php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #15484 custom handler of session is not strong enough
Submitted: 2002-02-10 06:04 UTC Modified: 2002-03-11 00:00 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Xuefer at 21cn dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.1.1 OS: win2k
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Xuefer at 21cn dot com
New email:
PHP Version: OS:

 

 [2002-02-10 06:04 UTC] Xuefer at 21cn dot com 
used session_set_save_handler(...."sess_read"....);
and when session_start();
and also sess_read() returns _NONE_ string
e.g. function sess_read() { }
or function sess_read() { return false; }

browser get no response from apache (should be crash)


it should be strong enough :-)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-10 06:18 UTC] mfischer@php.net 
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".
 [2002-02-10 07:00 UTC] Xuefer at 21cn dot com 
"what i did":
code's here:

session_set_save_handler ('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc');
function sess_open() { return true;}
function sess_close() { return true;}
function sess_read() { return ""; }
function sess_write() {}
function ses_destroy() {}
function sess_gc() {}

session_start();
echo "program got here";
;--------------
ok, the above program won't crash the apache

but if i change:
--> function sess_read() { return ""; }
into:
--> function sess_read() { return null; }

"what i expected to happen" is: php `should` warnning me my returning isnot STRING, or keep running quietly

"what happened" is: no response from apache

and here why i report this bug:
a server running 100 website, one of the custom(the one can upload/update php file for his site) is able to attact the server by using the above script, making `fool` of the server



is the above info enough? :)
 [2002-02-10 07:02 UTC] mfischer@php.net 
To properly diagnose this bug, we need a backtrace to see what is
happening behind the scenes. To find out how to generate a backtrace,
please read http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open".
 [2002-02-10 08:21 UTC] Xuefer at 21cn dot com 
i'm using win2k to run apache+php
how can i get backtrace?

btw, i'm not sure that apache is fully 'down'
just browser get no response from apache
and can browse other php pages without restarting apache

i've tested it on my linux server, script finished quite fine
 [2002-03-11 00:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 17:01:58 2024 UTC