php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73529 session_decode() silently fails on wrong input
Submitted: 2016-11-15 14:55 UTC Modified: 2016-11-27 01:26 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.1.0RC6 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: love at sickpeople dot se
New email:
PHP Version: OS:

 

 [2016-11-15 14:55 UTC] love at sickpeople dot se
Description:
------------
The session_decode() returns true on most invalid values. Eg NULL, ints, strings in wrong format and empty strings.

The docs state "Returns TRUE on success or FALSE on failure." and invalid input should be considered an error.

..

An important aspect of this is passing data serialized with another method than the current "session.serialize_handler". These should be considered an error as well. I think this is implied by the docs:

  "By default, the unserialization method used is internal to PHP, and is not the same as unserialize(). The serialization method can be set using session.serialize_handler."

The following two test scripts shows that setting A as serialize handler and passing input serialized with B leads to a silent error. The $_SESSION is not populated but true is returned.

Eg


/* Test 1 */

$data = array ('foo' => 'bar');

ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode (serialize ($data)));

var_dump ($_SESSION);


/* Test 2 */

ini_set ('session.serialize_handler', 'php_serialize');

session_start ();

var_dump (session_decode ('foo|s:3:"bar";'));

var_dump ($_SESSION);
 


Test script:
---------------
ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode ("foo"));


Expected result:
----------------
session_decode() to return false.

Actual result:
--------------
session_decode() returns true.

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-27 01:26 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2020-06-10 10:05 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #73529: session_decode() silently fails on wrong input
On GitHub:  https://github.com/php/php-src/pull/5698
Patch:      https://github.com/php/php-src/pull/5698.patch
 [2020-06-10 14:48 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=08858e7cca223f298e169ed275691769483b2064
Log: Fix #73529: session_decode() silently fails on wrong input
 [2020-06-10 14:48 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 08:01:29 2024 UTC