- Remove track_vars - it is now always on

- Make the various $HTTP_*_VARS[] arrays be defined always,
  even if they're empty
- Fix Win32 build and warnings

ext/session/session.c

@@ -244,16 +244,14 @@ static void php_set_session_var(char *name, size_t namelen,
 	zval_copy_ctor(state_val_copy);
 	state_val_copy->refcount = 0;
 
-	if (PG(register_globals) && PG(track_vars)) {
+	if (PG(register_globals)) {
 		zend_set_hash_symbol(state_val_copy, name, namelen, 0, 2, PS(http_session_vars)->value.ht, &EG(symbol_table));
 	} else {
 		if (PG(register_globals)) {
 			zend_set_hash_symbol(state_val_copy, name, namelen, 0, 1, &EG(symbol_table));
 		}
 
-		if (PG(track_vars)) {
-			zend_set_hash_symbol(state_val_copy, name, namelen, 0, 1, PS(http_session_vars)->value.ht);
-		}
+		zend_set_hash_symbol(state_val_copy, name, namelen, 0, 1, PS(http_session_vars)->value.ht);
 	}
 }
 
@@ -261,7 +259,7 @@ static int php_get_session_var(char *name, size_t namelen, zval ***state_var PLS
 {
 	HashTable *ht = &EG(symbol_table);
 
-	if (!PG(register_globals) && PG(track_vars))
+	if (!PG(register_globals))
 		ht = PS(http_session_vars)->value.ht;
 
 	return zend_hash_find(ht, name, namelen + 1, (void **)state_var);
@@ -523,8 +521,7 @@ static void _php_session_decode(const char *val, int vallen PSLS_DC)
 {
 	PLS_FETCH();
 
-	if (PG(track_vars))
-		php_session_track_init();
+	php_session_track_init();
 	if (PS(serializer)->decode(val, vallen PSLS_CC) == FAILURE) {
 		_php_session_destroy(PSLS_C);
 		php_error(E_WARNING, "Failed to decode session object. Session has been destroyed.");
@@ -844,8 +841,6 @@ static void _php_session_start(PSLS_D)
 	char *p;
 	int send_cookie = 1;
 	int define_sid = 1;
-	zend_bool register_globals;
-	zend_bool track_vars;
 	int module_number = PS(module_number);
 	int nrand;
 	int lensess;
@@ -856,39 +851,13 @@ static void _php_session_start(PSLS_D)
 
 	lensess = strlen(PS(session_name));
 	
-	register_globals = INI_BOOL("register_globals");
-	track_vars = INI_BOOL("track_vars");
 
-	if (!register_globals && !track_vars) {
-		php_error(E_ERROR, "The session module will not work if you have disabled track_vars and register_globals. At least one of them must be enabled.");
-		return;
-	}
-
-	if (!track_vars && PS(use_cookies))
-		php_error(E_NOTICE, "Because track_vars is disabled, the session module will not be able to determine whether the user has sent a cookie. SID will always be defined.");
-	
 	/*
-	 * If our only resource is the global symbol_table, then check it.
-	 * If track_vars are enabled, we prefer these, because they are more
-	 * reliable, and we always know whether the user has accepted the 
-	 * cookie.
-	 */
-	
-	if (register_globals && 
-			!track_vars &&
-			!PS(id) &&
-			zend_hash_find(&EG(symbol_table), PS(session_name),
-				lensess + 1, (void **) &ppid) == SUCCESS) {
-		PPID2SID;
-		send_cookie = 0;
-	}
-	
-	/*
-     * Now check the track_vars. Cookies are preferred, because initially
+     * Cookies are preferred, because initially
 	 * cookie and get variables will be available. 
 	 */
 
