George Peter Banyard
499fbcd679
Actually fix GH-9583
...
The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set
Add another regression test to ensure current working behaviour is not broken (which was by the previous incorrect fix)
Closes GH-9638
2022-10-06 14:29:13 +01:00
George Peter Banyard
8b115254c0
Fix GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
2022-09-27 15:52:21 +01:00
Christoph M. Becker
733b514326
Merge branch 'PHP-7.4' into PHP-8.0
...
* PHP-7.4:
Properly initialize PS(mod) on RINIT
2021-03-23 13:13:43 +01:00
Christoph M. Becker
688e56d0ac
Properly initialize PS(mod) on RINIT
...
We need to do that in case a user handler has been set. However, we
can't do that in `php_rinit_session_globals()` since that function is
called by PHP function `session_destroy()` too, but in that case we
don't want to reset PS(mod).
Closes GH-6795.
2021-03-23 13:12:19 +01:00
Christoph M. Becker
90be86fc91
Merge branch 'PHP-7.4' into PHP-8.0
...
* PHP-7.4:
Fix #80889: amendment
2021-03-22 22:49:46 +01:00
Christoph M. Becker
838951c2d6
Fix #80889: amendment
...
`session_set_save_handler()` may be called with callables instead of an
object; we need to cater to that as well.
We also extract a set_user_save_handler_ini() function to avoid code
duplication.
Closes GH-6796.
2021-03-22 22:17:35 +01:00
Christoph M. Becker
2a1ed81ffc
Merge branch 'PHP-7.4' into PHP-8.0
...
* PHP-7.4:
Fix #80889: Cannot set save handler when save_handler is invalid
2021-03-19 17:03:54 +01:00
Christoph M. Becker
06bfada99b
Fix #80889: Cannot set save handler when save_handler is invalid
...
There is no need to require a (valid) save_handler to be set, when a
user handler is supposed to be set. We just have to make sure, that
no user handler is already set in this case.
Closes GH-6788.
2021-03-19 16:59:54 +01:00
Christoph M. Becker
6dcd640f35
Merge branch 'PHP-7.4' into PHP-8.0
...
* PHP-7.4:
Fix #80774: session_name() problem with backslash
2021-02-22 12:35:23 +01:00
Christoph M. Becker
d7c98ca1ac
Fix #80774: session_name() problem with backslash
...
Since we do no longer URL decode cookie names[1], we must not URL
encode the session name. We need to prevent broken Set-Cookie headers,
by rejecting names which contain invalid characters.
[1] <http://git.php.net/?p=php-src.git;a=commit;h=6559fe912661ca5ce5f0eeeb591d928451428ed0>
Closes GH-6711.
2021-02-22 12:32:56 +01:00
Nikita Popov
8067cf4752
Use callable type in register_shutdown_function()
...
To make things a bit less weird, split off the function name into
a zval stored separately from the arguments. This allows us to
use normal zpp and get standard behavior.
2020-09-25 14:48:33 +02:00
George Peter Banyard
82e14ff8e7
Drop usage of E_RECOVERABLE_ERROR in Session extension
2020-09-22 19:11:30 +01:00
Máté Kocsis
46c0c82a0f
Declare array|int and object-of-class|int types in stubs
...
Closes GH-6081
Co-Authored-By: Nikita Popov <nikic@php.net>
2020-09-14 11:59:32 +02:00
Máté Kocsis
f293e6b920
Clean up ext/session errors
...
Closes GH-6111
2020-09-11 11:59:04 +02:00
Dmitry Stogov
4a2ae84188
Add "const". Move constant strings to read-only memory.
2020-09-07 21:35:48 +03:00
Max Semenik
2b5de6f839
Remove proto comments from C files
...
Closes GH-5758
2020-07-06 21:13:34 +02:00
Nikita Popov
344c077400
Use zend_string_equals API in a couple places
2020-07-03 17:02:28 +02:00
Máté Kocsis
b981662855
Fix a couple of UNKNOWN default values in ext/session
...
