summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikita Popov <nikita.ppv@gmail.com>2019-09-25 11:03:19 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-09-25 11:03:19 +0200
commitfb60ccc666e5b7245e7abf13314e79d9986b5b4e (patch)
tree31e0c6cd49238d488c40d6195df93502400ec7ab
parentde6b76805da6f7b3a69b364f1352e6408ff682e9 (diff)
parentb8ef7c35abd31666d9fb317db4b09a9eef0ede6c (diff)
downloadphp-git-fb60ccc666e5b7245e7abf13314e79d9986b5b4e.tar.gz
Merge branch 'PHP-7.4'
Diffstat
-rw-r--r--ext/session/session.c9
-rw-r--r--ext/standard/tests/serialize/bug70219.phpt17
-rw-r--r--ext/standard/tests/serialize/bug70219_1.phpt11
3 files changed, 16 insertions, 21 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index 75ac465c7f..2e5cddcbb7 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -245,11 +245,18 @@ static zend_string *php_session_encode(void) /* {{{ */
static int php_session_decode(zend_string *data) /* {{{ */
{
+ int res;
if (!PS(serializer)) {
php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
return FAILURE;
}
- if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {
+ /* Make sure that any uses of unserialize() during session decoding do not share
+ * state with any unserialize() that is already in progress (e.g. because we are
+ * currently inside Serializable::unserialize(). */
+ BG(serialize_lock)++;
+ res = PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data));
+ BG(serialize_lock)--;
+ if (res == FAILURE) {
php_session_destroy();
php_session_track_init();
php_error_docref(NULL, E_WARNING, "Failed to decode session object. Session has been destroyed");
diff --git a/ext/standard/tests/serialize/bug70219.phpt b/ext/standard/tests/serialize/bug70219.phpt
index ddd2f317df..a97caf6c2b 100644
--- a/ext/standard/tests/serialize/bug70219.phpt
+++ b/ext/standard/tests/serialize/bug70219.phpt
@@ -4,8 +4,6 @@ Bug #70219 Use after free vulnerability in session deserializer
<?php
if (!extension_loaded('session')) die('skip session extension not available');
?>
---XFAIL--
-Unfinished merge, needs fix.
--FILE--
<?php
class obj implements Serializable {
@@ -32,15 +30,6 @@ var_dump($data);
?>
--EXPECTF--
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
-array(2) {
- [0]=>
- object(obj)#%d (1) {
- ["data"]=>
- NULL
- }
- [1]=>
- &array(1) {
- ["data"]=>
- NULL
- }
-}
+
+Notice: unserialize(): Error at offset 55 of 56 bytes in %s on line %d
+bool(false)
diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt
index 6bbc593b34..6492a9a21e 100644
--- a/ext/standard/tests/serialize/bug70219_1.phpt
+++ b/ext/standard/tests/serialize/bug70219_1.phpt
@@ -18,6 +18,7 @@ class obj implements Serializable {
}
function unserialize($data) {
session_decode($data);
+ return null;
}
}
@@ -33,20 +34,18 @@ for ($i = 0; $i < 5; $i++) {
var_dump($data);
var_dump($_SESSION);
?>
---EXPECTF--
+--EXPECT--
array(2) {
[0]=>
- object(obj)#%d (1) {
+ object(obj)#1 (1) {
["data"]=>
NULL
}
[1]=>
- object(obj)#%d (1) {
+ object(obj)#2 (1) {
["data"]=>
NULL
}
}
-object(obj)#1 (1) {
- ["data"]=>
- NULL
+array(0) {
}
View Lorry Controller Status