PHP :: Bug #5953 :: Session invalidates when newline character is inserted into a session variable

Bug #5953	Session invalidates when newline character is inserted into a session variable
Submitted:	2000-08-04 08:09 UTC	Modified:	2000-08-05 12:24 UTC
From:	mbeers at udeco dot com	Assigned:
Status:	Closed	Package:	Session related
PHP Version:	4.0.1pl2	OS:	Windows 2000
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mbeers at udeco dot com
New email:
PHP Version:		OS:

New Comment:

[2000-08-04 08:09 UTC] mbeers at udeco dot com

If you take a form with a textfield on it and enter some text, including hit enter a couple of times, and store that information in a session variable, when you later try to access that variable (or any variables registered after that one) it is invalidated. 

It seems that when the session file is created, the newline character creates a second line (on win32 anyway) and I  suppose that the code that reads the encoded session reads a line at a time, thereby missing the second line of information and invalidating any variables occurring after the one with newline charaters in it.  We worked around this particular problem by replacing \n with another character, and this kept the session intact. (Please note that the \r character remained in the string, but win32 of course does not recognize that as eol)

This was only tested on IE5, but not Netscape or earlier versions of IE.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-08-04 13:29 UTC] stas@php.net

Probably the cause is that session file is opened in the text mode. Can anybody with Windows verify that?

[2000-08-04 21:11 UTC] waldschrott@php.net

I could not reproduce this, please provide a short code
fragment reproducing this behaviour...

[2000-08-04 21:12 UTC] mbeers at udeco dot com

well, I tiptoed through the ms documentation fopen and _open and according to them the default mode for the open operations is _O_TEXT. Unless it is explicitly overriden, then it is text mode.

[2000-08-04 21:30 UTC] mbeers at udeco dot com

Here is some sample code to reproduce the problem:
<? 
session_start();
session_register("beforeLF");
session_register("testVarLF");
session_register("testVarNoLF");

$beforeLF = "A string before that with linefeeds";
$testVarNoLF = "A string without linefeeds";
$testVarLF = "A string with linefeeds\nmore\nmore\n";

print "click <a href=\"test2.php\">here</a> to continue<br><br>";
?>
beforeLF:
<pre><?= $beforeLF ?></pre>
end;
<br><br>
testVarLF:
<pre><?= $testVarLF ?></pre>
end;
<br><br>
testVarNoLF:
<pre><?= $testVarNoLF ?></pre>
end;

in another file (in this case called test2.php):
<? 
session_start();
?>
beforeLF:
<pre><?= $beforeLF ?></pre>
end;
<br><br>
testVarLF:
<pre><?= $testVar ?></pre>
end of the output of the testVar
<br><br>
testVarNoLF:
<pre><?= $testVarNoLF ?></pre>
end;

On my system, the variables don't print out at all. However, if you comment out the $testVarLF variable in the first file, everything comes out fine. (except of course a value for that variable, because it is not set). Also, if you change it to not include newline characters, it works.

[2000-08-04 21:40 UTC] mbeers at udeco dot com

It is an issue of the session files being opened in text mode. I added | O_BINARY to all of the V_OPEN calls in files_mod.c and recompiled, and now the example I just posted works. (this is using the snapshot from yesterday morning). I don't know if this has any implications elsewhere, but it does work now.

thanks

[2000-08-04 22:42 UTC] mbeers at udeco dot com

It is an issue of the session files being opened in text mode. I added | O_BINARY to all of the V_OPEN calls in files_mod.c and recompiled, and now the example I just posted works. (this is using the snapshot from yesterday morning). I don't know if this has any implications elsewhere, but it does work now.

thanks

[2000-08-05 12:14 UTC] stas@php.net

Well, that's bad. Session files should be opened in binary mode. If nobody fixes it, I'll fix it in couple of days.

[2000-08-05 12:24 UTC] stas@php.net

Fixed in CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 08:01:28 2024 UTC