Bug #25307 Crash when session.serialize_handler=wddx & session, post, get vars
Submitted: 2003-08-29 04:35 UTC
Modified: 2003-08-29 09:19 UTC
From: cristea at pntcd dot ro
Assigned:
Status: Closed
Package: Session related
PHP Version: 4CVS-2003-08-29 (stable)
OS: any
Private report: No
CVE-ID:
 [2003-08-29 04:35 UTC] cristea at pntcd dot ro
Description:
------------
Apache will crash when session.serialize_handler is set to wddx and a $_SESSION var has the same name as a $_POST (or $_GET) var.

Try this code:
File w1.php
-----------
<?php
ini_set('session.serialize_handler', 'wddx');
session_start();
$_SESSION['a'] = 'test';
echo <<< EOS
<form action="w2.php" method="post">
<input type="text" name="a" value="">
<input type="submit">
</form>
EOS;
?>

File w2.php
-----------
<?php
ini_set('session.serialize_handler', 'wddx');
session_start();
print_r($_SESSION);
echo "<hr>";
print_r($_POST);
?>


 [2003-08-29 05:40 UTC] sniper@php.net
Happens only when wddx is the serializer and 
register_globals is 'On'.

Backtrace as follows:

0x40567dfa in var_replace (var_hashx=0x0, ozval=0x8244114, nzval=0x8236ef0) at var_unserializer.re:40
40      var_unserializer.re: No such file or directory.
(gdb) bt
#0  0x40567dfa in var_replace (var_hashx=0x0, ozval=0x8244114, nzval=0x8236ef0) at var_unserializer.re:40
#1  0x404e727b in php_set_session_var (name=0x824429c "a", namelen=1, state_val=0x8244114, var_hash=0x0)
    at /usr/src/web/php/php4_3/ext/session/session.c:307
#2  0x405720e2 in ps_srlzr_decode_wddx (
    val=0x824724c "<wddxPacket version='1.0'><header/><data><struct><var name='a'><string>test</string></var></struct></data></wddxPacket>", vallen=119) at /usr/src/web/php/php4_3/ext/wddx/wddx.c:292
#3  0x404e7e5c in php_session_decode (
    val=0x824724c "<wddxPacket version='1.0'><header/><data><struct><var name='a'><string>test</string></var></struct></data></wddxPacket>", vallen=119) at /usr/src/web/php/php4_3/ext/session/session.c:523
#4  0x404e8254 in php_session_initialize () at /usr/src/web/php/php4_3/ext/session/session.c:608
#5  0x404e9764 in php_session_start () at /usr/src/web/php/php4_3/ext/session/session.c:1036
#6  0x404eb41b in zif_session_start (ht=0, return_value=0x8246ff4, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php4_3/ext/session/session.c:1475
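
The trigger stated in this comment (wddx as the session serializer together with register_globals 'On') can be checked for on a deployment. This is an added example, not part of the original report or of PHP's own code: a Python check over php.ini text and PHP sources. The function names and the sample php.ini are constructed, and per-directory overrides (httpd.conf, .htaccess) are assumed absent.

```python
import re

TRUE_VALUES = {"1", "on", "yes", "true"}  # spellings php.ini accepts for a boolean "on"
WDDX_INI_SET = re.compile(
    r"""ini_set\(\s*['"]session\.serialize_handler['"]\s*,\s*['"]wddx['"]\s*\)""",
    re.IGNORECASE,
)

def parse_php_ini(text):
    """Return {directive: value}; the last assignment wins, comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (full-line and trailing)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def crash_conditions_met(ini_text, php_sources=()):
    """True when register_globals is On and wddx is the session serializer."""
    ini = parse_php_ini(ini_text)
    # Fallbacks are PHP's defaults: register_globals Off, serialize_handler "php".
    globals_on = ini.get("register_globals", "Off").lower() in TRUE_VALUES
    handler = ini.get("session.serialize_handler", "php").lower()
    # The report's scripts select wddx at run time with ini_set(), so scan sources too.
    wddx = handler == "wddx" or any(WDDX_INI_SET.search(src) for src in php_sources)
    return globals_on and wddx

# Constructed php.ini fragment (not from the report).
SAMPLE_INI = """\
[PHP]
;register_globals = Off
register_globals = On   ; enabled for a legacy application
[Session]
session.serialize_handler = php
"""
# First lines of w2.php as posted in the report.
W2_SOURCE = "<?php\nini_set('session.serialize_handler', 'wddx');\nsession_start();\n"

if __name__ == "__main__":
    print("php.ini alone:      ", crash_conditions_met(SAMPLE_INI))
    print("php.ini plus w2.php:", crash_conditions_met(SAMPLE_INI, [W2_SOURCE]))
```

With the sample php.ini alone the check is negative; it turns positive once a source that switches the handler to wddx at run time is included.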

 [2003-08-29 06:06 UTC] cristea at pntcd dot ro
In this case it is a bug. If the serializer is set to 'php' everything is OK.
 [2003-08-29 06:18 UTC] sniper@php.net
This patch _seems_ to fix this bug:
http://www.php.net/~jani/patches/bug25307.patch

(doesn't crash for me anymore)

 [2003-08-29 06:32 UTC] cristea at pntcd dot ro
I'm using php binary on win32. I cannot use this patch. Could this be included on http://snaps.php.net ?
 [2003-08-29 09:19 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Wed Apr 23 18:01:55 2014 UTC