Bug #71038 session_start() returns TRUE on failure
Submitted: 2015-12-05 15:27 UTC Modified: 2016-10-16 08:58 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: pfenderd at bellsouth dot net Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 7.1.0RC3 OS: Irrelevant
Private report: No CVE-ID:
 [2015-12-05 15:27 UTC] pfenderd at bellsouth dot net
Description:
------------
On a hosting server, the /tmp file system was mounted as read-only.
The function session_start() returned TRUE on failure to open a session file. It should have returned FALSE.
There is a Warning message issued by PHP but it should have been an ERROR message.


Test script:
---------------
<?php
session_start();
session_write_close();


Expected result:
----------------
session_start needs to return FALSE on failure to open a session.

Actual result:
--------------
Warning: session_start(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php:2) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_write_close(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3

Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3


 [2015-12-09 14:53 UTC] laruence@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-12-09 14:53 UTC] laruence@php.net
Please have a look, it's a little weird that s_open doesn't verify the path first.
 [2015-12-09 21:51 UTC] yohgaki@php.net
Sure.
 [2015-12-10 12:44 UTC] yohgaki@php.net
-Status: Assigned +Status: Analyzed
 [2015-12-10 12:44 UTC] yohgaki@php.net
I have to change session internal functions (php_session_flush, php_session_save_current_state, etc.) so that they return SUCCESS/FAILURE. These functions are static and may be changed in released versions. I'll modify these for 5.6/7.0. I have to look into the save handler code more closely to see if I can change it without compatibility issues. I guess I can, since the current save handler has stricter rules for return values.
 [2015-12-16 01:18 UTC] yohgaki@php.net
The return value of a PHPAPI function needs to be changed to fix this.
The fix will only be applied to the next minor version at best, i.e. 7.1 or later.
 [2016-01-12 11:48 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a15e9ccba8a34553c029fb4574edba87c76447e5
Log: Fixed Bug #71038 session_start() returns TRUE on failure
 [2016-01-12 11:48 UTC] yohgaki@php.net
-Status: Analyzed +Status: Closed
 [2016-01-12 11:50 UTC] yohgaki@php.net
I used PS(session_status) to fix this.
PHP 5.6 still returns TRUE on read failure to keep compatibility for buggy save handlers.
PHP 7.0 and up treat read errors strictly.
 [2016-10-06 08:05 UTC] yohgaki@php.net
-Status: Closed +Status: Re-Opened -Operating System: Linux +Operating System: Irrelevant -PHP Version: 5.6.16 +PHP Version: 7.1.0RC3
 [2016-10-06 08:05 UTC] yohgaki@php.net
There is still a case that starts the session and initializes $_SESSION on error. Bug #73245
 [2016-10-16 08:58 UTC] yohgaki@php.net
Sorry for the late fix of an important bug. I was thinking of creating a new RFC for this, but I forgot it completely.

This kind of bug fix can only be in a minor release. If the RM feels it is too late/large at this point, I don't mind applying this only to the master branch.
 [2016-11-17 02:09 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167
 [2016-11-17 02:09 UTC] yohgaki@php.net
-Status: Re-Opened +Status: Closed
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167
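
An added example, not part of the report or of php-src: because the thread shows that the return value of session_start() alone could not be relied on in affected versions, calling code can fail closed by combining the return value, session_status() and any warning raised during the call. The helper name start_session_or_fail() is hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not php-src code): start a session and
 * fail closed if the save handler could not open or read the session data.
 */
function start_session_or_fail(array $options = []): void
{
    $warnings = [];

    // Collect warnings/notices raised by session_start() instead of printing
    // them; printed output is what leads to "headers already sent".
    set_error_handler(
        static function (int $severity, string $message) use (&$warnings): bool {
            $warnings[] = $message;
            return true; // handled, suppress default output
        },
        E_WARNING | E_NOTICE
    );

    try {
        $returned = session_start($options);
    } finally {
        restore_error_handler();
    }

    // Three independent signals; any one of them means the session is unusable.
    $active = session_status() === PHP_SESSION_ACTIVE;
    if ($returned !== true || !$active || $warnings !== []) {
        if ($active) {
            session_abort(); // drop the half-initialised session without writing
        }
        throw new RuntimeException(
            'Session could not be started: ' . (implode('; ', $warnings) ?: 'no diagnostic')
        );
    }
}

try {
    start_session_or_fail();
    $_SESSION['seen'] = ($_SESSION['seen'] ?? 0) + 1;
    session_write_close();
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    http_response_code(503); // refuse the request rather than run without session state
}
```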
 
Last updated: Sat Apr 29 07:01:45 2017 UTC