Closes GH-5752
2020-06-23 15:42:59 +02:00
Christoph M. Becker
92c4b06513
Use ZEND_UNREACHABLE() instead of ZEND_ASSERT(0)
...
Instead of marking unreachable code with `ZEND_ASSERT(0)`, we introduce
`ZEND_UNREACHABLE()`, so that MSVC which does not consider `assert(0)`
to mark unreachable code does no longer trigger C4715[1] warnings in
debug builds. This may be useful for other compilers as well.
[1] <https://docs.microsoft.com/de-de/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4715?view=vs-2019>
2020-06-16 18:39:09 +02:00
Christoph M. Becker
08858e7cca
Fix #73529: session_decode() silently fails on wrong input
...
The `php_serialize` decode function has to return `FAILURE`, if the
unserialization failed on anything but an empty string.
The `php` decode function has also to return `FAILURE`, if there is
trailing garbage in the string.
2020-06-10 16:48:49 +02:00
twosee
88355dd338
Constify char * arguments of APIs
...
Closes GH-5676.
2020-06-08 10:38:45 +02:00
Máté Kocsis
aa9b0ccda8
Add tests to check mismatching function signatures
...
Closes GH-5666
2020-06-06 09:23:34 +02:00
Christoph M. Becker
5a04796f76
Fix MSVC level 1 (severe) warnings
...
We fix (hopefully) all instances of:
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4005>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4024>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4028>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4047>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4087>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4090>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4273>
* <https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-1-c4312>
`zend_llist_add_element()` and `zend_llist_prepend_element()` now
explicitly expect a *const* pointer.
We use the macro `ZEND_VOIDP()` instead of a `(void*)` cast to suppress
C4090; this should prevent accidental removal of the cast by
clarifying the intention, and makes it easier to remove the casts if
the issue[1] will be resolved sometime.
[1] <https://developercommunity.visualstudio.com/content/problem/390711/c-compiler-incorrect-propagation-of-const-qualifie.html>
2020-06-05 11:17:05 +02:00
Alex Dowad
af67b06995
SessionUpdateTimestampHandler class was never implemented
...
It seems that in 2015, work was being done so that users could add their own custom
session handlers. The implementer intended to add a class called
SessionUpdateTimestampHandler, but never did so. The variable which was intended to point
to its class entry is never initialized.
The implementer also coded two methods for this class. Strangely, the method bodies
are declared with PHP_METHOD(SessionHandler, ...) rather than
PHP(SessionUpdateTimestampHandler, ...). However, these method implementations are not
added to the method table of any class or interface. They are just dead code.
2020-04-27 14:51:33 +02:00
Máté Kocsis
1bba691ecc
Generate method entries for ext/session and ext/reflection
...
Closes GH-5376
2020-04-13 13:04:06 +02:00
Máté Kocsis
21cfa03f17
Generate function entries for another batch of extensions
...
Closes GH-5352
2020-04-05 21:15:30 +02:00
Christoph M. Becker
12ca4fe65d
Merge branch 'PHP-7.4'
...
* PHP-7.4:
Fix #79413: session_create_id() fails for active sessions
2020-03-31 08:41:08 +02:00
Christoph M. Becker
d533fa15e6
Merge branch 'PHP-7.3' into PHP-7.4
...
* PHP-7.3:
Fix #79413: session_create_id() fails for active sessions
2020-03-31 08:39:54 +02:00
Christoph M. Becker
b510250b8e
Fix #79413: session_create_id() fails for active sessions
...
The comment on `PS_VALIDATE_SID_FUNC(files)` is very clear that the
function is supposed to return `SUCCESS` if the session already exists.
So to detect a collision, we have to check for `SUCCESS`, not
`FAILURE`.
We also fix the wrong condition in session_regenerate_id() as well.
2020-03-31 08:38:23 +02:00
Stanislav Malyshev
90ae1818d5
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
2020-02-17 00:20:31 -08:00
Stanislav Malyshev
282bfb109e
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
2020-02-17 00:20:17 -08:00
Stanislav Malyshev
409965fe1c
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
2020-02-17 00:19:30 -08:00
Stanislav Malyshev
545f77d313
Merge branch 'PHP-7.4'
...
