Commit 7bc112a

Update NEWS & UPGRADING
1 parent 6559fe9 commit 7bc112a

2 files changed, +15 -3 lines changed

NEWS

Lines changed: 7 additions & 0 deletions
@@ -2,6 +2,13 @@ PHP NEWS
22
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
33
?? ??? ????, PHP 7.2.34
44

5+
- Core:
6+
. Fixed bug ##79699 (PHP parses encoded cookie names so malicious `__Host-`
7+
cookies can be sent). (CVE-2020-7070) (Stas)
8+
9+
- OpenSSL:
10+
. Fixed bug ##79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
11+
bytes IV). (CVE-2020-7069) (Jakub Zelenka)
512

613
06 Aug 2020, PHP 7.2.33
714
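Review bot: The Core entry for bug 79699 states the symptom (encoded cookie names being parsed) but not the behaviour change that fixes it. Because the UPGRADING part of this commit says incoming cookie names are no longer url-decoded from 7.2.34, the NEWS entry should say the same or point to that SAPI note, so someone reading only NEWS for a security release sees the compatibility impact next to CVE-2020-7070. Separately, if the doubled "#" in "##79699" and "##79601" is in the file rather than a rendering artifact, drop one.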

UPGRADING

Lines changed: 8 additions & 3 deletions
@@ -52,11 +52,16 @@ PHP 7.2 UPGRADE NOTES
5252
. The hash_hmac(), hash_hmac_file(), hash_pbkdf2() and hash_init() (with
5353
HASH_HMAC) functions no longer accept non-cryptographic hashes.
5454

55-
- JSON
55+
- JSON:
5656
. The json_decode() option JSON_OBJECT_AS_ARRAY is used if the second
5757
parameter (assoc) is null. Previously JSON_OBJECT_AS_ARRAY was always
5858
ignored.
5959

60+
- SAPI:
61+
. Starting with 7.2.34, incoming cookie names are not url-decoded. This was never
62+
required by the standard, outgoing cookie names aren't encoded and this leads
63+
to security issues (CVE-2020-7070).
64+
6065
- Session:
6166
. Removed register_globals related code and "!" can be used as $_SESSION key name.
6267
. Session is made to manage session status correctly and prevents invalid operations.
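Review bot: The new SAPI note's second sentence is ambiguous: in "This was never required by the standard, outgoing cookie names aren't encoded and this leads to security issues", the second "this" can be read as the new behaviour causing the security issues rather than the old decoding. Suggest naming the subject, for example "Decoding was never required by the standard, outgoing cookie names aren't encoded, and decoding incoming names led to security issues (CVE-2020-7070)." Since this is a behaviour change shipped in a point release, it would also help to add one line on what a script sees now, namely the cookie name exactly as sent, so applications that relied on encoded names know what to check.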
@@ -69,7 +74,7 @@ PHP 7.2 UPGRADE NOTES
6974
session_unset(), session_write_close()/session_commit(), session_abort(),
7075
session_reset()
7176
. Functions prohibit invalid operations with regard to session status and
72-
HTTP header status, returns correct bool return value.
77+
HTTP header status, return correct bool return value.
7378
session_start(), session_set_cookie_params(), session_name(), session_module_name(),
7479
session_set_save_handler(), session_regenerate_id(), session_cache_limiter(),
7580
session_cache_expire(), session_unset(), session_destroy(),
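Review bot: The corrected line "HTTP header status, return correct bool return value." fixes the verb agreement but still reads as a comma splice with "return" repeated. Suggest "Functions prohibit invalid operations with regard to session status and HTTP header status, and return the correct bool value." so the sentence parses on first read.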
@@ -88,7 +93,7 @@ PHP 7.2 UPGRADE NOTES
8893
session_start()
8994
. When headers are already sent and try to set new INI values, session_name(),
9095
session_module_name(), session_save_path(), session_cache_limiter() and
91-
session_cache_expire() are no longer works. Older PHPs accepts new values even
96+
session_cache_expire() no longer work. Older PHPs accept new values even
9297
if new values will not be effective.
9398
This new corrected behavior may affect command line mode CLI scripts that manage
9499
sessions. Use output buffer just like web applications to resolve problems on
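Review bot: The grammar fix on the "session_cache_expire() no longer work" line leaves the rest of the same sentence ungrammatical: the context line above still reads "When headers are already sent and try to set new INI values", which has no subject for "try", and "Older PHPs" would be clearer as "Older PHP versions". Since the sentence is already being touched, consider rewording it in one pass, for example "When headers have already been sent, attempts to set new INI values through session_name(), ... no longer work."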
