Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6: Improved fix for bug #68063 (Empty session IDs do still start sessions).
2025-08-16 05:58:45 +02:00 · 2016-01-15 10:19:01 +09:00 · 2016-01-15 10:19:01 +09:00 · 132d919c85
commit 132d919c85
parent 4ab7d6a5e1 8c37a086c7
3 changed files with 14 additions and 11 deletions
--- a/1
+++ b/1
@ -44,6 +44,7 @@ PHP                                                                        NEWS
    immediately). (Laruence)

 - Session:
+  . Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo)
  . Fixed bug #71038 (session_start() returns TRUE on failure).
    Session save handlers must return 'string' always for successful read.
    i.e. Non-existing session read must return empty string. PHP 7.0 is made
--- a/ext/session/session.c
+++ b/ext/session/session.c
@ -522,7 +522,10 @@ static void php_session_initialize(void) /* {{{ */
 	}

 	/* If there is no ID, use session module to create one */
-	if (!PS(id)) {
+	if (!PS(id) || !ZSTR_VAL(PS(id))[0]) {
+		if (PS(id)) {
+			efree(PS(id));
+		}
 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
 		if (!PS(id)) {
 			php_session_abort();
@ -2282,11 +2285,6 @@ static PHP_FUNCTION(session_start)
 		RETURN_FALSE;
 	}

-	if (PS(id) && !(ZSTR_LEN(PS(id)))) {
-		php_error_docref(NULL, E_WARNING, "Cannot start session with empty session ID");
-		RETURN_FALSE;
-	}
-
 	/* set options */
 	if (options) {
 		ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(options), num_idx, str_idx, value) {
--- a/ext/session/tests/bug68063.phpt
+++ b/ext/session/tests/bug68063.phpt
@ -3,18 +3,22 @@ Bug #68063 (Empty session IDs do still start sessions)
 --SKIPIF--
 <?php include('skipif.inc'); ?>
 --INI--
+session.use_strict_mode=0
+session.hash_function=1
+session.hash_bits_per_character=4
 --FILE--
 <?php
+// Empty session ID may happen by browser bugs
+
 // Could also be set with a cookie like "PHPSESSID=; path=/"
 session_id('');

-// Will still start the session and return true
+// Start the session with empty string should result in new session ID
 var_dump(session_start());

-// Returns an empty string
+// Returns newly created session ID
 var_dump(session_id());
 ?>
 --EXPECTF--
-Warning: session_start(): Cannot start session with empty session ID in %s on line %d
-bool(false)
-string(0) ""
+bool(true)
+string(40) "%s"