authorYasuo Ohgaki <yohgaki@php.net>2016-11-10 16:03:41 +0900
committerJoe Watkins <krakjoe@php.net>2016-11-16 05:08:28 +0000
commit6230c2bad089bfbf518b64ef0868bf9d55a2145c (patch)
treea93a4ab30d0ff32c855a617326750da52afc08cd /ext/session/mod_user.c
parentd6c36e9af7ce43445b823e9a3b96868cf60fa7ed (diff)
Fix Bug #73461
This patch disables any invalid save handler calls.
Diffstat (limited to 'ext/session/mod_user.c')
-rw-r--r--ext/session/mod_user.c82
1 files changed, 82 insertions, 0 deletions
diff --git a/ext/session/mod_user.c b/ext/session/mod_user.c
index 0cdbaf96f9..0a54204cc9 100644
--- a/ext/session/mod_user.c
+++ b/ext/session/mod_user.c
@@ -75,7 +75,15 @@ PS_OPEN_FUNC(user)
zval args[2];
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
if (Z_ISUNDEF(PSF(open))) {
+ PS(in_save_handler) = 0;
php_error_docref(NULL, E_WARNING,
"user session functions not defined");
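Review bot: The guard at the top of PS_OPEN_FUNC clears the flag it has just tested (`PS(in_save_handler) = 0;` before the warning), although the outer handler that set it is still on the stack. After one rejected nested call the flag is 0, so a second nested call made from the same user handler passes the check and runs recursively, which is the situation this patch sets out to block. The same line appears in the guards of the close, read, write, destroy, gc, create_sid, validate_sid and update_timestamp handlers. I would remove it from the guard and leave the reset to the frame that set the flag, so the rejecting branch is only the `php_error_docref(...)` call and `return FAILURE;`. PS_OPEN_FUNC continues outside this hunk.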
@@ -88,6 +96,7 @@ PS_OPEN_FUNC(user)
zend_try {
ps_call_handler(&PSF(open), 2, args, &retval);
} zend_catch {
+ PS(in_save_handler) = 0;
PS(session_status) = php_session_none;
if (!Z_ISUNDEF(retval)) {
zval_ptr_dtor(&retval);
@@ -97,6 +106,7 @@ PS_OPEN_FUNC(user)
PS(mod_user_implemented) = 1;
+ PS(in_save_handler) = 0;
FINISH;
}
@@ -105,8 +115,16 @@ PS_CLOSE_FUNC(user)
zend_bool bailout = 0;
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
if (!PS(mod_user_implemented)) {
/* already closed */
+ PS(in_save_handler) = 0;
return SUCCESS;
}
@@ -119,12 +137,14 @@ PS_CLOSE_FUNC(user)
PS(mod_user_implemented) = 0;
if (bailout) {
+ PS(in_save_handler) = 0;
if (!Z_ISUNDEF(retval)) {
zval_ptr_dtor(&retval);
}
zend_bailout();
}
+ PS(in_save_handler) = 0;
FINISH;
}
@@ -133,6 +153,13 @@ PS_READ_FUNC(user)
zval args[1];
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
ZVAL_STR_COPY(&args[0], key);
ps_call_handler(&PSF(read), 1, args, &retval);
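Review bot: In PS_READ_FUNC the flag is set before `ps_call_handler(&PSF(read), ...)` and cleared only on the normal return path, and no `zend_try`/`zend_catch` is visible around the call as there is in the open handler. If the user callback bails out, `PS(in_save_handler)` appears to stay at 1, and any handler invoked later in the request (for example write/close during shutdown) would be rejected with the recursion warning and the session data not saved; this depends on what ps_call_handler does on bailout, which the hunk does not show. The write, destroy, gc, validate_sid and update_timestamp handlers follow the same pattern. Either wrap these calls the way PS_OPEN_FUNC does, or document the assumption at the guard, e.g. `/* in_save_handler is reset by <where> if the user handler bails out */`. The function body continues outside this hunk.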
@@ -145,6 +172,7 @@ PS_READ_FUNC(user)
zval_ptr_dtor(&retval);
}
+ PS(in_save_handler) = 0;
return ret;
}
@@ -153,11 +181,19 @@ PS_WRITE_FUNC(user)
zval args[2];
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
ZVAL_STR_COPY(&args[0], key);
ZVAL_STR_COPY(&args[1], val);
ps_call_handler(&PSF(write), 2, args, &retval);
+ PS(in_save_handler) = 0;
FINISH;
}
@@ -166,10 +202,18 @@ PS_DESTROY_FUNC(user)
zval args[1];
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
ZVAL_STR_COPY(&args[0], key);
ps_call_handler(&PSF(destroy), 1, args, &retval);
+ PS(in_save_handler) = 0;
FINISH;
}
@@ -178,24 +222,41 @@ PS_GC_FUNC(user)
zval args[1];
zval retval;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
ZVAL_LONG(&args[0], maxlifetime);
ps_call_handler(&PSF(gc), 1, args, &retval);
if (Z_TYPE(retval) == IS_LONG) {
convert_to_long(&retval);
+ PS(in_save_handler) = 0;
return Z_LVAL(retval);
}
/* This is for older API compatibility */
if (Z_TYPE(retval) == IS_TRUE) {
+ PS(in_save_handler) = 0;
return 1;
}
+ PS(in_save_handler) = 0;
/* Anything else is some kind of error */
return -1; // Error
}
PS_CREATE_SID_FUNC(user)
{
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
/* maintain backwards compatibility */
if (!Z_ISUNDEF(PSF(create_sid))) {
zend_string *id = NULL;
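Review bot: The guard added to PS_CREATE_SID_FUNC ends with `return FAILURE;`, but this function returns a `zend_string *` (its other exits are `return NULL;` and `return id;`). FAILURE is an integer result code (-1 in Zend), so the rejected call hands back a non-NULL invalid pointer, and a caller that only tests for NULL would go on to use it as a session id string. The guard here should use `return NULL;` instead, matching the function's other error exits. The body of PS_CREATE_SID_FUNC continues past the end of this hunk.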
@@ -209,24 +270,35 @@ PS_CREATE_SID_FUNC(user)
}
zval_ptr_dtor(&retval);
} else {
+ PS(in_save_handler) = 0;
zend_throw_error(NULL, "No session id returned by function");
return NULL;
}
if (!id) {
+ PS(in_save_handler) = 0;
zend_throw_error(NULL, "Session id must be a string");
return NULL;
}
+ PS(in_save_handler) = 0;
return id;
}
+ PS(in_save_handler) = 0;
/* function as defined by PS_MOD */
return php_session_create_id(mod_data);
}
PS_VALIDATE_SID_FUNC(user)
{
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
/* maintain backwards compatibility */
if (!Z_ISUNDEF(PSF(validate_sid))) {
zval args[1];
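Review bot: In PS_CREATE_SID_FUNC `PS(in_save_handler) = 0;` is written out before each of the five returns in this hunk, and the other handlers use the same reset-before-every-return pattern. Any exit path added later without the reset leaves the flag set and every subsequent save handler call in the request fails with the recursion warning, so the invariant is worth enforcing structurally rather than by repetition. I would route the exits through a single cleanup point (or a small enter/leave macro pair next to STDVARS/FINISH) and state the rule at the guard, e.g. `/* in_save_handler must be cleared on every exit path below */`. The start of PS_CREATE_SID_FUNC and the end of PS_VALIDATE_SID_FUNC lie outside this hunk.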
@@ -236,9 +308,11 @@ PS_VALIDATE_SID_FUNC(user)
ps_call_handler(&PSF(validate_sid), 1, args, &retval);
+ PS(in_save_handler) = 0;
FINISH;
}
+ PS(in_save_handler) = 0;
/* dummy function defined by PS_MOD */
return php_session_validate_sid(mod_data, key);
}
@@ -248,6 +322,13 @@ PS_UPDATE_TIMESTAMP_FUNC(user)
zval args[2];
STDVARS;
+ if (PS(in_save_handler)) {
+ PS(in_save_handler) = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot call save handler function recursive manner");
+ return FAILURE;
+ }
+ PS(in_save_handler) = 1;
+
ZVAL_STR_COPY(&args[0], key);
ZVAL_STR_COPY(&args[1], val);
@@ -258,6 +339,7 @@ PS_UPDATE_TIMESTAMP_FUNC(user)
ps_call_handler(&PSF(write), 2, args, &retval);
}
+ PS(in_save_handler) = 0;
FINISH;
}