#
f69d5405 |
| 24-Mar-2024 |
Jorg Adam Sowa |
Removed impossible paths from session_decode and session_encode (#13796)
|
#
81744d6c |
| 18-Mar-2024 |
Tim Düsterhus |
random: Improve the output quality of RANDOM_SEED() (#13730) * random: Improve the output quality of RANDOM_SEED() Previously 4 consecutive calls to `RANDOM_SEED()` each for 4 diffe
random: Improve the output quality of RANDOM_SEED() (#13730) * random: Improve the output quality of RANDOM_SEED() Previously 4 consecutive calls to `RANDOM_SEED()` each for 4 different CLI requests resulted in: $ sapi/cli/php test.php 2c13e9fde9caa 2c13e9fd1d6b0 2c13e9fd4de34 2c13e9fd1610e $ sapi/cli/php test.php 2c1436764fe07 2c14367621770 2c143676c0bf6 2c143676e02f5 $ sapi/cli/php test.php 2c144995a0626 2c14499590fe2 2c144995c65db 2c14499536833 $ sapi/cli/php test.php 2c145cb30860b 2c145cb3ec027 2c145cb33b4ca 2c145cb38ff63 Now they result in: $ sapi/cli/php test.php 6796973ace1b5f3d 1913daf5c158cb4b 255dbf24237bc8c9 7c3ba22e60f35196 $ sapi/cli/php test.php afb7cc9ba9819cd2 3e01a71b91ad020c 6b718364d3ef108 bdcd17beeb4b31d2 $ sapi/cli/php test.php 53d36eb9b83f8788 4381c85e816187aa 2e9b32ee9898e71e 31d15c946842bddb $ sapi/cli/php test.php 2037a3cba88114b4 ba0b0d93a9bb43aa e13d82d2421269e2 191de474f3292240 * tree-wide: Replace GENERATE_SEED() by php_random_generate_fallback_seed() * random: Fix NTS build * random: Fix Windows build
show more ...
|
#
6985aff7 |
| 12-Mar-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-13680: Segfault with session_decode and compilation error It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it.
Fix GH-13680: Segfault with session_decode and compilation error It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it. Test by YuanchengJiang Closes GH-13689.
show more ...
|
#
f6c38fc9 |
| 01-Mar-2024 |
Tim Düsterhus |
session: Stop using php_combined_lcg() The CombinedLCG is a terrible RNG with a questionable API and should ideally not be used anymore. While in the case of ext/session it is only used
session: Stop using php_combined_lcg() The CombinedLCG is a terrible RNG with a questionable API and should ideally not be used anymore. While in the case of ext/session it is only used for probabilistic garbage collection where the quality of the RNG is not of particular importance, there are better choices. Replace the RNG used for garbage collection by an ext/session specific instance of PcgOneseq128XslRr64. Its 16 Byte state nicely fits into the memory freed up by the previous reordering of the session globals struct, even allowing to the storage of the php_random_algo_with_state struct, making using the RNG a little nicer. Instead multiplying the float returned by the CombinedLCG by the GC Divisor to obtain an integer between 0 and the divisor we can just use `php_random_range` to directly generate an appropriate integer, completely avoiding the floating point maths, making it easier to verify the code for correctness.
show more ...
|
#
97b3b455 |
| 01-Feb-2024 |
Tim Düsterhus |
random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source
random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source file might use non-secure randomness. This commit includes the new header wherever the CSPRNG is used, possibly replacing the inclusion of php_random.h if nothing else is used, but also includes it in the main php_random.h header for compatibility. Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1, 2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.
show more ...
|
#
7f7031eb |
| 20-Jan-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader For details and reasoning, see [1] and following. [1] https://github.com/php/php-src/issues/12504#is
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader For details and reasoning, see [1] and following. [1] https://github.com/php/php-src/issues/12504#issuecomment-1790870399 Closes GH-13207.
show more ...
|
#
b36eac94 |
| 22-Nov-2023 |
Máté Kocsis |
Deprecate calling session_set_save_handler() with more than 2 arguments
|
#
c0147a05 |
| 25-Jun-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11529: Crash after dealing with an Apache request In an MPM worker scenario we have 1 module, N threads. Each thread must have their globals initialised. If we only initialise the
Fix GH-11529: Crash after dealing with an Apache request In an MPM worker scenario we have 1 module, N threads. Each thread must have their globals initialised. If we only initialise the filename fields in MINIT, then the threads have an uninitialized value. If the uninitialized value is not NULL, this leads to segfaults upon access. Closes GH-11530.
show more ...
