php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69952 Data integrity issues accessing superglobals by reference
Submitted: 2015-06-27 17:06 UTC Modified: 2015-06-28 14:28 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: michael dot babker at gmail dot com Assigned: bwoebi
Status: Closed Package: Session related
PHP Version: 7.0.0alpha2 OS: N/A
Private report: No CVE-ID:
 [2015-06-27 17:06 UTC] michael dot babker at gmail dot com
Description:
------------
Within Joomla, our input retrieval and setting API accesses the superglobals by reference.  It appears because of some of the engine refactoring, accessing the same data is not working the same way.  In the case of Joomla, this is most evident in our session boot sequence (extracted into the test script below) where data validated in the $_COOKIE superglobal is no longer returned correctly.

Test script:
---------------
https://github.com/mbabker/session-test/blob/purephp/index.php

Expected result:
----------------
On each execution of the script, the session counter should increment by one.

Actual result:
--------------
On each execution of the script, the session counter's value is one.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-28 12:22 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-06-28 12:22 UTC] cmb@php.net
I can confirm the issue. The following test script is sufficient
to reproduce it:

    <?php
    $cookieData = &$_COOKIE;
    session_start();
    var_dump($_SESSION);
    $_SESSION['foo'] = 'bar';

Apparently, the by-ref assignment causes a new session to be
created on each request.

@michael: The condition of the outermost if statement in your test
script is always FALSE, because a variable can't be isset() and
is_null().
 [2015-06-28 14:09 UTC] michael dot babker at gmail dot com
Ya, that was just me trying to reproduce what our internal code actually does as close as possible (the isset is part of our input API and the is_null check in the session startup).  Either way, glad to see I haven't completely lost it :-)
 [2015-06-28 14:28 UTC] bwoebi@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: bwoebi
 [2015-06-28 14:31 UTC] bwoebi@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b477aa1fad6cac41ee6959921b229cb3dba79e6e
Log: Fix bug #69952 (Dereferencing issue in session_start())
 [2015-06-28 14:31 UTC] bwoebi@php.net
-Status: Assigned +Status: Closed
 [2015-07-07 23:37 UTC] ab@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b477aa1fad6cac41ee6959921b229cb3dba79e6e
Log: Fix bug #69952 (Dereferencing issue in session_start())
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b477aa1fad6cac41ee6959921b229cb3dba79e6e
Log: Fix bug #69952 (Dereferencing issue in session_start())
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Apr 29 17:01:36 2017 UTC