diff options
author | Bob Weinand <bobwei9@hotmail.com> | 2015-06-28 16:30:58 +0200 |
---|---|---|
committer | Bob Weinand <bobwei9@hotmail.com> | 2015-06-28 16:30:58 +0200 |
commit | b477aa1fad6cac41ee6959921b229cb3dba79e6e (patch) | |
tree | e9d33381039d03422e46e2a76e514f735ffb97f2 | |
parent | e96ad43ae6cc1f5e4db61cd52bf86198adaf77c1 (diff) | |
download | php-git-b477aa1fad6cac41ee6959921b229cb3dba79e6e.tar.gz |
Fix bug #69952 (Dereferencing issue in session_start())
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | ext/session/session.c | 35 |
2 files changed, 24 insertions, 21 deletions
@@ -16,13 +16,17 @@ PHP NEWS . Corrected oci8 hash destructors to prevent segfaults, and a few other fixes. (Cameron Porter) +- OpenSSL: + . Fixed bug #69882 (OpenSSL error "key values mismatch" after + openssl_pkcs12_read with extra cert) (Tomasz Sawicki) + - PCRE: . Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string). (cmb) -- OpenSSL: - . Fixed bug #69882 (OpenSSL error "key values mismatch" after - openssl_pkcs12_read with extra cert) (Tomasz Sawicki) +- Session: + . Fixed bug #69952 (Data integrity issues accessing superglobals by + reference). (Bob) 25 Jun 2015, PHP 7.0.0 Alpha 2 diff --git a/ext/session/session.c b/ext/session/session.c index 66b1a8628b..819008c5bb 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -1436,6 +1436,7 @@ PHPAPI const ps_serializer *_php_find_ps_serializer(char *name) /* {{{ */ /* }}} */ static void ppid2sid(zval *ppid) { + ZVAL_DEREF(ppid); if (Z_TYPE_P(ppid) == IS_STRING) { PS(id) = zend_string_init(Z_STRVAL_P(ppid), Z_STRLEN_P(ppid), 0); PS(send_cookie) = 0; @@ -1547,28 +1548,26 @@ PHPAPI void php_session_start(void) /* {{{ */ */ if (!PS(id)) { - if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1)) && - Z_TYPE_P(data) == IS_ARRAY && - (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess)) - ) { - ppid2sid(ppid); - PS(send_cookie) = 0; + if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) { + ZVAL_DEREF(data); + if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) { + ppid2sid(ppid); + PS(send_cookie) = 0; + } } - if (PS(define_sid) && !PS(id) && - (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1)) && - Z_TYPE_P(data) == IS_ARRAY && - (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess)) - ) { - ppid2sid(ppid); + if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1))) { + ZVAL_DEREF(data); + if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) { + ppid2sid(ppid); + } } - if (PS(define_sid) && !PS(id) && - (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1)) && - Z_TYPE_P(data) == IS_ARRAY && - (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess)) - ) { - ppid2sid(ppid); + if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1))) { + ZVAL_DEREF(data); + if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) { + ppid2sid(ppid); + } } /* Check the REQUEST_URI symbol for a string of the form |