Sec Bug #79892 session.use_strict_mode and SessionHandlerInterface mismatch
Submitted: 2020-07-24 04:15 UTC Modified: 2020-07-28 18:31 UTC
From: ce dot ceo at cybercoment dot com Assigned: cmb (profile)
Status: Closed Package: Documentation problem
PHP Version: 7.4.8 OS: alpine
Private report: No CVE-ID: None
 [2020-07-24 04:15 UTC] ce dot ceo at cybercoment dot com
Description:
------------
---
From manual page: https://php.net/class.sessionhandlerinterface
---

Steps to reproduce:
1. Implement a custom session handler as documented.
2. Turn on use_strict_mode as documented.
3. Spoof session id

The custom session handler interface documentation needs to be updated to include mention of validateId; otherwise there is a session fixation vulnerability despite the fact the developer very intently set the documented setting which is supposed to avoid it.

Neither the documentation for the setting nor the documentation for SessionHandlerInterface references the other, nor does either reference the secret validateId method.

Expected result:
----------------
Spoofed session id is not used

Actual result:
--------------
Spoofed session id is used.
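The gap described in this report is that `session.use_strict_mode` can only reject a client-supplied ID if the custom handler tells PHP whether that ID exists, which is done through `SessionUpdateTimestampHandlerInterface::validateId()`. The following is an added example, not code from the report or from the PHP manual: a hypothetical in-memory handler (`StrictArrayHandler`) that implements both interfaces, followed by a simulated spoofed cookie. It assumes PHP 7.4 or later and a CLI run where `$_COOKIE` can be populated by hand.

```php
<?php
// Added example (hypothetical class, constructed in-memory store): a custom session
// handler that also implements SessionUpdateTimestampHandlerInterface, so that
// session.use_strict_mode=1 can refuse IDs the server never issued.
final class StrictArrayHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, string> session id => serialized session data */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int { return 0; }

    // With use_strict_mode=1, PHP calls this for the ID presented by the client.
    // Returning false makes PHP discard that ID and generate a fresh one, which is
    // what prevents an attacker-chosen ID from being adopted (session fixation).
    // A handler that implements only SessionHandlerInterface offers PHP no way to
    // ask this question, so the presented ID is used as-is, as the report describes.
    public function validateId(string $id): bool
    {
        return isset($this->store[$id]);
    }

    // Called instead of write() when only the last-access timestamp needs refreshing.
    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

ini_set('session.use_strict_mode', '1');
session_set_save_handler(new StrictArrayHandler(), true);

// Simulate the "spoof session id" step: a cookie carrying an ID the server never issued.
$_COOKIE[session_name()] = 'attacker-chosen-id';   // constructed value
session_start();

// Expected with validateId() in place: the spoofed ID is rejected and a new one is issued.
var_dump(session_id() !== 'attacker-chosen-id');
```

Remove the `SessionUpdateTimestampHandlerInterface` implementation (the two methods and the `implements` clause) and rerun to reproduce the reported behaviour: `session_id()` then equals the spoofed value even though strict mode is on.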

 [2020-07-25 07:26 UTC] stas@php.net
-Assigned To: +Assigned To: yohgaki
 [2020-07-27 15:38 UTC] cmb@php.net
-Assigned To: yohgaki +Assigned To: cmb
 [2020-07-27 15:38 UTC] cmb@php.net
I just landed <http://svn.php.net/viewvc?view=revision&revision=350221>,
which should fix this issue.  Can you please verify, ce dot ceo?
 [2020-07-27 18:39 UTC] ce dot ceo at cybercoment dot com
Is there any way to view the documentation in the final form? It is very difficult to read the XML
 [2020-07-27 20:39 UTC] cmb@php.net
Sorry, I forgot to mention <http://docs.php.net/>.  The most important change: <http://docs.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode>.
 [2020-07-28 11:03 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2020-07-28 11:03 UTC] cmb@php.net
Since the doc update has been rolled out to the online manual, and
this ticket is no longer private for some reason, I'm closing it.
If there's anything to be improved, please say so. :)

And, of course, thanks for reporting the issue!
 [2020-07-28 18:31 UTC] ce dot ceo at cybercoment dot com
I comme
 [2020-07-28 18:34 UTC] ce dot ceo at cybercoment dot com
I commented earlier but it seems to have been lost. Maybe that's what triggered the conversion from private? When I entered my password to comment, it also submitted the draft comment =(

Anyway, I think these details should also be added to http://docs.php.net/manual/en/class.sessionhandlerinterface.php#class.sessionhandlerinterface and http://docs.php.net/manual/en/class.sessionhandler.php
 [2020-07-31 00:35 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=692dccb19d4f94f9f719639f5b1ee396ba80fa3a
Log: Remove out-dated Windows related info Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 [2020-07-31 01:10 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=d9d7e88353206893f16f8a00de95a5232320aa19
Log: Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 [2020-07-31 15:05 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=94bb1f0c5b7e1917ba3ce73e4c52c21c1843622e
Log: Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=1fbf18a20b8e3f40b5473daf3c4318120b63a0e3
Log: Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=be5c50b19cf14794b66eb55b98d894abcad780df
Log: Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=600bed703eaecb7a52d955302c31e68c2d32d37d
Log: Remove out-dated Windows related info Fix #79892: session.use_strict_mode and SessionHandlerInterface mismatch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 16 05:01:35 2024 UTC