diff options
author | Yasuo Ohgaki <yohgaki@php.net> | 2016-01-15 09:45:08 +0900 |
---|---|---|
committer | Yasuo Ohgaki <yohgaki@php.net> | 2016-01-15 09:45:08 +0900 |
commit | 8c37a086c78a66517967fcb809fb53297becfe42 (patch) | |
tree | 16206987d6d3e798766e451526ecaeac67e2d606 | |
parent | c126725a7f4b89a93d1130ea62ddaa7af8579389 (diff) | |
download | php-git-8c37a086c78a66517967fcb809fb53297becfe42.tar.gz |
Improved fix for bug #68063 (Empty session IDs do still start sessions).
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/session/session.c | 9 | ||||
-rw-r--r-- | ext/session/tests/bug68063.phpt | 14 |
3 files changed, 14 insertions, 10 deletions
@@ -22,6 +22,7 @@ PHP NEWS on the same server). (Anatol) - Session: + . Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo) . Fixed bug #71122 (Session GC may not remove obsolete session data). (Yasuo) . Fixed bug #71038 (session_start() returns TRUE on failure). It's fixed partially on PHP 5.6. It still returns TRUE on session read diff --git a/ext/session/session.c b/ext/session/session.c index 53e22c252e..ffb6fb381b 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -512,7 +512,10 @@ static void php_session_initialize(TSRMLS_D) /* {{{ */ } /* If there is no ID, use session module to create one */ - if (!PS(id)) { + if (!PS(id) || !PS(id)[0]) { + if (PS(id)) { + efree(PS(id)); + } PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC); if (!PS(id)) { php_session_abort(TSRMLS_C); @@ -2102,10 +2105,6 @@ static PHP_FUNCTION(session_decode) static PHP_FUNCTION(session_start) { /* skipping check for non-zero args for performance reasons here ?*/ - if (PS(id) && !strlen(PS(id))) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID"); - RETURN_FALSE; - } php_session_start(TSRMLS_C); diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt index d3da470d06..ec3a70d156 100644 --- a/ext/session/tests/bug68063.phpt +++ b/ext/session/tests/bug68063.phpt @@ -3,18 +3,22 @@ Bug #68063 (Empty session IDs do still start sessions) --SKIPIF-- <?php include('skipif.inc'); ?> --INI-- +session.use_strict_mode=0 +session.hash_function=1 +session.hash_bits_per_character=4 --FILE-- <?php +// Empty session ID may happen by browser bugs + // Could also be set with a cookie like "PHPSESSID=; path=/" session_id(''); -// Will still start the session and return true +// Start the session with empty string should result in new session ID var_dump(session_start()); -// Returns an empty string +// Returns newly created session ID var_dump(session_id()); ?> --EXPECTF-- -Warning: session_start(): Cannot start session with empty session ID in %s on line %d -bool(false) -string(0) "" +bool(true) +string(40) "%s" |