[2016-11-27 01:26 UTC] yohgaki@php.net
-Assigned To:
+Assigned To: yohgaki
[2020-06-10 10:05 UTC] cmb@php.net
[2020-06-10 14:48 UTC] cmb@php.net
[2020-06-10 14:48 UTC] cmb@php.net
-Status: Assigned
+Status: Closed
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Mon Oct 27 03:00:02 2025 UTC
Description:
------------
The session_decode() returns true on most invalid values, e.g. NULL, ints, strings in the wrong format and empty strings. The docs state "Returns TRUE on success or FALSE on failure." and invalid input should be considered an error.

An important aspect of this is passing data serialized with another method than the current "session.serialize_handler". These should be considered an error as well. I think this is implied by the docs: "By default, the unserialization method used is internal to PHP, and is not the same as unserialize(). The serialization method can be set using session.serialize_handler."

The following two test scripts show that setting A as serialize handler and passing input serialized with B leads to a silent error. The $_SESSION is not populated but true is returned. E.g.

    <?php
    /* Test 1: handler "php", input produced by serialize() (php_serialize format) */
    $data = array('foo' => 'bar');
    ini_set('session.serialize_handler', 'php');
    session_start();
    var_dump(session_decode(serialize($data))); // true is returned
    var_dump($_SESSION);                         // $_SESSION is not populated

    <?php
    /* Test 2: handler "php_serialize", input in the "php" handler format */
    ini_set('session.serialize_handler', 'php_serialize');
    session_start();
    var_dump(session_decode('foo|s:3:"bar";')); // true is returned
    var_dump($_SESSION);                        // $_SESSION is not populated

Test script:
---------------
    <?php
    ini_set('session.serialize_handler', 'php');
    session_start();
    var_dump(session_decode("foo")); // not a valid encoded session for the "php" handler

Expected result:
----------------
session_decode() to return false.

Actual result:
--------------
session_decode() returns true.
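A defensive wrapper, added here as an example and not part of the bug report or of PHP itself, that turns the silent successes above into failures: it rejects input whose shape does not match the configured handler and treats "true but $_SESSION still empty" as an error. It assumes PHP 7 or later, an already active session and the "php" or "php_serialize" handler; the function name strict_session_decode and its format checks are the example's own.

```php
<?php
// Added example (not from the bug report): a wrapper that treats the silent
// successes described above as errors. Assumes PHP 7+, an active session and
// the "php" or "php_serialize" handler; the name and checks are this example's own.
function strict_session_decode(string $data): bool
{
    // session_decode() needs a started session, and empty input is never a
    // payload we want to accept silently.
    if (session_status() !== PHP_SESSION_ACTIVE || $data === '') {
        return false;
    }
    // Cheap shape check against the configured handler, so data written by the
    // other handler (Test 1 / Test 2 above) is rejected before decoding.
    switch (ini_get('session.serialize_handler')) {
        case 'php_serialize': // whole session is one serialized array: a:1:{...}
            if (!preg_match('/^a:\d+:\{/', $data)) {
                return false;
            }
            break;
        case 'php':           // name|serialized-value pairs: foo|s:3:"bar";
            if (!preg_match('/^[^|]+\|/', $data)) {
                return false;
            }
            break;
        default:              // php_binary etc.: rely on the post-condition only
            break;
    }
    $previous = $_SESSION;
    $_SESSION = [];
    $ok = session_decode($data);
    // The reported bug: true with nothing decoded. Treat "true but still empty"
    // as failure and restore the prior state rather than leaving it blank.
    if (!$ok || $_SESSION === []) {
        $_SESSION = $previous;
        return false;
    }
    return true;
}

// Constructed usage: the report's inputs, with only the one matching the
// configured handler accepted.
ini_set('session.serialize_handler', 'php');
session_start();
var_dump(strict_session_decode('foo'));                       // bool(false)
var_dump(strict_session_decode(serialize(['foo' => 'bar']))); // bool(false)
var_dump(strict_session_decode('foo|s:3:"bar";'));            // bool(true)
```

Note that a legitimately empty session (for example a:0:{} under php_serialize) is also rejected by the post-condition; relax that check if such payloads must decode successfully in your application.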