php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60860 session.save_handler=user without defined function core dumps
Submitted: 2012-01-23 20:46 UTC Modified: 2012-01-28 21:02 UTC
From: bfrance@php.net Assigned: felipe
Status: Closed Package: Session related
PHP Version: 5.3.9 OS: Fedora, RHEL, OS X
Private report: No CVE-ID:
 [2012-01-23 20:46 UTC] bfrance@php.net
Description:
------------
The following script will core dump because the save_handlers have not been defined, but the session extension is not checking to make sure the functions are not null before trying to call them.

I would expect an error, but not a core dump.

I think the fix would be in mod_user.c to add a check in PS_OPEN_FUNC, PS_CLOSE_FUNC, PS_READ_FUNC, PS_WRITE_FUNC, PS_DESTROY_FUNC, PS_GC_FUNC with something like this:

----
  if (PSF(open) == NULL) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING, "user session handler open not found");
    return FAILURE;
  }
----

Or maybe the error "User session functions not configured" or something.

The problem I have with the patch is that it needs TSRMLS_CC, which the PS function don't pass in and I don't know enough about the threading stuff to fix.


Test script:
---------------
% php -d session.save_handler=user
<?PHP
session_start();
var_dump($_SESSION);
?>


Expected result:
----------------
Expecting a warning about how the user session function are not defined/set.

Actual result:
--------------
This is a backtrace from running under Apache 2.x

#0  zend_is_callable_ex (callable=0x0, object_ptr=0x0, check_flags=8, callable_name=0xffffaf48, callable_name_len=0xffffae8c, fcc=0xffffaf50, error=0xffffaf4c)
    at php-5.3.9/Zend/zend_API.c:2718
#1  0xf72e150a in zend_call_function (fci=0xffffaff0, fci_cache=0xffffaf50) at php-5.3.9/Zend/zend_execute_API.c:817
#2  0xf72e21c1 in call_user_function_ex (function_table=0x81f43f8, object_pp=0x0, function_name=0xffffaf4c, retval_ptr_ptr=0xffffaf4c, param_count=4294946636, params=0xffffaf4c, no_separation=-20660, 
    symbol_table=0xffffaf4c) at php-5.3.9/Zend/zend_execute_API.c:758
#3  0xf72e2235 in call_user_function (function_table=0x81f43f8, object_pp=0x0, function_name=0x0, retval_ptr=0xf6cc7d10, param_count=2, params=0xffffb0c0)
    at php-5.3.9/Zend/zend_execute_API.c:731
#4  0xf6a35fcf in ps_call_handler (func=0x0, argc=2, argv=0xffffb0c0) at php-5.3.9/ext/session/mod_user.c:53
#5  0xf6a360e7 in ps_open_user (mod_data=0xffffaf4c, save_path=0xf6a36a49 "", session_name=0xf6a3675f "YBY") at php-5.3.9/ext/session/mod_user.c:93
#6  0xf6a32951 in php_session_start () at php-5.3.9/ext/session/session.c:512
#7  0xf6a34784 in zif_session_start (ht=0, return_value=0xf6cc7b00, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at php-5.3.9/ext/session/session.c:1911
#8  0xf7315474 in zend_do_fcall_common_helper_SPEC (execute_data=0xf654f028) at php-5.3.9/Zend/zend_vm_execute.h:320
#9  0xf73144ba in execute (op_array=0xf6cc7a1c) at php-5.3.9/Zend/zend_vm_execute.h:107
#10 0xf72f0e31 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at php-5.3.9/Zend/zend.c:1237
#11 0xf7294be4 in php_execute_script (primary_file=0xffffd5d0) at php-5.3.9/main/main.c:2343
#12 0xf737ae3d in php_handler (r=0x82c6588) at php-5.3.9/sapi/apache2handler/sapi_apache2.c:685
#13 0x08074ddd in ap_run_handler (r=0x82c6588) at config.c:157
#14 0x080751c1 in ap_invoke_handler (r=0x82c6588) at config.c:376
#15 0x08081d22 in ap_process_request (r=0x82c6588) at http_request.c:282
#16 0x0807f31a in ap_process_http_connection (c=0x82c23b8) at http_core.c:190
#17 0x0807b971 in ap_run_process_connection (c=0x82c23b8) at connection.c:43
#18 0x080868b7 in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at prefork.c:667
#19 0x08086ab1 in make_child (s=0x80aafd0, slot=0) at prefork.c:712
#20 0x08087153 in ap_mpm_run (_pconf=0x80a90d8, plog=0x80d7190, s=0x80aafd0) at prefork.c:990
#21 0x08063047 in main (argc=2, argv=0xffffdb74) at main.c:739


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-28 01:24 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=322897
Log: - Fixed bug #60860 (session.save_handler=user without defined function core dumps)
 [2012-01-28 01:25 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: felipe
 [2012-01-28 01:25 UTC] felipe@php.net
I've committed a fix in trunk, I'll check if it's ok to other branches.
 [2012-01-28 21:02 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=322909
Log: - Fixed bug #60860 (session.save_handler=user without defined function core dumps)
 [2012-01-28 21:02 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-01-28 21:02 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=acaf9c5227d75321def26ec5631def2fbb58feb2
Log: - Fixed bug #60860 (session.save_handler=user without defined function core dumps)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=acaf9c5227d75321def26ec5631def2fbb58feb2
Log: - Fixed bug #60860 (session.save_handler=user without defined function core dumps)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=acaf9c5227d75321def26ec5631def2fbb58feb2
Log: - Fixed bug #60860 (session.save_handler=user without defined function core dumps)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 19:01:53 2014 UTC