OpenSwoole 4.12.0 released with PHP 8.2 support and new features


OpenSwoole 4.12.0 has been released, including compatibility improvements for PHP 8.2 and new features.

Official OpenSwoole version 4.12.0

Compatible with the upcoming PHP 8.2

There are major changes to support the upcoming official PHP 8.2 release. OpenSwoole v4.12.0 has been tested with the recently released PHP 8.2 RC3 (29 September 2022).

PHP 8.2 will be released on November 24, 2022.

New server config: enable_server_token

Starting from OpenSwoole v4.12.0, the OpenSwoole server hides the server token (the Server response header that identifies OpenSwoole) by default, as a security improvement that stops the server from advertising its software to clients. You can enable it explicitly with:

<?php
// Assumes $server is an OpenSwoole HTTP server instance; the option must be set before start().
$server = new OpenSwoole\HTTP\Server('127.0.0.1', 9501);
$server->set(['enable_server_token' => true]);
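The following is an added example, not code from the OpenSwoole release notes. It starts an HTTP server with the server token explicitly disabled (the new default) and, when run a second time with --check, requests the same endpoint and reports whether a Server header came back. It assumes the OpenSwoole extension is loaded and that port 9501 on 127.0.0.1 is free; the findServerHeader helper and the --check flag are this example's own, not part of the OpenSwoole API.

```php
<?php
// Added example; not from the OpenSwoole release notes. Assumes the OpenSwoole
// extension is loaded and 127.0.0.1:9501 is free.
declare(strict_types=1);

use OpenSwoole\HTTP\Server;
use OpenSwoole\Http\Request;
use OpenSwoole\Http\Response;

// Return the value of a Server header from a response header list, or null when
// none is present. Header names are matched case-insensitively because clients
// and proxies do not agree on capitalisation.
function findServerHeader(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'server') === 0) {
            return is_array($value) ? implode(', ', $value) : (string) $value;
        }
    }
    return null;
}

// Client mode: fetch the headers of the running server and report the banner.
// Exit code 0 means the token is hidden, 1 means it is still being sent.
if (($argv[1] ?? '') === '--check') {
    $headers = @get_headers('http://127.0.0.1:9501/', true);
    if ($headers === false) {
        fwrite(STDERR, "server not reachable on 127.0.0.1:9501\n");
        exit(2);
    }
    $banner = findServerHeader($headers);
    if ($banner === null) {
        echo "no Server header in response (server token hidden)\n";
        exit(0);
    }
    echo "Server header present: {$banner}\n";
    exit(1);
}

// Server mode. From v4.12.0 the default is already false; setting it explicitly
// documents the intent and keeps it stable across future upgrades. Flip it to
// true only when the banner is genuinely needed, e.g. for local debugging.
$server = new Server('127.0.0.1', 9501);
$server->set([
    'enable_server_token' => false,
]);

$server->on('Start', function (Server $server): void {
    echo "listening on http://127.0.0.1:9501 (run with --check from another shell)\n";
});

$server->on('Request', function (Request $request, Response $response): void {
    // The Server header, when enabled, is added by the OpenSwoole core, not by
    // this handler; the handler only sets its own headers and body.
    $response->header('Content-Type', 'text/plain');
    $response->end("ok\n");
});

$server->start();
```

Run the script once to start the server, then run it again with --check from another shell. Changing the option to true and restarting should make the second invocation exit with status 1 and print the banner, which is a quick way to confirm in a deployment that the header is really suppressed at the edge the clients see, not only in the application code.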

Changelog

. New server option: enable_server_token, disabled by default
. Compatible with PHP 8.2 latest changes (PHP-8.2-RC3)
. Fix: ignore user set encoding if it is not supported
. Fix: Remove illegal http header
. Fix: convert double seconds to long microseconds in hooked usleep, by @shandyDev

Changes at OpenSwoole Docker images

. Upgrade PHP to latest versions: PHP7.4.32, PHP8.0.24, PHP8.1.11
. Drop support for PHP7.2, PHP7.3

Upgrade to the latest PHP versions

It is recommended to upgrade to the latest PHP versions: PHP7.4.32, PHP8.0.24, PHP8.1.11.

  • In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility of triggering use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits.

  • In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.

  • In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

  • In PHP versions 8.1.x below 8.1.8, when using fileinfo functions such as finfo_buffer, due to an incorrect patch applied to the third-party code from libmagic, an incorrect function may be used to free allocated memory, which may lead to heap corruption.

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, a vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quine" gzip files (archives that decompress to themselves), resulting in an infinite loop.

Thanks to the OpenSwoole community contributors

  • @shandyDev: Fix: convert double seconds to long microseconds in hooked usleep

You can upgrade to OpenSwoole v4.12.0 now:

pecl install openswoole

Or use Docker images:

docker pull openswoole/swoole:latest

If you need to install Open Swoole or look at other update methods, check out the installation documentation and how to update Open Swoole.