-	if (!PS(id) && track_vars) {
+	if (!PS(id)) {
 		if (zend_hash_find(&EG(symbol_table), "HTTP_COOKIE_VARS",
 					sizeof("HTTP_COOKIE_VARS"), (void **) &data) == SUCCESS &&
 				(*data)->type == IS_ARRAY &&
@@ -1244,7 +1213,7 @@ static void php_register_var(zval** entry PSLS_DC PLS_DC)
 	} else {
 		convert_to_string_ex(entry);
 
-		if (!PG(track_vars) || strcmp((*entry)->value.str.val, "HTTP_SESSION_VARS") != 0)
+		if (strcmp((*entry)->value.str.val, "HTTP_SESSION_VARS") != 0)
 			PS_ADD_VARL((*entry)->value.str.val, (*entry)->value.str.len);
 	}
 }

main/main.c

@@ -225,7 +225,6 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("short_open_tag",		"1",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateBool,			short_tags,				zend_compiler_globals,	compiler_globals)
 	STD_PHP_INI_BOOLEAN("sql.safe_mode",		"0",		PHP_INI_SYSTEM,		OnUpdateBool,			sql_safe_mode,			php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("track_errors",			"0",		PHP_INI_ALL,		OnUpdateBool,			track_errors,			php_core_globals,	core_globals)
-	STD_PHP_INI_BOOLEAN("track_vars",			"1",		PHP_INI_ALL,		OnUpdateBool,			track_vars,				php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("y2k_compliance",		"0",		PHP_INI_ALL,		OnUpdateBool,			y2k_compliance,			php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("arg_separator",			"&",		PHP_INI_ALL,		OnUpdateStringUnempty,	arg_separator,			php_core_globals,	core_globals)
@@ -922,12 +921,10 @@ static inline void php_register_server_variables(ELS_D SLS_DC PLS_DC)
 {
 	zval *array_ptr=NULL;
 
-	if (PG(track_vars)) {
-		ALLOC_ZVAL(array_ptr);
-		array_init(array_ptr);
-		INIT_PZVAL(array_ptr);
-		PG(http_globals).server = array_ptr;
-	}
+	ALLOC_ZVAL(array_ptr);
+	array_init(array_ptr);
+	INIT_PZVAL(array_ptr);
+	PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;
 
 	/* Server variables */
 	if (sapi_module.register_server_variables) {
@@ -954,8 +951,31 @@ static int php_hash_environment(ELS_D SLS_DC PLS_DC)
 	char *p;
 	unsigned char _gpc_flags[3] = {0,0,0};
 	zend_bool have_variables_order;
+	zval *dummy_track_vars_array;
+	zend_bool initialized_dummy_track_vars_array=0;
+	int i;
+	char *track_vars_names[] = {
+		"HTTP_POST_VARS",
+		"HTTP_GET_VARS",
+		"HTTP_COOKIE_VARS",
+		"HTTP_SERVER_VARS",
+		"HTTP_ENV_VARS",
+		"HTTP_POST_FILES",
+		NULL
+	};
+	int track_vars_names_length[] = {
+		sizeof("HTTP_POST_VARS"),
+		sizeof("HTTP_GET_VARS"),
+		sizeof("HTTP_COOKIE_VARS"),
+		sizeof("HTTP_SERVER_VARS"),
+		sizeof("HTTP_ENV_VARS"),
+		sizeof("HTTP_POST_FILES")
+	};
 
-	PG(http_globals).post = PG(http_globals).get = PG(http_globals).cookie = PG(http_globals).server = PG(http_globals).environment = PG(http_globals).post_files = NULL;
+
+	for (i=0; i<6; i++) {
+		PG(http_globals)[i] = NULL;
+	}
 
 	if (PG(variables_order)) {
 		p = PG(variables_order);
@@ -1008,25 +1028,18 @@ static int php_hash_environment(ELS_D SLS_DC PLS_DC)
 		php_register_server_variables(ELS_C SLS_CC PLS_CC);
 	}
 
-	if (PG(http_globals).post) {
-		zend_hash_update(&EG(symbol_table), "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), &PG(http_globals).post, sizeof(zval *), NULL);
+	for (i=0; i<6; i++) {
+		if (!PG(http_globals)[i] && !initialized_dummy_track_vars_array) {
+			ALLOC_ZVAL(dummy_track_vars_array);
+			array_init(dummy_track_vars_array);
+			INIT_PZVAL(dummy_track_vars_array);
+			initialized_dummy_track_vars_array = 1;
+		} else {
+			dummy_track_vars_array->refcount++;
+			PG(http_globals)[i] = dummy_track_vars_array;
+		}
+		zend_hash_update(&EG(symbol_table), track_vars_names[i], track_vars_names_length[i], &PG(http_globals)[i], sizeof(zval *), NULL);
 	}
-	if (PG(http_globals).get) {
-		zend_hash_update(&EG(symbol_table), "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), &PG(http_globals).get, sizeof(zval *), NULL);
-	}
-	if (PG(http_globals).cookie) {
-		zend_hash_update(&EG(symbol_table), "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), &PG(http_globals).cookie, sizeof(zval *), NULL);
-	}
-	if (PG(http_globals).server) {
-		zend_hash_update(&EG(symbol_table), "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), &PG(http_globals).server, sizeof(zval *), NULL);
-	}
-	if (PG(http_globals).environment) {
-		zend_hash_update(&EG(symbol_table), "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), &PG(http_globals).environment, sizeof(zval *), NULL);
-	}
-	if (PG(http_globals).post_files) {
-		zend_hash_update(&EG(symbol_table), "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), &PG(http_globals).post_files, sizeof(zval *),NULL);
-	}
-
 	return SUCCESS;
 }
 
@@ -1036,9 +1049,6 @@ static void php_build_argv(char *s, zval *track_vars_array ELS_DC PLS_DC)
 	pval *arr, *argc, *tmp;
 	int count = 0;
 	char *ss, *space;
-
-	if (!PG(register_globals) && !PG(track_vars))
-		return;
 	
 	ALLOC_ZVAL(arr);
 	array_init(arr);
@@ -1084,15 +1094,12 @@ static void php_build_argv(char *s, zval *track_vars_array ELS_DC PLS_DC)
 		zend_hash_add(&EG(symbol_table), "argc", sizeof("argc"), &argc, sizeof(zval *), NULL);
 	}
 
-	if (PG(track_vars)) {
-		if (PG(register_globals)) {
-			arr->refcount++;
-			argc->refcount++;
-		}
-		zend_hash_update(track_vars_array->value.ht, "argv", sizeof("argv"), &arr, sizeof(pval *), NULL);
-		zend_hash_update(track_vars_array->value.ht, "argc", sizeof("argc"), &argc, sizeof(pval *), NULL);
+	if (PG(register_globals)) {
+		arr->refcount++;
+		argc->refcount++;
 	}
-
+	zend_hash_update(track_vars_array->value.ht, "argv", sizeof("argv"), &arr, sizeof(pval *), NULL);
+	zend_hash_update(track_vars_array->value.ht, "argc", sizeof("argc"), &argc, sizeof(pval *), NULL);
 }
 
 

main/network.c

@@ -37,8 +37,12 @@
 #include <netinet/in.h>
 #include <netdb.h>
 #include <arpa/inet.h>
+#else
+int		 inet_aton(const char *, struct in_addr *);
 #endif
 
+#include "php_network.h"
+
 #ifdef PHP_WIN32
 #undef AF_UNIX
 #endif
@@ -150,7 +154,7 @@ static int php_network_getaddresses(const char *host, struct sockaddr ***sal)
  * port, returns the created socket on success, else returns -1.
  * timeout gives timeout in seconds, 0 means blocking mode.
  */
-int php_hostconnect(char *host, int port, int socktype, int timeout)
+int php_hostconnect(char *host, unsigned short port, int socktype, int timeout)
 {	
 	int s;
 	struct sockaddr **sal, **psal;

main/php_globals.h

@@ -42,14 +42,13 @@ extern PHPAPI int core_globals_id;
 extern ZEND_API struct _php_core_globals core_globals;
 #endif
 