* PHP-7.4:
Update NEWS
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
Fix #79099: OOB read in php_strip_tags_ex
Fix #79091: heap use-after-free in session_create_id()
2020-01-20 22:47:28 -08:00
Stanislav Malyshev
a29c793381
Merge branch 'PHP-7.3' into PHP-7.4
...
* PHP-7.3:
Update NEWS
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
Fix #79099: OOB read in php_strip_tags_ex
Fix #79091: heap use-after-free in session_create_id()
2020-01-20 22:47:01 -08:00
Stanislav Malyshev
25ec7eb346
Merge branch 'PHP-7.2' into PHP-7.3
...
* PHP-7.2:
Update NEWS
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
Fix #79099: OOB read in php_strip_tags_ex
Fix #79091: heap use-after-free in session_create_id()
2020-01-20 22:46:29 -08:00
Christoph M. Becker
f79c774274
Fix #79091: heap use-after-free in session_create_id()
...
If the `new_id` is released, we must not use it again.
2020-01-20 21:43:42 -08:00
Máté Kocsis
349a286461
Use RETURN_THROWS() after zend_throw_error()
2020-01-01 16:42:30 +01:00
Máté Kocsis
345703724c
Use RETURN_THROWS() during ZPP in most of the extensions
...
Except for some bigger ones: reflection, sodium, spl
2019-12-31 11:46:11 +01:00
Nikita Popov
d8bd113b51
Merge branch 'PHP-7.4'
...
* PHP-7.4:
Add test for bug #79031
Revert "Increase serialize_lock while decoding session"
2019-12-30 11:31:56 +01:00
Nikita Popov
ed3811e781
Revert "Increase serialize_lock while decoding session"
...
This reverts commit b8ef7c35ab.
See bug #79031. The semantics of serialize locking aren't quite
correct right now, and the use of the lock in this particular
place makes us hit the issue in a common case. I'm reverting this
commit for PHP 7.4 and will try to fix this properly for PHP 8,
as I believe it will require ABI breakage.
2019-12-30 11:27:13 +01:00
Máté Kocsis
2204dbde3b
Add missing ZPP checks
...
Closes GH-4878.
2019-11-01 15:26:52 +01:00
Máté Kocsis
9493893412
Cleanup return values when parameter parsing is unsuccessful
2019-10-30 16:05:20 +01:00
Gabriel Caruso
5d6e923d46
Remove mention of PHP major version in Copyright headers
...
Closes GH-4732.
2019-09-25 14:51:43 +02:00
Nikita Popov
fb60ccc666
Merge branch 'PHP-7.4'
2019-09-25 11:03:19 +02:00
Nikita Popov
b8ef7c35ab
Increase serialize_lock while decoding session
...
Avoid leaking state between Serializable::unserialize() and
session_decode().
2019-09-25 11:02:23 +02:00
Craig Duncan
1fc2fec138
Convert session functions arginfo to php stubs
2019-09-18 10:59:57 +02:00
Nikita Popov
7686b0b889
Merge branch 'PHP-7.4'
2019-06-05 14:53:50 +02:00
Nikita Popov
a31f46421d
Allow exceptions in __toString()
...
RFC: https://wiki.php.net/rfc/tostring_exceptions
And convert some object to string conversion related recoverable
fatal errors into Error exceptions.
Improve exception safety of internal code performing string
conversions.
2019-06-05 14:25:07 +02:00
Christoph M. Becker
034babbcc1
Merge branch 'PHP-7.4'
...
* PHP-7.4:
Fix #77911: Wrong warning for session.sid_bits_per_character
2019-04-17 17:25:13 +02:00
Christoph M. Becker
87912ca3b9
Merge branch 'PHP-7.3' into PHP-7.4
...
* PHP-7.3:
Fix #77911: Wrong warning for session.sid_bits_per_character
2019-04-17 17:24:36 +02:00