diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-25 11:03:19 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-25 11:03:19 +0200 |
commit | fb60ccc666e5b7245e7abf13314e79d9986b5b4e (patch) | |
tree | 31e0c6cd49238d488c40d6195df93502400ec7ab | |
parent | de6b76805da6f7b3a69b364f1352e6408ff682e9 (diff) | |
parent | b8ef7c35abd31666d9fb317db4b09a9eef0ede6c (diff) | |
download | php-git-fb60ccc666e5b7245e7abf13314e79d9986b5b4e.tar.gz |
Merge branch 'PHP-7.4'
-rw-r--r-- | ext/session/session.c | 9 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug70219.phpt | 17 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug70219_1.phpt | 11 |
3 files changed, 16 insertions, 21 deletions
diff --git a/ext/session/session.c b/ext/session/session.c index 75ac465c7f..2e5cddcbb7 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -245,11 +245,18 @@ static zend_string *php_session_encode(void) /* {{{ */ static int php_session_decode(zend_string *data) /* {{{ */ { + int res; if (!PS(serializer)) { php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object"); return FAILURE; } - if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) { + /* Make sure that any uses of unserialize() during session decoding do not share + * state with any unserialize() that is already in progress (e.g. because we are + * currently inside Serializable::unserialize(). */ + BG(serialize_lock)++; + res = PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)); + BG(serialize_lock)--; + if (res == FAILURE) { php_session_destroy(); php_session_track_init(); php_error_docref(NULL, E_WARNING, "Failed to decode session object. Session has been destroyed"); diff --git a/ext/standard/tests/serialize/bug70219.phpt b/ext/standard/tests/serialize/bug70219.phpt index ddd2f317df..a97caf6c2b 100644 --- a/ext/standard/tests/serialize/bug70219.phpt +++ b/ext/standard/tests/serialize/bug70219.phpt @@ -4,8 +4,6 @@ Bug #70219 Use after free vulnerability in session deserializer <?php if (!extension_loaded('session')) die('skip session extension not available'); ?> ---XFAIL-- -Unfinished merge, needs fix. --FILE-- <?php class obj implements Serializable { @@ -32,15 +30,6 @@ var_dump($data); ?> --EXPECTF-- Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d -array(2) { - [0]=> - object(obj)#%d (1) { - ["data"]=> - NULL - } - [1]=> - &array(1) { - ["data"]=> - NULL - } -} + +Notice: unserialize(): Error at offset 55 of 56 bytes in %s on line %d +bool(false) diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt index 6bbc593b34..6492a9a21e 100644 --- a/ext/standard/tests/serialize/bug70219_1.phpt +++ b/ext/standard/tests/serialize/bug70219_1.phpt @@ -18,6 +18,7 @@ class obj implements Serializable { } function unserialize($data) { session_decode($data); + return null; } } @@ -33,20 +34,18 @@ for ($i = 0; $i < 5; $i++) { var_dump($data); var_dump($_SESSION); ?> ---EXPECTF-- +--EXPECT-- array(2) { [0]=> - object(obj)#%d (1) { + object(obj)#1 (1) { ["data"]=> NULL } [1]=> - object(obj)#%d (1) { + object(obj)#2 (1) { ["data"]=> NULL } } -object(obj)#1 (1) { - ["data"]=> - NULL +array(0) { } |