What’s new in PHP 8.1.11?

Tom Smykowski
3 min read · Oct 3, 2022

PHP is actively developed, and the latest minor version of the 8.x line introduces some very nice bug fixes.

Denial of service with a file

The fix for the phar wrapper especially caught my attention. PHAR is a tool for bundling PHP files into apps.

It turns out that the PHP wrapper for PHAR can, in a specific situation, go into an infinite loop. The bug was important to fix because it affects all file functions, such as file_exists.

To exploit the behavior, a user has to upload a file to the PHP server. The file has to have a specific construction, and that’s what is interesting about it.

Self-containing gzip archive

You may not have known this, but gzip archives can be manipulated into becoming quines. Instead of containing only compressed data, a gzip file can act as a self-containing application. It can include operations and deeper-level archives.
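The PHP example below is added here and is not code from the original post or from PHP's phar implementation. It shows the general defence for application code that unpacks uploaded gzip data itself: cap both the number of nested layers and the inflated size, so a self-containing archive cannot keep the loop running. The function names and the limits `MAX_LAYERS` and `MAX_BYTES` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; not PHP's phar code. Both limits are assumed policy values.
const GZIP_MAGIC = "\x1f\x8b\x08"; // gzip magic bytes plus deflate method
const MAX_LAYERS = 3;              // nested gzip layers we tolerate
const MAX_BYTES  = 1 << 20;        // decompressed bytes allowed per layer (1 MiB)

// Inflate one gzip layer in small chunks and stop once $limit is exceeded.
function inflateBounded(string $data, int $limit): string
{
    $ctx = inflate_init(ZLIB_ENCODING_GZIP);
    $out = '';
    foreach (str_split($data, 1024) as $chunk) {
        $piece = @inflate_add($ctx, $chunk, ZLIB_SYNC_FLUSH);
        if ($piece === false) {
            throw new RuntimeException('corrupt gzip stream');
        }
        $out .= $piece;
        if (strlen($out) > $limit) {
            throw new RuntimeException('decompressed size limit exceeded');
        }
    }
    return $out;
}

// Peel nested layers. A gzip quine inflates to itself, so without the depth
// cap "inflate while it still looks like gzip" would never terminate.
function unwrapGzip(string $data): string
{
    for ($layer = 0; str_starts_with($data, GZIP_MAGIC); $layer++) {
        if ($layer >= MAX_LAYERS) {
            throw new RuntimeException('too many nested gzip layers');
        }
        $data = inflateBounded($data, MAX_BYTES);
    }
    return $data;
}

// Constructed sample input: 2 layers pass, 10 layers are rejected.
foreach ([2, 10] as $depth) {
    $blob = "innermost payload";
    for ($i = 0; $i < $depth; $i++) {
        $blob = gzencode($blob);
    }
    try {
        echo "$depth layers: ", unwrapGzip($blob), "\n";
    } catch (RuntimeException $e) {
        echo "$depth layers: rejected, ", $e->getMessage(), "\n";
    }
}
```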

Years ago the concept of self-containing apps was used heavily in the demoscene world. In the golden times of software engineering this particular feature was used to squeeze as much as possible out of every byte of information, to the point where such animations required only 256 bytes of information:
