php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38353 pipe char in index of SESSION variables should lead to error in session_encode
Submitted: 2006-08-06 06:15 UTC Modified: 2006-08-06 13:49 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: wf at bitplan dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.1.4 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: wf at bitplan dot com
New email:
PHP Version: OS:

 

 [2006-08-06 06:15 UTC] wf at bitplan dot com
Description:
------------
Please read carefully before rating i already had to reenter and rephrase since two existing bugreport where rated "bogus" which is the reason this bugreport is places in the first place. The rating is not o.k. Telling users "Read the fine manual" is not enough in this case because the cause is just a minor think the effect is devastating - that should not be. So please rate as "serious" to make sure the bug gets fixed. I'm sure it is a simple thing to add.

The bugreports
  http://bugs.php.net/bug.php?id=33786
and
  http://bugs.php.net/bug.php?id=38346
have just the Status "bogus". That rating is not o.k.
It's true that using pipe chars as part of an array index is not allowed - but the system should react better on this
at least it should give a proper error message.

With the current buggy behaviour of the system as an answer to the programming error  session_encode will fail badly and a whole web - app will suffer (I've seen one report that someone lost his job due to sessions not being restored properly ...)
A simple programming error that is hard to find and the whole system will be unusuable. PHP can do better than that and simply given an error message.



Reproduce code:
---------------
<?php
for ($i=33;$i<255;$i++) {
	@session_destroy();
	@session_start();
	$_SESSION["validname"]="valid value";
	$_varname="v".chr($i)."ar";
	$_SESSION[$_varname]=$i;
	$data=session_encode();
	if (strlen($data)==0) 
	echo "when varname is ".$_varname.
			 " session has ".count($_SESSION).
			 " entries that are encoded with ".strlen($data)." bytes ".
			 //" as '".$data.
			 "'<br />";
}	// for		 
?>

Expected result:
----------------
A (fatal) error message on using | within the array index name for
$_SESSION

Actual result:
--------------
when varname is v|ar session has 2 entries that are encoded with 0 bytes
'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-06 13:49 UTC] tony2001@php.net
<?php
session_start();
$_SESSION["v|ar"] = 1;
var_dump(session_encode());
?>

bool(false)

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC