PHP :: Bug #71038 :: session_start() returns TRUE on failure

Bug #71038

session_start() returns TRUE on failure

Submitted:

2015-12-05 15:27 UTC

Modified:

2016-10-16 08:58 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

pfenderd at bellsouth dot net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

7.1.0RC3

OS:

Irrelevant

Private report:

CVE-ID:

None

View Developer Edit

[2015-12-05 15:27 UTC] pfenderd at bellsouth dot net

Description:
------------
On a hosting server, the /tmp file system was mounted as read-only.
The function session_start() returned TRUE on failure to open a session file. It should have returned FALSE.
There is a Warning message issued by PHP but it should have been an ERROR message.


Test script:
---------------
session_start();
session_write_close();


Expected result:
----------------
session_start needs to return FALSE on failure to open a session.

Actual result:
--------------
Warning: session_start(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php:2) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_write_close(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3

Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3

Patches

Pull Requests

Pull requests:

Fix bug #71038 - session_start() returns true even when it failed (php-src/2167)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-12-09 14:53 UTC] laruence@php.net

-Assigned To: +Assigned To: yohgaki

[2015-12-09 14:53 UTC] laruence@php.net

please have a look, it's a little weird s_open doesn't verify the path first..

[2015-12-09 21:51 UTC] yohgaki@php.net

Sure.

[2015-12-10 12:44 UTC] yohgaki@php.net

-Status: Assigned +Status: Analyzed

[2015-12-10 12:44 UTC] yohgaki@php.net

I have to change session internal functions (php_session_flush, php_session_save_current_state, etc) so that they return SUCCESS/FAILURE. These functions are static and may be changed in released versions. I'll modify these for 5.6/7.0. I have to look into save handler code more closely if I can change without compatibility issues. I guess I can since current save handler has stricter rules for return values.

[2015-12-16 01:18 UTC] yohgaki@php.net

Return value of PHPAPI function is needed to be changed to fix this.
The fix will only be applied to next minor version at best. i.e. 7.1 or later.

[2016-01-12 11:48 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a15e9ccba8a34553c029fb4574edba87c76447e5
Log: Fixed Bug #71038 session_start() returns TRUE on failure

[2016-01-12 11:48 UTC] yohgaki@php.net

-Status: Analyzed +Status: Closed

[2016-01-12 11:50 UTC] yohgaki@php.net

I used PS(session_status) to fix this. 
PHP 5.6 still returns TURE on read failure to keep compatibility for buggy save handlers.
PHP 7.0 and up are treats read error strictly.

[2016-01-14 04:24 UTC] yohgaki@php.net

Related To: Bug #69964

[2016-10-06 08:05 UTC] yohgaki@php.net

-Status: Closed +Status: Re-Opened -Operating System: Linux +Operating System: Irrelevant -PHP Version: 5.6.16 +PHP Version: 7.1.0RC3

[2016-10-06 08:05 UTC] yohgaki@php.net

There is a case still start session and initialize $_SESSION with error. Bug #73245

[2016-10-06 08:07 UTC] yohgaki@php.net

Related To: Bug #73245

[2016-10-16 08:58 UTC] yohgaki@php.net

Sorry for late important bug fix. I was thinking to create a new RFC for this, but I forgot it completely.

This kind of bug fix can only be in minor release. If RM feels to late/large at this point. I don't mind applying this only to master branch.

[2016-11-17 02:09 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167

[2016-11-17 02:09 UTC] yohgaki@php.net

-Status: Re-Opened +Status: Closed

[2017-01-12 09:12 UTC] krakjoe@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167

[2017-09-19 14:43 UTC] requinix@php.net

Related To: Bug #75227

[2018-05-22 09:21 UTC] requinix@php.net

Related To: Bug #76358

[2018-05-22 10:03 UTC] tony at marston-home dot demon dot co dot uk

Related To: Bug #76358

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 10:01:29 2024 UTC