PHP 5.1.3. Release Announcement

The PHP development team is proud to announce the release of PHP 5.1.3. This release combines small number of feature enhancements with a significant amount of bug fixes and resolves a number of security issues. All PHP users are encouraged to upgrade to this release as soon as possible.

The security issues resolved include the following:

• Disallow certain characters in session names.
• Fixed a buffer overflow inside the wordwrap() function.
• Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
• Enforce safe_mode for the source parameter of the copy() function.
• Fixed cross-site scripting inside the phpinfo() function.
• Fixed offset/length parameter validation inside the substr_compare() function.
• Fixed a heap corruption inside the session extension.
• Fixed a bug that would allow variable to survive unset().

The feature enhancements include the following notables:

• The use of the var keyword to declare properties no longer raises a deprecation E_STRICT.
• FastCGI interface was completely reimplemented.
• Multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions.
• Support for many additional date formats added to the strtotime() function.
• A number of performance improvements added to the engine and the core extensions.
• Added imap_savebody() that allows message body to be written to a file.
• Added lchown() and lchgrp() to change user/group ownership of symlinks.
• Upgraded bundled PCRE library to version 6.6

The release also includes over 120 bug fixes with a focus on:

• Make auto_globals_jit work without too many INI changes.
• Fixed tiger hash algorithm generating wrong results on big endian platforms.
• Fixed a number of errors in the SOAP extension.
• Fixed recursion handling in the serialize() functionality.
• Make is_*() function account of open_basedir restrictions.
• Fixed a number of crashes in the DOM and PDO extensions.
• Addressed a number of regressions in the strtotime() function.
• Make memory_limit work in Win32 systems.
• Fixed a deadlock in the sqlite extension caused by the sqlite_fetch_column_types() function.
• Fixed memory leaks in the realpath() cache.

For a full list of changes in PHP 5.1.3, see the ChangeLog.