PHP 4.1.0 出版公告(中英对照版)1

80酷酷网    80kuku.com

  PHP 4.1.0 Release Announcement

PHP 4.1.0 出版公告(1)

After a lengthy QA process, PHP 4.1.0 is finally out.
Download at http://www.php.net/downloads.php !

PHP 4.1.0 includes several other key improvements:
- A new input interface for improved security (read below)

一个新的输入界面来提高安全性

- Highly improved performance in general

极大提高了性能

- Revolutionary performance and stability improvements under
Windows. The multithreaded server modules under Windows (ISAPI,
Apache, etc.) perform as much as 30 times faster under load! We
want to thank Brett Brewer and his team in Microsoft for working
with us to improve PHP for Windows.

Windows 下革命性的性能和稳定性。多线程服务器模块提供了快30倍的性能。

- Versioning support for extensions. Right now it's barely being
used, but the infrastructure was put in place to support separate
version numbers for different extensions. The negative side effect
is that loading extensions that were built against old versions of
PHP will now result in a crash, instead of in a nice clear message.
Make sure you only use extensions built with PHP 4.1.0.

扩展翻译支持,现在他还很少用到,但是放置了基础构造来支持某些不同版本号的扩展模块。负面影响是他和老版本的扩展模块冲突。你需要确定使用了 php4.1.0的扩展模块。

- Turn-key output compression support

支持 Turn-key 输出压缩

- *LOTS* of fixes and new functions

修正了很多地方,增加了许多函数。

As some of you may notice, this version is quite historical, as it's
the first time in history we actually incremented the middle digit! :)
The two key reasons for this unprecedented change were the new input
interface, and the broken binary compatibility of modules due to the
versioning support.

{没看懂!!呵呵!以后看懂了再翻译}

Following is a description of the new input mechanism. For a full
list of changes in PHP 4.1.0, scroll down to the end of this section.

下面是新的输入机制的描述。完整的更改列表请看后面

-----------------------------------

SECURITY: NEW INPUT MECHANISM

安全:新的输入机制

First and foremost, it's important to stress that regardless of
anything you may read in the following lines, PHP 4.1.0 *supports*
the old input mechanisms from older versions. Old applications
should go on working fine without modification!

首先,也是最重要的,必须强调对下面内容足够重视是非常重要的。php 4.1.0 支持旧的输入机制。老的应用程序仍然可以运行,不用修改。

Now that we have that behind us, let's move on :)

下面是内容

For various reasons, PHP setups which rely on register_globals
being on (i.e., on form, server and environment variables becoming
a part of the global namespace, automatically) are very often
exploitable to various degrees. For example, the piece of code:

由于各种原因,PHP需要设置 register_globlas ON(例如在标单,服务器,环境变量自动成为全局命名空间的一部分),他们经常被不同程度的干扰。下面是一段代码:

<?php
if (authenticate_user()) {
$authenticated = true;
}
...
?>

May be exploitable, as remote users can simply pass on 'authenticated'
as a form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this misfeature.

可以通过表单里面传送 authenticated 变量来欺骗,即使 authenticate_user()返回false,$authenticated 仍然被设置为true.这只是一个非常简单的例子,实际上,相当多的程序被类似的错误特性欺骗

While it is quite possible to write secure code in PHP, we felt that the
fact that PHP makes it too easy to write insecure code was bad, and we've
decided to attempt a far-reaching change, and deprecate register_globals.
Obviously, because the vast majority of the PHP code in the world relies
on the existence of this feature, we have no plans to actually remove it
from PHP anytime in the foreseeable future, but we've decided to encourage
people to shut it off whenever possible.

当然,完全可以书写安全的PHP代码,我们觉得事实上,PHP使得书写不安全代码变得非常容易是非常糟糕的事情。我们决定尝试一个 far-reaching 改变。反对 register_globals.很显然,由于多数代码依赖于这个特征,我们没有办法在将来的某个时刻真正删除它。但是我们决定鼓励人们关闭它

To help users build PHP applications with register_globals being off,
we've added several new special variables that can be used instead of the
old global variables. There are 7 new special arrays:

为了在关闭 register_globals 情况下帮助用户创建 PHP 应用程序,我们增加了一些新的特殊变量来代替老的全局变量使用。他们是7个新的特殊数组:

$_GET - contains form variables sent through GET

包含着通过GET发来的变量

$_POST - contains form variables sent through POST

包含着通过POST发送来的变量

$_COOKIE - contains HTTP cookie variables

包含着HTTP cookie 的变量

$_SERVER - contains server variables (e.g., REMOTE_ADDR)

包含着服务器变量(如 REMOTE_ADDR)

$_ENV - contains the environment variables

包含着环境变量

$_REQUEST - a merge of the GET variables, POST variables and Cookie variables.
In other words - all the information that is coming from the user,
and that from a security point of view, cannot be trusted.

是 GET/POST/Cookie 变量的集合,也就是说,所有的来自用户和安全表单的信息。但是从安全角度来看,不能够信任它们。

$_SESSION - contains HTTP variables registered by the session module

包含着所有session模块注册的HTTP变量

Now, other than the fact that these variables contain this special information,
they're also special in another way - they're automatically global in any
scope. This means that you can access them anywhere, without having to
'global' them first. For example:

现在,事实上这些变量包含着特殊的信息,他们在任何环境下同样是自动的全局变量。也就是说你可以在任何地方存取他们,不需要全局化他们。例如:

function example1()
{
print $_GET["name"]; // works, 'global $_GET;' is not necessary!

