From 7cdd1302c380dfaeb62ac926c94a2e2850d25411 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 12 Oct 2024 10:25:18 +0200
Subject: [PATCH] Fix GH-16385: Unexpected null returned by session_set_cookie_params

Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while this function can only return booleans. An exception seems not acceptable in stable versions, but a warning may do. Closes GH-16386.
---
 NEWS | 4 ++++
 ext/session/session.c | 9 +++++----
 ext/session/tests/gh16385.phpt | 13 +++++++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 ext/session/tests/gh16385.phpt
diff --git a/NEWS b/NEWS
index ee8d50896af..8281a0865fc 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,10 @@ PHP NEWS
 - PHPDBG:
 . Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)
+- Session:
+ . Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
+ (nielsdos)
+
 - XMLReader:
 . Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
 (nielsdos)
diff --git a/ext/session/session.c b/ext/session/session.c
index 8b95b31e8fe..0ebdf51251a 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1668,10 +1668,6 @@ PHP_FUNCTION(session_set_cookie_params)
 zend_result result;
 int found = 0;
- if (!PS(use_cookies)) {
- return;
- }
-
 ZEND_PARSE_PARAMETERS_START(1, 5)
 Z_PARAM_ARRAY_HT_OR_LONG(options_ht, lifetime_long)
 Z_PARAM_OPTIONAL
@@ -1681,6 +1677,11 @@ PHP_FUNCTION(session_set_cookie_params)
 Z_PARAM_BOOL_OR_NULL(httponly, httponly_null)
 ZEND_PARSE_PARAMETERS_END();
+ if (!PS(use_cookies)) {
+ php_error_docref(NULL, E_WARNING, "Session cookies cannot be used when session.use_cookies is disabled");
+ RETURN_FALSE;
+ }
+
 if (PS(session_status) == php_session_active) {
 php_error_docref(NULL, E_WARNING, "Session cookie parameters cannot be changed when a session is active");
 RETURN_FALSE;
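Review bot: The new `if (!PS(use_cookies))` guard placed after `ZEND_PARSE_PARAMETERS_END()` has no comment, so the reasons for its position and for `RETURN_FALSE` exist only in the commit message. I would add above it `/* Checked after ZPP so argument errors are still reported; must return a bool, so RETURN_FALSE rather than a bare return. */`. Callers that invoke session_set_cookie_params() unconditionally while session.use_cookies=0 previously got a silent NULL and now get an E_WARNING, which presumably matters where an error handler promotes warnings to exceptions; the NEWS entry could say so. It is also worth noting in the comment that the secure/httponly/samesite arguments have no effect in this configuration, which is what the false return now signals. The function body begins before and continues after this hunk.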
diff --git a/ext/session/tests/gh16385.phpt b/ext/session/tests/gh16385.phpt
new file mode 100644
index 00000000000..4ede457315f
--- /dev/null
+++ b/ext/session/tests/gh16385.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-16385 (Unexpected null returned by session_set_cookie_params)
+--EXTENSIONS--
+session
+--INI--
+session.use_cookies=0
+--FILE--
+
+--EXPECTF--
+Warning: session_set_cookie_params(): Session cookies cannot be used when session.use_cookies is disabled in %s on line %d
+bool(false)
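Review bot: The `--EXPECTF--` section pins only the second issue from the commit message (the warning plus `bool(false)`); nothing in it shows that argument validation now runs before the `session.use_cookies` check. The `--FILE--` body is not visible on this page, so this is inferred from the expected output alone. If the file holds only the one valid call, consider adding a call with no arguments, e.g. `try { session_set_cookie_params(); } catch (ArgumentCountError $e) { echo $e->getMessage(), "\n"; }`, and its message to the expectation, so the ordering fix cannot regress unnoticed.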