Merge branch 'PHP-7.4' into PHP-8.0

* PHP-7.4:
  Fix #80774: session_name() problem with backslash

NEWS

@@ -6,6 +6,9 @@ PHP                                                                        NEWS
   . Fixed bug #80763 (msgfmt_format() does not accept DateTime references).
     (cmb)
 
+- Session:
+  . Fixed bug #80774 (session_name() problem with backslash). (cmb)
+
 18 Feb 2021, PHP 8.0.3
 
 - Core:

ext/session/session.c

@@ -1264,13 +1264,11 @@ static void php_session_remove_cookie(void) {
 	zend_llist_element *next;
 	zend_llist_element *current;
 	char *session_cookie;
-	zend_string *e_session_name;
 	size_t session_cookie_len;
 	size_t len = sizeof("Set-Cookie")-1;
 
-	e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)));
+	ZEND_ASSERT(strpbrk(PS(session_name), "=,; \t\r\n\013\014") == NULL);
-	spprintf(&session_cookie, 0, "Set-Cookie: %s=", ZSTR_VAL(e_session_name));
+	spprintf(&session_cookie, 0, "Set-Cookie: %s=", PS(session_name));
-	zend_string_free(e_session_name);
 
 	session_cookie_len = strlen(session_cookie);
 	current = l->head;
@@ -1302,7 +1300,7 @@ static int php_session_send_cookie(void) /* {{{ */
 {
 	smart_str ncookie = {0};
 	zend_string *date_fmt = NULL;
-	zend_string *e_session_name, *e_id;
+	zend_string *e_id;
 
 	if (SG(headers_sent)) {
 		const char *output_start_filename = php_output_get_start_filename();
@@ -1316,16 +1314,20 @@ static int php_session_send_cookie(void) /* {{{ */
 		return FAILURE;
 	}
 
-	/* URL encode session_name and id because they might be user supplied */
+	/* Prevent broken Set-Cookie header, because the session_name might be user supplied */
-	e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name)));
+	if (strpbrk(PS(session_name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+		php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,; \\t\\r\\n\\013\\014'");
+		return FAILURE;
+	}
+
+	/* URL encode id because it might be user supplied */
 	e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)));
 
 	smart_str_appendl(&ncookie, "Set-Cookie: ", sizeof("Set-Cookie: ")-1);
-	smart_str_appendl(&ncookie, ZSTR_VAL(e_session_name), ZSTR_LEN(e_session_name));
+	smart_str_appendl(&ncookie, PS(session_name), strlen(PS(session_name)));
 	smart_str_appendc(&ncookie, '=');
 	smart_str_appendl(&ncookie, ZSTR_VAL(e_id), ZSTR_LEN(e_id));
 
-	zend_string_release_ex(e_session_name, 0);
 	zend_string_release_ex(e_id, 0);
 
 	if (PS(cookie_lifetime) > 0) {

ext/session/tests/bug80774.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #80774 (session_name() problem with backslash)
+--SKIPIF--
+<?php
+if (!extension_loaded('session')) die("skip session extension not available");
+?>
+--FILE--
+<?php
+session_name("foo\\bar");
+session_id('12345');
+session_start();
+?>
+--EXPECTHEADERS--
+Set-Cookie: foo\bar=12345; path=/
+--EXPECT--

ext/session/tests/session_name_variation1.phpt

@@ -42,6 +42,8 @@ string(9) "PHPSESSID"
 bool(true)
 string(9) "PHPSESSID"
 string(9) "PHPSESSID"
+
+Warning: session_start(): session.name cannot contain any of the following '=,; \t\r\n\013\014' in %s on line %d
 bool(true)
 string(1) "	"
 bool(true)
@@ -49,6 +51,8 @@ string(1) "	"
 
 Warning: session_name(): session.name "" cannot be numeric or empty in %s on line %d
 string(1) "	"
+
+Warning: session_start(): session.name cannot contain any of the following '=,; \t\r\n\013\014' in %s on line %d
 bool(true)
 string(1) "	"
 bool(true)