"in-place", as long as you have the necessary prerequisites available.
Required software:
-* Web server with PHP 5.5.9 or higher.
+* Web server with PHP 7.0.0 or HHVM 3.18.5 or higher.
* A SQL server, the following types are supported
** MySQL 5.5.8 or higher
** PostgreSQL 9.2 or higher
* …
== Compatibility ==
-MediaWiki 1.32 requires PHP 5.5.9 or later. Although HHVM 3.18.5 or later is
-supported, it is generally advised to use PHP 5.5.9 or later for long term
+MediaWiki 1.32 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
+supported, it is generally advised to use PHP 7.0.0 or later for long term
support.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
"pear/mail": "1.4.1",
"pear/mail_mime": "1.10.2",
"pear/mail_mime-decode": "1.5.5.2",
- "php": ">=5.5.9",
+ "php": ">=5.6.99",
"psr/log": "1.0.2",
"wikimedia/assert": "0.2.2",
"wikimedia/at-ease": "1.2.0",
use Wikimedia\ScopedCallback;
use Wikimedia\Rdbms\DBReplicationWaitError;
-// Hide compatibility functions from Doxygen
-/// @cond
-/**
- * Compatibility functions
- *
- * We support PHP 5.5.9 and up.
- * Re-implementations of newer functions or functions in non-standard
- * PHP extensions may be included here.
- */
-
-// hash_equals function only exists in PHP >= 5.6.0
-// https://secure.php.net/hash_equals
-if ( !function_exists( 'hash_equals' ) ) {
- /**
- * Check whether a user-provided string is equal to a fixed-length secret string
- * without revealing bytes of the secret string through timing differences.
- *
- * The usual way to compare strings (PHP's === operator or the underlying memcmp()
- * function in C) is to compare corresponding bytes and stop at the first difference,
- * which would take longer for a partial match than for a complete mismatch. This
- * is not secure when one of the strings (e.g. an HMAC or token) must remain secret
- * and the other may come from an attacker. Statistical analysis of timing measurements
- * over many requests may allow the attacker to guess the string's bytes one at a time
- * (and check his guesses) even if the timing differences are extremely small.
- *
- * When making such a security-sensitive comparison, it is essential that the sequence
- * in which instructions are executed and memory locations are accessed not depend on
- * the secret string's value. HOWEVER, for simplicity, we do not attempt to minimize
- * the inevitable leakage of the string's length. That is generally known anyway as
- * a chararacteristic of the hash function used to compute the secret value.
- *
- * Longer explanation: http://www.emerose.com/timing-attacks-explained
- *
- * @codeCoverageIgnore
- * @param string $known_string Fixed-length secret string to compare against
- * @param string $user_string User-provided string
- * @return bool True if the strings are the same, false otherwise
- */
- function hash_equals( $known_string, $user_string ) {
- // Strict type checking as in PHP's native implementation
- if ( !is_string( $known_string ) ) {
- trigger_error( 'hash_equals(): Expected known_string to be a string, ' .
- gettype( $known_string ) . ' given', E_USER_WARNING );
-
- return false;
- }
-
- if ( !is_string( $user_string ) ) {
- trigger_error( 'hash_equals(): Expected user_string to be a string, ' .
- gettype( $user_string ) . ' given', E_USER_WARNING );
-
- return false;
- }
-
- $known_string_len = strlen( $known_string );
- if ( $known_string_len !== strlen( $user_string ) ) {
- return false;
- }
-
- $result = 0;
- for ( $i = 0; $i < $known_string_len; $i++ ) {
- $result |= ord( $known_string[$i] ) ^ ord( $user_string[$i] );
- }
-
- return ( $result === 0 );
- }
-}
-/// @endcond
-
/**
* Load an extension
*
'version' => PHP_VERSION,
'vendor' => 'the PHP Group',
'upstreamSupported' => '5.6.0',
- 'minSupported' => '5.5.9',
+ 'minSupported' => '7.0.0',
'upgradeURL' => 'https://secure.php.net/downloads.php',
);
}
. "MediaWiki $this->mwVersion needs {$phpInfo['implementation']}"
. " $minimumVersion or higher or {$otherInfo['implementation']} version "
. "{$otherInfo['minSupported']}.\n\nCheck if you have a"
- . " newer php executable with a different name, such as php5.\n\n";
+ . " newer php executable with a different name.\n\n";
// phpcs:disable Generic.Files.LineLength
$longHtml = <<<HTML
// Don't interpret POST parameters starting with '@' as file uploads, because this
// makes it impossible to POST plain values starting with '@' (and causes security
// issues potentially exposing the contents of local files).
- // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
- // but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
- if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
- $this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
- } elseif ( is_array( $postData ) ) {
- // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
- // is an array, but not if it's a string. So convert $req['body'] to a string
- // for safety.
- $postData = wfArrayToCgi( $postData );
- }
+ $this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
$this->curlOptions[CURLOPT_POSTFIELDS] = $postData;
// Suppress 'Expect: 100-continue' header, as some servers
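Review bot: Setting `$this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;` unconditionally drops the `defined( 'CURLOPT_SAFE_UPLOAD' )` guard, although the removed comment says the constant does not exist in HHVM and this same commit still lists HHVM 3.18.5 as supported. If that comment still holds, this path hits an undefined constant on HHVM, and the fallback that converted an array body to a string (so a value starting with '@' is never treated as a file upload) is gone. Either confirm that the constant is defined on the supported HHVM releases, or keep `if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {` together with the `wfArrayToCgi( $postData )` fallback until HHVM support ends. The same applies to the later hunk that reduces the block to `curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );`, where the fallback was `http_build_query( $req['body'] )`. The enclosing methods start and end outside both hunks.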
$certLocations = [];
if ( $this->caInfo ) {
$certLocations = [ 'manual' => $this->caInfo ];
- } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
- // Default locations, based on
- // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
- // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves.
- // PHP 5.6+ gets the CA location from OpenSSL as long as it is not set manually,
- // so we should leave capath/cafile empty there.
- $certLocations = array_filter( [
- getenv( 'SSL_CERT_DIR' ),
- getenv( 'SSL_CERT_PATH' ),
- '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al
- '/etc/ssl/certs', # Debian et al
- '/etc/pki/tls/certs/ca-bundle.trust.crt',
- '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
- '/System/Library/OpenSSL', # OSX
- ] );
}
foreach ( $certLocations as $key => $cert ) {
$scriptTypes = [
'php' => [
"<?php echo 'ex' . 'ec';",
- "#!/var/env php5\n<?php echo 'ex' . 'ec';",
+ "#!/var/env php\n<?php echo 'ex' . 'ec';",
],
];
// Match these three variants separately to avoid broken urls when
// e.g. a double quoted url contains a parenthesis, or when a
// single quoted url contains a double quote, etc.
+ // FIXME: Simplify now we only support PHP 7.0.0+
// Note: PCRE doesn't support multiple capture groups with the same name by default.
// - PCRE 6.7 introduced the "J" modifier (PCRE_INFO_JCHANGED for PCRE_DUPNAMES).
// https://secure.php.net/manual/en/reference.pcre.pattern.modifiers.php
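Review bot: The added `// FIXME: Simplify now we only support PHP 7.0.0+` does not say what should be simplified or why the new minimum makes it possible, so the next reader cannot act on it. Judging by the context lines that follow, it presumably means merging the three separately matched url variants into one pattern with duplicate named groups (the "J" modifier). If so, the comment should say that, for example `// FIXME: PHP 7.0.0+ lets us rely on the "J" modifier; merge the three patterns into one.` The surrounding function lies outside the hunk.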
// Don't interpret POST parameters starting with '@' as file uploads, because this
// makes it impossible to POST plain values starting with '@' (and causes security
// issues potentially exposing the contents of local files).
- // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
- // but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
- if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
- curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
- } elseif ( is_array( $req['body'] ) ) {
- // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
- // is an array, but not if it's a string. So convert $req['body'] to a string
- // for safety.
- $req['body'] = http_build_query( $req['body'] );
- }
+ curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] );
} else {
if ( is_resource( $req['body'] ) || $req['body'] !== '' ) {
}
private function getRecentChangeFieldsFromRow( stdClass $row ) {
- // This can be simplified to single array_filter call filtering by key value,
- // once we stop supporting PHP 5.5
+ // FIXME: This can be simplified to single array_filter call filtering by key value,
+ // now we have stopped supporting PHP 5.5
$allFields = get_object_vars( $row );
$rcKeys = array_filter(
array_keys( $allFields ),
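Review bot: The reworded comment in `getRecentChangeFieldsFromRow` records that the blocker is gone but leaves the two-step filter in place. With the minimum now at PHP 7.0.0, `ARRAY_FILTER_USE_KEY` is available, so the simplification could be made in this commit instead of being left as a FIXME. Something like `array_filter( $allFields, $callback, ARRAY_FILTER_USE_KEY )` would replace the `array_keys()` pass, where `$callback` is the key test in the part of the method that continues outside this hunk. If it stays a FIXME, `now that PHP 5.5 is no longer supported` reads more clearly than `now we have stopped supporting PHP 5.5`.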
* @covers IPTC::parse
*/
public function testIPTCParseForcedUTFButInvalid() {
- if ( version_compare( PHP_VERSION, '5.5.26', '<' )
- || ( version_compare( PHP_VERSION, '5.6.0', '>' )
- && version_compare( PHP_VERSION, '5.6.10', '<' )
- )
- ) {
- $this->markTestSkipped( 'Test fails on pre-PHP 5.5.25. See T124574/T39665 for details.' );
- }
$iptcData = "Photoshop 3.0\08BIM\4\4\0\0\0\0\0\x11\x1c\x02\x19\x00\x04\xC3\xC3\xC3\xB8"
. "\x1c\x01\x5A\x00\x03\x1B\x25\x47";
$res = IPTC::parse( $iptcData );