php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73529 session_decode() silently fails on wrong input
Submitted: 2016-11-15 14:55 UTC Modified: 2016-11-27 01:26 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: 7.1.0RC6 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: love at sickpeople dot se
New email:
PHP Version: OS:

 

 [2016-11-15 14:55 UTC] love at sickpeople dot se
Description:
------------
The session_decode() returns true on most invalid values. Eg NULL, ints, strings in wrong format and empty strings.

The docs state "Returns TRUE on success or FALSE on failure." and invalid input should be considered an error.

..

An important aspect of this is passing data serialized with another method than the current "session.serialize_handler". These should be considered an error as well. I think this is implied by the docs:

  "By default, the unserialization method used is internal to PHP, and is not the same as unserialize(). The serialization method can be set using session.serialize_handler."

The following two test scripts shows that setting A as serialize handler and passing input serialized with B leads to a silent error. The $_SESSION is not populated but true is returned.

Eg


/* Test 1 */

$data = array ('foo' => 'bar');

ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode (serialize ($data)));

var_dump ($_SESSION);


/* Test 2 */

ini_set ('session.serialize_handler', 'php_serialize');

session_start ();

var_dump (session_decode ('foo|s:3:"bar";'));

var_dump ($_SESSION);
 


Test script:
---------------
ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode ("foo"));


Expected result:
----------------
session_decode() to return false.

Actual result:
--------------
session_decode() returns true.

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-27 01:26 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Jun 20 19:01:26 2019 UTC