The PHP development team is proud to announce the release of PHP 5.1.3. This release combines small number of feature enhancements with a significant amount of bug fixes and resolves a number of security issues. All PHP users are encouraged to upgrade to this release as soon as possible.
The security issues resolved include the following:
- Disallow certain characters in session names.
- Fixed a buffer overflow inside the wordwrap() function.
- Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
- Enforce safe_mode for the source parameter of the copy() function.
- Fixed cross-site scripting inside the phpinfo() function.
- Fixed offset/length parameter validation inside the substr_compare() function.
- Fixed a heap corruption inside the session extension.
- Fixed a bug that would allow variable to survive unset().
The feature enhancements include the following notables:
- The use of the var keyword to declare properties no longer raises a deprecation E_STRICT.
- FastCGI interface was completely reimplemented.
- Multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions.
- Support for many additional date formats added to the strtotime() function.
- A number of performance improvements added to the engine and the core extensions.
- Added imap_savebody() that allows message body to be written to a file.
- Added lchown() and lchgrp() to change user/group ownership of symlinks.
- Upgraded bundled PCRE library to version 6.6
The release also includes over 120 bug fixes with a focus on:
- Make auto_globals_jit work without too many INI changes.
- Fixed tiger hash algorithm generating wrong results on big endian platforms.
- Fixed a number of errors in the SOAP extension.
- Fixed recursion handling in the serialize() functionality.
- Make is_*() function account of open_basedir restrictions.
- Fixed a number of crashes in the DOM and PDO extensions.
- Addressed a number of regressions in the strtotime() function.
- Make memory_limit work in Win32 systems.
- Fixed a deadlock in the sqlite extension caused by the sqlite_fetch_column_types() function.
- Fixed memory leaks in the realpath() cache.
For a full list of changes in PHP 5.1.3, see the
ChangeLog