.gz (3f89c31687762a39f1360b380dd315b4)

Since the last release over 30 different bug fixes were made and the two pending patches relating to is_numeric_string() optimization and internal heap protection for the Zend Engine allocator were added. Another important change was the fact that the memory limit is now always enabled and to accommodate this change the default limit value was raised to 128 megabytes to avoid script breakage. We do not anticipate any regressions to be introduced by this RC, but I would still like to ask everyone to take a few minutes and test it against their code base. If you come across any issues report them via http://bugs.php.net/ or reply to this blog post.