//不需要声明 $_GET 是全局变量
}

would work fine! We hope that this fact would ease the pain in migrating
old code to new code a bit, and we're confident it's going to make writing
new code easier. Another neat trick is that creating new entries in the
$_SESSION array will automatically register them as session variables, as
if you called session_register(). This trick is limited to the session
module only - for example, setting new entries in $_ENV will *not* perform
an implicit putenv().

运行的很好。我们希望这个情况可以使得旧代码移植能够容易一些,我们确信它能使书写新代码更容易。另外一个窍门是创建新的 $_SESSION 数组入口会自动注册他们为session b变量,就好像调用 session_register()一样。这个窍门仅适用于 session 模块。例如,设置新的 $_ENV 入口不会隐含执行 putenv()。

PHP 4.1.0 still defaults to have register_globals set to on. It's a
transitional version, and we encourage application authors, especially
public ones which are used by a wide audience, to change their applications
to work in an environment where register_globals is set to off. Of course,
they should take advantage of the new features supplied in PHP 4.1.0 that
make this transition much easier.

PHP 4.1.0 默认还是设置 register_globals 为On,她是过渡版本,我们程序做着,特别是被广泛接受的,改变他们的应用程序,使得在 register_globals 为 off 情况下也能工作。当然,他们需要使用 PHP 4.1.0 的新特征来使得转换更容易些。

As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a brand new
machine (typically, if you're a brand new user), will this affect you, and
then too - you can turn it on if you choose to.

在下一个不完全版本力,将会魔人设置 register_globals 为off.不用担心,已经安装好的,php.ini 里面已经设置 register_globals 为on 的,不会受到影响。只有在你安装php为一个新机器时(一般是一个新用户)才会影响你,你可以选择打开它。

Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names
still work, but we encourage users to switch to the new shorter, and
auto-global versions.

注意:这些数组中的几个有老的名字,例如 $HTTP_GET_VARS. 这些名字依然工作。我们建议使用新的更短的自动全局化的变量。

Thanks go to Shaun Clowes (shaunsecurereality.com.au) for pointing out this
problem and for analyzing it.

-------------------------------------

FULL LIST OF CHANGES

完整的改变列表

10 Dec 2001, Version 4.1.0
- Worked around a bug in the MySQL client library that could cause PHP to hang
when using unbuffered queries. (Zeev)

处理了在MySQL客户端库里使用未缓冲的查询引起PHP挂起的问题。

- Fixed a bug which caused set_time_limit() to affect all subsequent requests to running Apache child process. (Zeev)

修正了使得set_time_limit()影响所有的子请求来运行Apache子进程的问题

- Removed the sablotron extension in favor of the new XSLT extension. (Sterling)

去掉了 sablotron 模块,使用新的 XSLT 扩展模块

- Fixed a bug in WDDX deserialization that would sometimes corrupt the root element if it was a scalar one. (Andrei)

修正了 WDDX 反序列化时如果是标量可能破坏根元素的问题

- Make ImageColorAt() and ImageColorsForIndex() work with TrueColor images. (Rasmus)

使得 ImageColorAt 和 ImageColorsForIndex()可以工作于 TryeColor 图像

- Fixed a bug in preg_match_all() that would return results under improper indices in certain cases. (Andrei)

修正了preg_match_all()在某些情况下返回不恰当索引的结果

- Fixed a crash in str_replace() that would happen if search parameter was an array and one of the replacements resulted in subject string being empty. (Andrei)

修正了一个str_replace()的隐患,在搜索参数是一个数组,条件字符串替换结果中的一个是空的时候发生。

- Fixed MySQL extension to work with MySQL 4.0. (Jani)

修正了 MySQL 扩展模块,可以工作于 MySQL 4.0

- Fixed a crash bug within Cobalt systems. Patch by tomctripac.com. (Jani)

修正了一个 Cobalt 系统力的漏洞

- Bundled Dan Libby's xmlrpc-epi extension.

捆绑了 Dan Libby 的 xmlrpc-epi 扩展模块

- Introduced extension version numbers. (Stig)

引入了许多扩展模块

- Added version_compare() function. (Stig)

增加了 version_compare() 函数

- Fixed pg_last_notice() (could cause random crashes in PostgreSQL applications, even if they didn't use pg_last_notice()). (Zeev)

修正了 pg_last_notice()(可能在 PostgreSQL 应用程序引起随机的崩溃,即使没有使用这个函数

- Fixed DOM-XML's error reporting, so E_WARNING errors are given instead of E_ERROR error's, this allows you to trap errors thrown by DOMXML functions. (Sterling)

修正了 DOM-XML 的错误报告, 使用 E_WARNING 错误代替 E_ERROR 的错误。这让你可以使用 DOMXML 函数捕捉异常

- Fixed a bug in the mcrypt extension, where list destructors were not properly being allocated.(Sterling)

修正了 mcrypt 扩展的错误,列表析构没有正确的定位

- Better Interbase blob, null and error handling. (Patch by Jeremy Bettis)

更好的 Intercase 的 blob,null 和 错误处理

- Fixed a crash bug in array_map() if the input arrays had string or non-sequential keys. Also modified it so that if a single array is passed, its keys are preserved in the resulting array. (Andrei)

修正了 array_map() 在输入数组有字符串或者不连续关键字的崩溃错误。同时修改了在传递单个数组时,结果数组将保留她的关键字。

- Fixed a crash in dbase_replace_record. (Patch by robin.marlowdps-int.com)

修正了 dbase_replace_record 的缺陷

- Fixed a crash in msql_result(). (Zeev)

修正了 msql_result() 的一个缺陷



分享到
  • 微信分享
  • 新浪微博
  • QQ好友
  • QQ空间
点击: