Bug #71472 session_regenerate_id malfunctions with certain session handlers
Submitted: 2016-01-28 03:03 UTC Modified: 2016-01-28 03:49 UTC
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.0.2 OS:
Private report: No CVE-ID: None
 [2016-01-28 03:03 UTC] yohgaki@php.net
Description:
------------
session_regenerate_id() should open save handler before calling create_sid.


 [2016-01-28 03:48 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-01-28 03:49 UTC] yohgaki@php.net
Description from the PR

The current order of session_regenerate_id seems to be:

    PS(mod)->s_close
    PS(mod)->s_create_sid
    PS(mod)->s_open

This causes PS_CREATE_SID_FUNC to receive NULL data and it completely circumvents the original intention of PS_CREATE_SID_FUNC. (for example mod_files.c skips collision checks if data is NULL).

This doesn't seem to cause visible problems with built-in session handlers and not sure how to test this either.

t.php

<?php
ob_start();
ini_set ('session.save_path', '/tmp');

var_dump(session_start());
var_dump(session_regenerate_id(true));
?>

Relevant run on lldb:

lldb --file php -- t.php
(lldb) target create "/opt/php7/bin/php"
Current executable set to '/opt/php7/bin/php' (x86_64).
(lldb) settings set -- target.run-args  "t.php"
(lldb) breakpoint set --file mod_files.c --line 677
Breakpoint 1: where = php`ps_create_sid_files + 100 at mod_files.c:677, address = 0x00000001001cdc34
(lldb) run
Process 95005 launched: '/opt/php7/bin/php' (x86_64)
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p data
(ps_files *) $0 = 0x00000001020810f0
(lldb) p *data
(ps_files) $1 = (lastkey = 0x0000000000000000, basedir = "/tmp", basedir_len = 4, dirdepth = 0, st_size = 0, filemode = 384, fd = -1)
(lldb) cont
Process 95005 resuming
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p *data
error: Couldn't apply expression side effects : Couldn't dematerialize a result variable: couldn't read its memory
(lldb) p data
(ps_files *) $3 = 0x0000000000000000

	@mkoppanen 	Session regenerate id seems to malfunction with 3rd party session han… …
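The call order described in the comment above, as an added toy model in C (not php-src code and not part of the original report): it shows how a collision check of the form `if (data && ...)` is silently skipped when create_sid runs between close and open, and is applied once the handler is opened first. All names, the counter-based ID generator and the stored ID `sid-0` are constructed for illustration.

```c
/* Added illustration: a toy model, not php-src code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *existing; } store_t;   /* stands in for ps_files */
static store_t backing = { "sid-0" };  /* constructed: one session already stored */
static store_t *mod_data;              /* stands in for the handler's mod_data */
static int counter;                    /* deterministic "random" source for the demo */

static void h_open(void)  { mod_data = &backing; }
static void h_close(void) { mod_data = NULL; }

static int key_exists(const store_t *d, const char *sid) {
    return strcmp(d->existing, sid) == 0;
}

/* Same shape as the check at mod_files.c:677: no handler data, no collision check. */
static const char *h_create_sid(store_t *data, char *buf, size_t n) {
    for (;;) {
        snprintf(buf, n, "sid-%d", counter++);
        if (data && key_exists(data, buf)) continue;  /* collision: draw again */
        return buf;
    }
}

/* Order reported in the bug: close, create_sid, open. */
static const char *regenerate_reported_order(char *buf, size_t n) {
    h_close();
    h_create_sid(mod_data, buf, n);   /* mod_data is NULL here, check is skipped */
    h_open();
    return buf;
}

/* Order the report asks for: the handler is open before create_sid runs. */
static const char *regenerate_open_first(char *buf, size_t n) {
    h_close();
    h_open();
    h_create_sid(mod_data, buf, n);   /* mod_data is valid, check is applied */
    return buf;
}

int main(void) {
    char a[16], b[16];
    h_open(); counter = 0;
    printf("reported order: %s\n", regenerate_reported_order(a, sizeof a));
    h_open(); counter = 0;
    printf("open first:     %s\n", regenerate_open_first(b, sizeof b));
    return 0;
}
```

With the reported order the new ID equals the already stored `sid-0`; with the handler opened first the generator draws again and returns `sid-1`.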
 [2016-01-28 04:31 UTC] yohgaki@php.net
Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers
 [2016-01-28 04:31 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-04-18 09:29 UTC] bwoebi@php.net
Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers
Last updated: Sun Nov 27 05:05:53 2022 UTC