archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  ext/session: Fix GH-17541 (ext/session NULL pointer dereferencement during ID reset)
This commit is contained in:
Gina Peter Banyard 2025-01-24 14:10:00 +00:00
commit d35904adf2
No known key found for this signature in database
GPG key ID: F30F8C1ACF51943F
5 changed files with 50 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -77,6 +77,8 @@ PHP NEWS
- Session: - Session:
. Fix type confusion with session SID constant. (nielsdos) . Fix type confusion with session SID constant. (nielsdos)
. Fixed bug GH-17541 (ext/session NULL pointer dereferencement during
ID reset). (Girgias)
- SimpleXML: - SimpleXML:
. Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730). (nielsdos) . Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730). (nielsdos)

21
ext/session/session.c
View file

@ -94,6 +94,7 @@ zend_class_entry *php_session_update_timestamp_iface_entry;
} }
#define SESSION_FORBIDDEN_CHARS "=,;.[ \t\r\n\013\014" #define SESSION_FORBIDDEN_CHARS "=,;.[ \t\r\n\013\014"
#define SESSION_FORBIDDEN_CHARS_FOR_ERROR_MSG "=,;.[ \\t\\r\\n\\013\\014"
#define APPLY_TRANS_SID (PS(use_trans_sid) && !PS(use_only_cookies)) #define APPLY_TRANS_SID (PS(use_trans_sid) && !PS(use_only_cookies))
@ -682,7 +683,12 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */
SESSION_CHECK_OUTPUT_STATE; SESSION_CHECK_OUTPUT_STATE;
/* Numeric session.name won't work at all */ /* Numeric session.name won't work at all */
if ((!ZSTR_LEN(new_value) || is_numeric_string(ZSTR_VAL(new_value), ZSTR_LEN(new_value), NULL, NULL, 0))) { if (
ZSTR_LEN(new_value) == 0
|| zend_str_has_nul_byte(new_value)
|| is_numeric_str_function(new_value, NULL, NULL)
|| strpbrk(ZSTR_VAL(new_value), SESSION_FORBIDDEN_CHARS) != NULL
) {
int err_type; int err_type;
if (stage == ZEND_INI_STAGE_RUNTIME || stage == ZEND_INI_STAGE_ACTIVATE || stage == ZEND_INI_STAGE_STARTUP) { if (stage == ZEND_INI_STAGE_RUNTIME || stage == ZEND_INI_STAGE_ACTIVATE || stage == ZEND_INI_STAGE_STARTUP) {
@ -693,7 +699,7 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */
/* Do not output error when restoring ini options. */ /* Do not output error when restoring ini options. */
if (stage != ZEND_INI_STAGE_DEACTIVATE) { if (stage != ZEND_INI_STAGE_DEACTIVATE) {
php_error_docref(NULL, err_type, "session.name \"%s\" cannot be numeric or empty", ZSTR_VAL(new_value)); php_error_docref(NULL, err_type, "session.name \"%s\" must not be numeric, empty, contain null bytes or any of the following characters \"" SESSION_FORBIDDEN_CHARS_FOR_ERROR_MSG "\"", ZSTR_VAL(new_value));
} }
return FAILURE; return FAILURE;
} }
@ -1421,11 +1427,7 @@ static zend_result php_session_send_cookie(void) /* {{{ */
return FAILURE; return FAILURE;
} }
/* Prevent broken Set-Cookie header, because the session_name might be user supplied */ ZEND_ASSERT(strpbrk(PS(session_name), SESSION_FORBIDDEN_CHARS) == NULL);
if (strpbrk(PS(session_name), SESSION_FORBIDDEN_CHARS) != NULL) { /* man isspace for \013 and \014 */
php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,;.[ \\t\\r\\n\\013\\014'");
return FAILURE;
}
/* URL encode id because it might be user supplied */ /* URL encode id because it might be user supplied */
e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id))); e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)));
@ -1545,7 +1547,10 @@ PHPAPI zend_result php_session_reset_id(void) /* {{{ */
} }
if (PS(use_cookies) && PS(send_cookie)) { if (PS(use_cookies) && PS(send_cookie)) {
php_session_send_cookie(); zend_result cookies_sent = php_session_send_cookie();
if (UNEXPECTED(cookies_sent == FAILURE)) {
return FAILURE;
}
PS(send_cookie) = 0; PS(send_cookie) = 0;
} }

2
ext/session/tests/bug66481.phpt
View file

@ -15,6 +15,6 @@ var_dump(session_name("foo"));
var_dump(session_name("bar")); var_dump(session_name("bar"));
?> ?>
--EXPECT-- --EXPECT--
Warning: PHP Startup: session.name "" cannot be numeric or empty in Unknown on line 0 Warning: PHP Startup: session.name "" must not be numeric, empty, contain null bytes or any of the following characters "=,;.[ \t\r\n\013\014" in Unknown on line 0
string(9) "PHPSESSID" string(9) "PHPSESSID"
string(3) "foo" string(3) "foo"

24
ext/session/tests/gh17541.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
GH-17541 (ext/session NULL pointer dereferencement during ID reset)
--EXTENSIONS--
session
--SKIPIF--
<?php include('skipif.inc'); ?>
--FILE--
<?php
function errorHandler($errorNumber, $errorMessage, $fileName, $lineNumber) {
// Destroy session while emitting warning from the bogus session name in session_start
session_destroy();
}
set_error_handler('errorHandler');
ob_start();
var_dump(session_name("\t"));
var_dump(session_start());
?>
--EXPECTF--
Warning: session_destroy(): Trying to destroy uninitialized session in %s on line %d
string(9) "PHPSESSID"
bool(true)

22
ext/session/tests/session_name_variation1.phpt
View file

@ -32,20 +32,18 @@ ob_end_flush();
?> ?>
--EXPECTF-- --EXPECTF--
*** Testing session_name() : variation *** *** Testing session_name() : variation ***
Warning: session_name(): session.name " " must not be numeric, empty, contain null bytes or any of the following characters "=,;.[ \t\r\n\013\014" in %s on line %d
string(9) "PHPSESSID"
bool(true)
string(9) "PHPSESSID"
bool(true)
string(9) "PHPSESSID" string(9) "PHPSESSID"
Warning: session_start(): session.name cannot contain any of the following '=,;.[ \t\r\n\013\014' in %s on line %d Warning: session_name(): session.name "" must not be numeric, empty, contain null bytes or any of the following characters "=,;.[ \t\r\n\013\014" in %s on line %d
string(9) "PHPSESSID"
bool(true) bool(true)
string(1) " " string(9) "PHPSESSID"
bool(true) bool(true)
string(1) " " string(9) "PHPSESSID"
Warning: session_name(): session.name "" cannot be numeric or empty in %s on line %d
string(1) " "
Warning: session_start(): session.name cannot contain any of the following '=,;.[ \t\r\n\013\014' in %s on line %d
bool(true)
string(1) " "
bool(true)
string(1) " "
Done Done