-typedef struct _php_http_globals {
-	zval *post;
-	zval *get;
-	zval *cookie;
-	zval *server;
-	zval *environment;
-	zval *post_files;
-} php_http_globals;
+
+#define TRACK_VARS_POST		1
+#define TRACK_VARS_GET		2
+#define TRACK_VARS_COOKIE	3
+#define TRACK_VARS_SERVER	4
+#define TRACK_VARS_ENV		5
+#define TRACK_VARS_FILES	6
 
 struct _php_tick_function_entry;
 
@@ -103,11 +102,10 @@ struct _php_core_globals {
 
 	zend_llist tick_functions;
 
-	php_http_globals http_globals;
+	zval *http_globals[6];
 
 	zend_bool expose_php;
 
-	zend_bool track_vars;
 	zend_bool register_globals;
 	zend_bool register_argc_argv;
 

main/php_network.h

@@ -17,7 +17,12 @@
  */
 /* $Id$ */
 
-int php_hostconnect(char *host, int port, int socktype, int timeout);
+#ifndef _PHP_NETWORK_H
+#define _PHP_NETWORK_H
+
+int php_hostconnect(char *host, unsigned short port, int socktype, int timeout);
+
+#endif /* _PHP_NETWORK_H */
 
 /*
  * Local variables:

main/php_variables.c

@@ -57,7 +57,7 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
 	zend_bool free_index;
 	HashTable *symtable1=NULL;
 	HashTable *symtable2=NULL;
-	
+
 	if (PG(register_globals)) {
 		symtable1 = EG(active_symbol_table);
 	}
@@ -69,7 +69,7 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
 		}
 	}
 	if (!symtable1) {
-		/* we don't need track_vars, and we're not setting GPC globals either. */
+		/* Nothing to do */
 		zval_dtor(val);
 		return;
 	}
@@ -220,23 +220,19 @@ void php_treat_data(int arg, char *str ELS_DC PLS_DC SLS_DC)
 		case PARSE_POST:
 		case PARSE_GET:
 		case PARSE_COOKIE:
-			if (PG(track_vars)) {
-				ALLOC_ZVAL(array_ptr);
-				array_init(array_ptr);
-				INIT_PZVAL(array_ptr);
-				switch (arg) {
-					case PARSE_POST:
-						PG(http_globals).post = array_ptr;
-						break;
-					case PARSE_GET:
-						PG(http_globals).get = array_ptr;
-						break;
-					case PARSE_COOKIE:
-						PG(http_globals).cookie = array_ptr;
-						break;
-				}
-			} else {
-				array_ptr=NULL;
+			ALLOC_ZVAL(array_ptr);
+			array_init(array_ptr);
+			INIT_PZVAL(array_ptr);
+			switch (arg) {
+				case PARSE_POST:
+					PG(http_globals)[TRACK_VARS_POST] = array_ptr;
+					break;
+				case PARSE_GET:
+					PG(http_globals)[TRACK_VARS_GET] = array_ptr;
+					break;
+				case PARSE_COOKIE:
+					PG(http_globals)[TRACK_VARS_COOKIE] = array_ptr;
+					break;
 			}
 			break;
 		default:
@@ -309,12 +305,10 @@ void php_import_environment_variables(ELS_D PLS_DC)
 	char **env, *p, *t;
 	zval *array_ptr=NULL;
 
