PHP :: Bug #34701 :: url_rewriter.tags won't work with output buffer and eval

Bug #34701	url_rewriter.tags won't work with output buffer and eval
Submitted:	2005-10-01 16:53 UTC	Modified:	2005-10-01 23:11 UTC
From:	php dot net at callerid dot de	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5CVS-2005-10-01 (snap)	OS:	linux, windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php dot net at callerid dot de
New email:
PHP Version:		OS:

New Comment:

[2005-10-01 16:53 UTC] php dot net at callerid dot de

Description:
------------
If an output is produced inside an eval that is captured in an output buffer, the url will not be supplemented with the session-ID as expected.

This happens only if the session_start is also inside the eval'd code.

The behaviour can be reproduced independently from OS or PHP-Version, if session.use-trans-sid is set.

Reproduce code:
---------------
<?php
$source = <<<EOQ
session_start();
echo "<a href=\"index.html\">Testlink</a>";
EOQ;
ob_start();
eval($source);
$content = ob_get_contents();
ob_end_clean();
echo $content;
?>

Expected result:
----------------
<a href="index.html?PHPSESSID=.....">Testlink</a>

Actual result:
--------------
<a href="index.html">Testlink</a>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-01 16:58 UTC] sniper@php.net

It's not expected.

[2005-10-01 18:00 UTC] php dot net at callerid dot de

Sorry. It isn't expected, why?

[2005-10-01 18:58 UTC] php dot net at callerid dot de

OK. I found it out myself.

Because of the ob_end... the output buffer, that url_rewriting is obviously using, is stopped.

That is also an unexpected behaviour and should be explained in the documentation of the session-functions. I will post a note.

Sorry about this bug-report. But the answer wasn't very helpful.

[2005-10-01 18:59 UTC] php dot net at callerid dot de

Closed.

[2005-10-01 19:06 UTC] johannes@php.net

No PHP problem -> bogus

[2005-10-01 23:11 UTC] php dot net at callerid dot de

All right. But if there's no bug in the handling, tell me (without parsing) what this script will put out.

<?php
ob_start();
session_start();

echo "Something\n";
echo "<a href=\"index.html\">Text</a>";

$var = ob_get_contents();
ob_clean();
echo $var;
?>
(remember: session.use_trans_sid is set)

Nevertheless, by using session_start while session.use_trans_sid is set and output buffer at the same time the behaviour is strange and should be redesigned. The function-based output buffer must be seperated from internal usage for functionality like url_rewriting.

This could definitely not be expected nor found in the docs.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Jul 12 05:01:33 2025 UTC