author | Yasuo Ohgaki <yohgaki@php.net> | 2016-01-15 10:19:01 +0900 |
---|---|---|
committer | Yasuo Ohgaki <yohgaki@php.net> | 2016-01-15 10:19:01 +0900 |
commit | 132d919c8597b3a06b2f03d04d8d8df5614dba4c (patch) | |
tree | b3d76bb111d883818661d064b92009ba225131fe | |
parent | 4ab7d6a5e1a8e9b5018af96b722e37ebcf313bad (diff) | |
parent | 8c37a086c78a66517967fcb809fb53297becfe42 (diff) | |
download | php-git-132d919c8597b3a06b2f03d04d8d8df5614dba4c.tar.gz |
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Improved fix for bug #68063 (Empty session IDs do still start sessions).
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/session/session.c | 10 | ||||
-rw-r--r-- | ext/session/tests/bug68063.phpt | 14 |
3 files changed, 14 insertions, 11 deletions
@@ -44,6 +44,7 @@ PHP NEWS immediately). (Laruence) - Session: + . Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo) . Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made diff --git a/ext/session/session.c b/ext/session/session.c index f5a399b75f..4b0643d021 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -522,7 +522,10 @@ static void php_session_initialize(void) /* {{{ */ } /* If there is no ID, use session module to create one */ - if (!PS(id)) { + if (!PS(id) || !ZSTR_VAL(PS(id))[0]) { + if (PS(id)) { + efree(PS(id)); + } PS(id) = PS(mod)->s_create_sid(&PS(mod_data)); if (!PS(id)) { php_session_abort(); @@ -2282,11 +2285,6 @@ static PHP_FUNCTION(session_start) RETURN_FALSE; } - if (PS(id) && !(ZSTR_LEN(PS(id)))) { - php_error_docref(NULL, E_WARNING, "Cannot start session with empty session ID"); - RETURN_FALSE; - } - /* set options */ if (options) { ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(options), num_idx, str_idx, value) { diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt index d3da470d06..ec3a70d156 100644 --- a/ext/session/tests/bug68063.phpt +++ b/ext/session/tests/bug68063.phpt 
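Review bot: In the php_session_initialize hunk, the added `efree(PS(id));` frees a value that the condition just above reads through `ZSTR_VAL`, i.e. a zend_string, and efree() looks at neither the string's refcount nor its interned flag. An empty ID reaches this branch from `session_id('')` or, per the test's own comment, from a client cookie, so the string may be shared or interned (this hunk does not show how it was allocated). If it is, the free corrupts the heap or leaves a dangling reference on a request-controlled path. Release it with `zend_string_release(PS(id));` instead, which handles both cases. The function body begins and ends outside the hunk.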
@@ -3,18 +3,22 @@ Bug #68063 (Empty session IDs do still start sessions) --SKIPIF-- <?php include('skipif.inc'); ?> --INI-- +session.use_strict_mode=0 +session.hash_function=1 +session.hash_bits_per_character=4 --FILE-- <?php +// Empty session ID may happen by browser bugs + // Could also be set with a cookie like "PHPSESSID=; path=/" session_id(''); -// Will still start the session and return true +// Start the session with empty string should result in new session ID var_dump(session_start()); -// Returns an empty string +// Returns newly created session ID var_dump(session_id()); ?> --EXPECTF-- -Warning: session_start(): Cannot start session with empty session ID in %s on line %d -bool(false) -string(0) "" +bool(true) +string(40) "%s" |
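Review bot: The expectation `string(40) "%s"` pins only the length of the regenerated ID, because `%s` accepts any characters. With `session.hash_bits_per_character=4` set in --INI-- the ID should be hexadecimal, so `string(40) "%x"` is the tighter match and would catch an ID built from the wrong alphabet. The comment names a cookie like "PHPSESSID=; path=/" as another source of an empty ID, but only the `session_id('')` path is exercised here. A companion test with a --COOKIE-- section would cover the request-driven case, if the harness setup allows it.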