-	if (PG(track_vars)) {
-		ALLOC_ZVAL(array_ptr);
-		array_init(array_ptr);
-		INIT_PZVAL(array_ptr);
-		PG(http_globals).environment = array_ptr;
-	}
+	ALLOC_ZVAL(array_ptr);
+	array_init(array_ptr);
+	INIT_PZVAL(array_ptr);
+	PG(http_globals)[TRACK_VARS_ENV] = array_ptr;
 
 	for (env = environ; env != NULL && *env != NULL; env++) {
 		p = strchr(*env, '=');

main/rfc1867.c

@@ -102,12 +102,10 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
 
 	zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
 
-	if (PG(track_vars)) {
-		ALLOC_ZVAL(http_post_files);
-		array_init(http_post_files);
-		INIT_PZVAL(http_post_files);
-		PG(http_globals).post_files = http_post_files;
-	}
+	ALLOC_ZVAL(http_post_files);
+	array_init(http_post_files);
+	INIT_PZVAL(http_post_files);
+	PG(http_globals)[TRACK_VARS_POST] = http_post_files;
 
 	ptr = buf;
 	rem = cnt;

php.ini-dist

@@ -181,6 +181,7 @@ warn_plus_overloading	=	Off		; warn if the + operator is used with strings
 ;;;;;;;;;;;;;;;;;
 ; Data Handling ;
 ;;;;;;;;;;;;;;;;;
+; Note - track_vars is ALWAYS enabled as of PHP 4.0.3
 variables_order		=	"EGPCS"	; This directive describes the order in which PHP registers
 								; GET, POST, Cookie, Environment and Built-in variables (G, P,
 								; C, E & S respectively, often referred to as EGPCS or GPC).
@@ -192,12 +193,14 @@ register_globals	=	On		; Whether or not to register the EGPCS variables as globa
 								; most sense when coupled with track_vars - in which case you can
 								; access all of the GPC variables through the $HTTP_*_VARS[],
 								; variables.
+								; You should do your best to write your scripts so that they do
+								; not require register_globals to be on;  Using form variables
+								; as globals can easily lead to possible security problems, if
+								; the code is not very well thought of.
 register_argc_argv	=	On		; This directive tells PHP whether to declare the argv&argc
 								; variables (that would contain the GET information).  If you
 								; don't use these variables, you should turn it off for
 								; increased performance
-track_vars			=	On		; enable the $HTTP_*_VARS[] arrays, where * is one of
-								; ENV, POST, GET, COOKIE or SERVER.
 gpc_order			=	"GPC"	; This directive is deprecated.  Use variables_order instead.
 
 ; Magic quotes

php.ini-optimized

@@ -182,9 +182,8 @@ register_globals	=	Off		; Whether or not to register the EGPCS variables as glob
 register_argc_argv	=	Off		; This directive tells PHP whether to declare the argv&argc
 								; variables (that would contain the GET information).  If you
 								; don't use these variables, you should turn it off for
-								; increased performance
-track_vars			=	On		; enable the $HTTP_*_VARS[] arrays, where * is one of
-								; ENV, POST, GET, COOKIE or SERVER.
+								; increased performance (you should try not to use it anyway,
+								; for less likelihood of security bugs in your code).
 gpc_order			=	"GPC"	; This directive is deprecated.  Use variables_order instead.
 
 ; Magic quotes

php.ini-recommended

@@ -182,9 +182,8 @@ register_globals	=	Off		; Whether or not to register the EGPCS variables as glob
 register_argc_argv	=	Off		; This directive tells PHP whether to declare the argv&argc
 								; variables (that would contain the GET information).  If you
 								; don't use these variables, you should turn it off for
-								; increased performance
-track_vars			=	On		; enable the $HTTP_*_VARS[] arrays, where * is one of
-								; ENV, POST, GET, COOKIE or SERVER.
+								; increased performance (you should try not to use it anyway,
+								; for less likelihood of security bugs in your code).
 gpc_order			=	"GPC"	; This directive is deprecated.  Use variables_order instead.
 
 ; Magic quotes

win32/php4dllts.dsp

@@ -153,6 +153,10 @@ SOURCE=..\main\mergesort.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\main\network.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\main\php_content_types.c
 # End Source File
 # Begin Source File