|
#
f160eff4 |
| 17-Jun-2023 |
Ilija Tovilo |
Remove session ID set through REQUEST_URI
|
#
d5ad7510 |
| 08-Jun-2023 |
George Peter Banyard |
More usage of known zend_str instead of C string (#11381)
|
#
6f63d4b2 |
| 19-Apr-2023 |
Ilija Tovilo |
Fix -Wenum-int-mismatch warnings on gcc 13 Closes GH-11103
|
#
180f7854 |
| 28-Mar-2023 |
Calvin Buckley |
Note where a session was already started (#10736) * Note where a session was already started Duplicated session starts can be annoying to debug. The error that occurs when a ses
Note where a session was already started (#10736) * Note where a session was already started Duplicated session starts can be annoying to debug. The error that occurs when a session is already active doesn't tell you where it was initialized, so figuring out the callsite involves manual debugging to find it out. This keeps track of the call site of session_start as a request global, and frees at the end of the request. It should make it easier to find these instances for PHP users. The resulting message can look like: Notice: session_start(): Ignoring session_start() because a session is already active (started from /home/calvin/src/php-src/inc.php on line 4) in /home/calvin/src/php-src/index.php on line 9 Fixes GH-10721 * Convert to using zend_string for session start location * Fix leak with session start callsite filename If this was already initialized, we'd forget it. Have shared free between session_start and RSHUTDOWN. * For sessions that are automatically started, note that Easy to forget that you have this set, in which case, session start is done at RINIT outside of user code. Because this config option can't change at runtime, we can check for it and make the error more specific if that's the case.
show more ...
|
#
9d5f2f13 |
| 20-Mar-2023 |
Ilija Tovilo |
Use new ZSTR_INIT_LITERAL macro (#10879)
|
#
41772571 |
| 28-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
3 minor cleanups in ext/session (#10722) * sid can never be NULL because it was NULL-checked earlier * Change namelen to size_t because it is always unsigned and less in size than s
3 minor cleanups in ext/session (#10722) * sid can never be NULL because it was NULL-checked earlier * Change namelen to size_t because it is always unsigned and less in size than size_t * Remove redundant check on ser It can't be NULL, and even if it could, the ser++ would be UB.
show more ...
|
#
d9c2cf7e |
| 23-Jan-2023 |
Tim Düsterhus |
session: Remove PS_EXTRA_RAND_BYTES (#10394) This was introduced in 3467526a65bfb15eaf9ec49a0b5673b84e26bca4 and the corresponding RFC gives some reasoning. However the CSPRNG being “not
session: Remove PS_EXTRA_RAND_BYTES (#10394) This was introduced in 3467526a65bfb15eaf9ec49a0b5673b84e26bca4 and the corresponding RFC gives some reasoning. However the CSPRNG being “not secure enough” is not a thing and reading these extra bytes is just security theater: If the CSPRNG would hypothetically be broken, then PHP’s session IDs are the least of one’s concerns, because we already trust it in `random_bytes()` and might generate long-term secrets using that.
show more ...
|
#
7936c808 |
| 23-Jan-2023 |
Máté Kocsis |
Fix GH-8329 Print true/false instead of bool in error and debug messages (#8385)
|
#
a4298c14 |
| 15-Nov-2022 |
David Carlier |
Fix GH-9932: Discards further characters for session name. As those are converted, it s better to make aware of the code caller of the naming inadequacy. Closes GH-9940.
|
#
51888425 |
| 04-Oct-2022 |
George Peter Banyard |
Drop struct union as access is now always named
|
#
2ddd68aa |
| 04-Oct-2022 |
George Peter Banyard |
Free handles by name directly
|
#
5b40d066 |
| 03-Oct-2022 |
George Peter Banyard |
Refactor session_set_save_handler() Use proper ZPP callables with FCI/FCC
|
#
499fbcd6 |
| 29-Sep-2022 |
George Peter Banyard |
Actually fix GH-9583 The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set Add another regression test to en
Actually fix GH-9583 The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set Add another regression test to ensure current working behaviour is not broken (which was by the previous incorrect fix) Closes GH-9638
show more ...
|
#
8b115254 |
| 24-Sep-2022 |
George Peter Banyard |
Fix GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
|
#
3071d85a |
| 20-Sep-2022 |
Ilija Tovilo |
PS(mod_user_class_name) must not leak into next request Fixes GH-9584
|
Revision tags: php-8.2.0RC1, php-8.1.10 |
|
#
1ad59b32 |
| 30-Aug-2022 |
George Peter Banyard |
Update INI validator and displayers depending on INI type Closes GH-9451
|
Revision tags: php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3 |
|
#
66aed3a8 |
| 12-Aug-2022 |
George Peter Banyard |
SameSite session cookie prop should behave like other INI settings It should warn if the INI setting is changed after headers are sent or a session is not active |