Hello!
The PHP development team announces the immediate availability of PHP 5.6.6.
This release fixes several bugs and addresses CVE-2015-0235 and
CVE-2015-0273.
All PHP 5.6 users are encouraged to upgrade to this version.
For source downloads of PHP 5.6.6 please visit our
downloads page: http://www.php.net/downloads.php
Windows binaries can be found on http://windows.php.net/download/
The list of changes is recorded in the ChangeLog:
http://www.php.net/ChangeLog-5.php#5.6.6
Ferenc Kovacs & Julien Pauli
Hi Ferenc,

Ferenc Kovacs tyrael@php.net writes:
> Hello!
> The PHP development team announces the immediate availability of PHP 5.6.6.
> This release fixes several bugs and addresses CVE-2015-0235 and
> CVE-2015-0273.
> All PHP 5.6 users are encouraged to upgrade to this version.
> For source downloads of PHP 5.6.6 please visit our
> downloads page: http://www.php.net/downloads.php
> Windows binaries can be found on http://windows.php.net/download/
> The list of changes is recorded in the ChangeLog:
> http://www.php.net/ChangeLog-5.php#5.6.6

Taken from the changelog:
> Removed support for multi-line headers, as they are deprecated by RFC

Isn't this a BC break?

> Ferenc Kovacs & Julien Pauli

Cheers,
Florian Margaine
On Fri, Feb 20, 2015 at 8:54 AM, Florian Margaine florian@margaine.com
wrote:
> Hi Ferenc,
>
> Ferenc Kovacs tyrael@php.net writes:
>> Hello!
>> The PHP development team announces the immediate availability of PHP
>> 5.6.6.
>> This release fixes several bugs and addresses CVE-2015-0235 and
>> CVE-2015-0273.
>> All PHP 5.6 users are encouraged to upgrade to this version.
>> For source downloads of PHP 5.6.6 please visit our
>> downloads page: http://www.php.net/downloads.php
>> Windows binaries can be found on http://windows.php.net/download/
>> The list of changes is recorded in the ChangeLog:
>> http://www.php.net/ChangeLog-5.php#5.6.6
>
> Taken from the changelog:
> Removed support for multi-line headers, as they are deprecated by RFC
> Isn't this a BC break?
>
>> Ferenc Kovacs & Julien Pauli
>
> Cheers,
> Florian Margaine

cc'ing Stas as he was the author for this change.
but from my understanding this isn't a problem as we disallow setting
multiple headers in a single header() call for years (even though we had a
regression at one point).
the current change was made to address
https://bugs.php.net/bug.php?id=68978&edit=1 which was an IE specific
problem which was allowed by header().
maybe we should re-word the NEWS entry to make this a bit more clear.
Hi,

On 20 Feb 2015 14:34, "Ferenc Kovacs" tyrael@php.net wrote:
> On Fri, Feb 20, 2015 at 8:54 AM, Florian Margaine florian@margaine.com
> wrote:
>> Hi Ferenc,
>>
>> Ferenc Kovacs tyrael@php.net writes:
>>> Hello!
>>> The PHP development team announces the immediate availability of PHP
>>> 5.6.6.
>>> This release fixes several bugs and addresses CVE-2015-0235 and
>>> CVE-2015-0273.
>>> All PHP 5.6 users are encouraged to upgrade to this version.
>>> For source downloads of PHP 5.6.6 please visit our
>>> downloads page: http://www.php.net/downloads.php
>>> Windows binaries can be found on http://windows.php.net/download/
>>> The list of changes is recorded in the ChangeLog:
>>> http://www.php.net/ChangeLog-5.php#5.6.6
>>
>> Taken from the changelog:
>> Removed support for multi-line headers, as they are deprecated by RFC
>> Isn't this a BC break?
>>
>>> Ferenc Kovacs & Julien Pauli
>>
>> Cheers,
>> Florian Margaine
>
> cc'ing Stas as he was the author for this change.
> but from my understanding this isn't a problem as we disallow setting
> multiple headers in a single header() call for years (even though we had a
> regression at one point).
> the current change was made to address
> https://bugs.php.net/bug.php?id=68978&edit=1 which was an IE specific
> problem which was allowed by header().
> maybe we should re-word the NEWS entry to make this a bit more clear.

Fair enough then. The changelog makes it look like a BC break without any
reason.

Cheers,
Florian Margaine
Hi!

> cc'ing Stas as he was the author for this change.
> but from my understanding this isn't a problem as we disallow setting
> multiple headers in a single header() call for years (even though we had
> a regression at one point).

Well, we allowed multiline headers but it is an extremely exotic feature
which is now dropped from the HTTP/1.1 standard, and also it causes
security issues with IE users since IE never supported that feature
properly. So given that I've decided to remove it even though strictly
speaking it is a BC break (same goes for the HTTP standard).

Stas Malyshev
smalyshev@gmail.com
On Fri, Feb 20, 2015 at 3:45 PM, Stanislav Malyshev smalyshev@gmail.com
wrote:
> Hi!
>
>> cc'ing Stas as he was the author for this change.
>> but from my understanding this isn't a problem as we disallow setting
>> multiple headers in a single header() call for years (even though we had
>> a regression at one point).
>
> Well, we allowed multiline headers but it is an extremely exotic feature
> which is now dropped from the HTTP/1.1 standard, and also it causes
> security issues with IE users since IE never supported that feature
> properly. So given that I've decided to remove it even though strictly
> speaking it is a BC break (same goes for the HTTP standard).

duh, should have checked the commit first.
so since php 5.1.2 we were disallowing multiple headers to be set in the
same header() call (as in header("Foo: bar\r\nBaz: foo");) but we still
kept the ability to have multiline headers (as in header("Foo: bar\r\n baz");)
which still caused some problems for some browsers, so we had a discussion
about removing multiline header support altogether:
http://comments.gmane.org/gmane.comp.php.devel/88039
so Florian is correct that this is a BC break (albeit in a less
known/discouraged feature which was causing security problems over the
years).
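
Added example, not part of the thread and not PHP's own implementation: an application-side check that separates the two forms discussed above (a second header line versus a folded, multi-line header) and refuses both before calling header(). The constants and the functions classify_header_line() and safe_header() are hypothetical names.

```php
<?php
// Added illustration; the constants and both functions are hypothetical names.
const HDR_OK = 'ok';             // no line break at all
const HDR_FOLDED = 'folded';     // break followed by space/tab: multi-line header
const HDR_MULTIPLE = 'multiple'; // break followed by anything else: extra header line

// Classify one string destined for header() by what follows each CR/LF.
function classify_header_line(string $line): string
{
    if (!preg_match_all('/\r\n|\r|\n/', $line, $m, PREG_OFFSET_CAPTURE)) {
        return HDR_OK;
    }
    foreach ($m[0] as [$brk, $pos]) {
        $next = substr($line, $pos + strlen($brk), 1);
        if ($next !== ' ' && $next !== "\t") {
            return HDR_MULTIPLE; // also covers a break at the very end
        }
    }
    return HDR_FOLDED;
}

// Emit a header only when the name is a valid token and the value
// contains no line break or NUL byte, regardless of the PHP version in use.
function safe_header(string $name, string $value): void
{
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/D', $name)) {
        throw new InvalidArgumentException('invalid header name');
    }
    if (strpos($value, "\0") !== false || classify_header_line($value) !== HDR_OK) {
        throw new InvalidArgumentException('header value contains a line break or NUL');
    }
    header($name . ': ' . $value);
}

// The two forms quoted in the thread, plus a constructed clean value.
$samples = ["Foo: bar\r\nBaz: foo", "Foo: bar\r\n baz", "Foo: bar"];
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), classify_header_line($s));
}
```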