History log of /php-src/ext/session/session.c (Results 1 – 25 of 978)
Revision   Date   Author   Comments
# cc39bc21 29-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16590: UAF in session_encode()

The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.

Closes GH-16640.
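The hazard this commit message describes, as an added example that is not php-src code: an encode loop that keeps pointers into the live session table while calling back into user-controlled code, beside the copy-then-iterate shape the fix adopts. The table, the poisoning bump allocator and every name here (table_set, encode_unsafe, encode_safe, hook_overwrite, run_demo) are this example's own assumptions, and the session contents are constructed.

```c
/* Added example, not php-src code: the GH-16590 bug class in miniature.
 * An encode loop walks the live session table while calling a hook that
 * user code controls; when the hook replaces a value, the loop's pointer
 * now refers to released memory. Iterating a temporary copy fixes it.
 * Simulated allocator: released values are poisoned with '#' and slots are
 * never reused, so the hazard is visible without real undefined behaviour. */
#include <stdio.h>
#include <string.h>

#define SLOTS    8
#define VAL_LEN  16
#define MAX_KEYS 4

static char arena[SLOTS][VAL_LEN];
static int  next_slot;                       /* bump allocation, no reuse */

static char *val_alloc(const char *s) {
    if (next_slot >= SLOTS) return NULL;     /* not reached in this demo */
    snprintf(arena[next_slot], VAL_LEN, "%s", s);
    return arena[next_slot++];
}
static void val_release(char *p) {           /* poison instead of free() */
    memset(p, '#', VAL_LEN - 1);
    p[VAL_LEN - 1] = '\0';
}

/* Stand-in for the $_SESSION hash table: parallel key/value arrays. */
struct table { int n; const char *key[MAX_KEYS]; char *val[MAX_KEYS]; };

static void table_set(struct table *t, const char *key, const char *s) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->key[i], key) == 0) {
            val_release(t->val[i]);          /* the old value goes away here */
            t->val[i] = val_alloc(s);
            return;
        }
    t->key[t->n] = key;
    t->val[t->n] = val_alloc(s);
    t->n++;
}

/* Hook run per entry during encoding: user code the serializer calls back
 * into, which may write to the live session. */
typedef void (*entry_hook)(struct table *live, const char *key);

static void append(char *out, size_t cap, const char *k, const char *v) {
    size_t used = strlen(out);
    snprintf(out + used, cap - used, "%s=%s;", k, v);
}

/* Vulnerable shape: a raw pointer into the live table is held across the hook. */
static void encode_unsafe(struct table *t, entry_hook hook, char *out, size_t cap) {
    out[0] = '\0';
    for (int i = 0; i < t->n; i++) {
        const char *k = t->key[i];
        const char *v = t->val[i];
        hook(t, k);                          /* may release t->val[i]: v dangles */
        append(out, cap, k, v);
    }
}

/* Fixed shape: snapshot first, iterate the snapshot, release it afterwards.
 * The hook may still mutate the live table; this loop never reads it again. */
static void encode_safe(struct table *t, entry_hook hook, char *out, size_t cap) {
    struct table copy = { .n = t->n };
    for (int i = 0; i < t->n; i++) {
        copy.key[i] = t->key[i];
        copy.val[i] = val_alloc(t->val[i]);
    }
    out[0] = '\0';
    for (int i = 0; i < copy.n; i++) {
        hook(t, copy.key[i]);
        append(out, cap, copy.key[i], copy.val[i]);
    }
    for (int i = 0; i < copy.n; i++) val_release(copy.val[i]);
}

/* Hostile hook: overwrites the entry that is being encoded right now. */
static void hook_overwrite(struct table *live, const char *key) {
    if (strcmp(key, "user") == 0) table_set(live, "user", "attacker");
}

static char demo_buf[64];

/* Encodes a constructed session {user=alice, role=viewer} with the hostile
 * hook installed; returns 1 if poisoned (released) bytes reached the output. */
static int run_demo(int use_safe) {
    memset(arena, 0, sizeof arena);
    next_slot = 0;
    struct table t = { 0 };
    table_set(&t, "user", "alice");
    table_set(&t, "role", "viewer");
    if (use_safe) encode_safe(&t, hook_overwrite, demo_buf, sizeof demo_buf);
    else          encode_unsafe(&t, hook_overwrite, demo_buf, sizeof demo_buf);
    return strchr(demo_buf, '#') != NULL;
}
static const char *demo_output(void) { return demo_buf; }

int main(void) {
    run_demo(0); printf("unsafe: %s\n", demo_output());
    run_demo(1); printf("safe:   %s\n", demo_output());
    return 0;
}
```

The unsafe encoder emits the poisoned bytes of the released value; under a real allocator the same read is a use-after-free that ASan reports and that whoever controls the serializer hook can steer. The safe encoder serializes the snapshot and releases it only after the loop has finished.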


# 84d6cb8c 17-Oct-2024 Calvin Buckley

Unify headers already sent/session already started error handler (#16451)

* Unify headers already sent errors

Now whenever we need to check where headers were already sent in
ext/session, we call a single location that prints where, keeping it
consistent output-wise.

* Unify session already started errors

Similar to the one for headers.

* Also change session active checks too

These usually go hand in hand with the headers already sent checks, but
are in a separate commit because of the number of tests it changes.


# edf351ce 15-Oct-2024 Calvin Buckley

Mention where headers were already sent if session_start fails (#16378)

We had previously improved where sessions were already started, and
where headers were already sent when setting headers, but not where a
header has been sent if we try to set the header cookie.

Fixes GH-16372



# 84a8fea2 08-Oct-2024 David Carlier

Fix GH-16290: session cookie_lifetime ini value overflow.

close GH-16295


# 7cdd1302 12-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16385: Unexpected null returned by session_set_cookie_params

Two issues:
1) The check happened before ZPP checks
2) The `return;` statement caused NULL to be returned while this
function can only return booleans. An exception seems not acceptable
in stable versions, but a warning may do.

Closes GH-16386.



# 217ea732 04-Sep-2024 Christoph M. Becker

Use php_error_docref() instead of zend_error() in session.c (GH-15505)

Using `php_error_docref()` is preferable since it outputs additional
details (which function has been called and whether it is a startup or
shutdown error), uses HTML markup, and also provides a link to the
documentation, if configured.

Since these deprecation warnings have been introduced recently[1][2],
i.e. for PHP 8.4, there are no BC concerns.

[1] <https://github.com/php/php-src/commit/e8ff7c70f9669f1a54c47c018ccc0f80bc0c929b>
[2] <https://github.com/php/php-src/commit/b36eac94d26bdced150d9d2178f6209893d9961f>

Co-authored-by: Máté Kocsis <kocsismate90@gmail.com>



# c5bce0d8 24-Aug-2024 Kamil Tekiela

Deprecate disabling use_only_cookies (#13578)


# ff69f334 22-Aug-2024 Jorg Adam Sowa

ext/session: Warn when providing invalid values for session.gc_probability and session.gc_divisor


# 21fa5e15 15-Aug-2024 Jorg Adam Sowa

ext/session: session_create_id() now throws a ValueError for large prefix (#15338)


# 6bf7b722 11-Aug-2024 Jorg Adam Sowa

ValueError on null byte in session_name() (#15286)


# e8ff7c70 04-Aug-2024 Tim Düsterhus

session: Deprecate `session.sid_length` and `session.sid_bits_per_character` (#15213)

RFC: https://wiki.php.net/rfc/deprecations_php_8_4


# 0956267c 23-Jul-2024 Levi Morrison

Fix warnings in session/spl

This fixes -Winline errors where the functions are not ever inlined.

Also fixes some signature mismatches which were fixed previously but
for whatever reason were not ported to all maintained branches:

/usr/local/src/php/ext/session/session.c:1299:20:
warning:conflicting types for 'php_session_send_cookie' due to enum/integer mismatch;
have 'zend_result(void)' {aka 'ZEND_RESULT_CODE(void)'} [-Wenum-int-mismatch]
1299 | static zend_result php_session_send_cookie(void) /* {{{ */
| ^~~~~~~~~~~~~~~~~~~~~~~
/usr/local/src/php/ext/session/session.c:100:12:
note: previous declaration of 'php_session_send_cookie' with type 'int(void)'
100 | static int php_session_send_cookie(void);
| ^~~~~~~~~~~~~~~~~~~~~~~



# 8e1561cd 06-Jul-2024 Jorg Adam Sowa

Check session_create_id() input for null byte (#14728)


# 11accb5c 25-Jun-2024 Arnaud Le Blanc

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Before, out of tree builds would preferably include files from the src dir, as
the include path was defined as follows (ignoring includes from ext/ and sapi/):

-I$(top_builddir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/main
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM
-I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as
`main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

-I$(top_builddir)/main
-I$(top_builddir)
-I$(top_srcdir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including-file
before any other include path. This can include the wrong config.h when building
out of tree and a config.h exists in the source tree.

Using `#include <config.h>` uses exclusively the include path, and gives
priority to the build dir.



# fd2d8696 08-Jun-2024 Gina Peter Banyard

Clean-up some more headers (#14416)

Remove unused headers (such as php_ini.h for extensions that don't define INI settings)
Use more specific headers when possible


# ec50b178 01-Jun-2024 Peter Kokot

Update ext/session spl dependency (#14410)

The spl dependency is configured so the spl_autoload_register is
available when session_start() is used, meaning the spl extension needs
to be loaded before the session. It is marked as optional to be more
explicit as spl is not directly used nor required in the session
extension.



# f69c55b5 01-Jun-2024 Peter Kokot

Remove hash dependency from session extension (#14409)

The session extension once depended on the hash extension for having
hash functions available when using the `session.hash_function` INI
directive. This directive was removed in PHP-7.1 via
3467526a65bfb15eaf9ec49a0b5673b84e26bca4. At the time it could be marked
as an optional dependency, because it only needed to be loaded before the
session in that case.

The removal of ext/hash/php_hash.h from ext/session/php_session.h might
cause a BC break for PHP extensions if they rely on the transitive include
and use the hash extension in their code without explicitly including the
ext/hash/php_hash.h header. The solution is to include
ext/hash/php_hash.h separately.



# c7797fc8 29-May-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug GH-11941: soap with session persistence will silently fail when "session" is built as a shared object (#14362)

This adds an optional dependency on the session extension and adds the
necessary APIs to make the functionality work with lazy binding.

This can be tested by configuring PHP with `--enable-session=shared` and
`--enable-soap=shared` and running the test suite; in particular, the
buggy behaviour can be observed with the existing test `server009.phpt`.



# f69d5405 24-Mar-2024 Jorg Adam Sowa

Removed impossible paths from session_decode and session_encode (#13796)


# 81744d6c 18-Mar-2024 Tim Düsterhus

random: Improve the output quality of RANDOM_SEED() (#13730)

* random: Improve the output quality of RANDOM_SEED()

Previously 4 consecutive calls to `RANDOM_SEED()` each for 4 different CLI
requests resulted in:

$ sapi/cli/php test.php
2c13e9fde9caa
2c13e9fd1d6b0
2c13e9fd4de34
2c13e9fd1610e
$ sapi/cli/php test.php
2c1436764fe07
2c14367621770
2c143676c0bf6
2c143676e02f5
$ sapi/cli/php test.php
2c144995a0626
2c14499590fe2
2c144995c65db
2c14499536833
$ sapi/cli/php test.php
2c145cb30860b
2c145cb3ec027
2c145cb33b4ca
2c145cb38ff63

Now they result in:

$ sapi/cli/php test.php
6796973ace1b5f3d
1913daf5c158cb4b
255dbf24237bc8c9
7c3ba22e60f35196
$ sapi/cli/php test.php
afb7cc9ba9819cd2
3e01a71b91ad020c
6b718364d3ef108
bdcd17beeb4b31d2
$ sapi/cli/php test.php
53d36eb9b83f8788
4381c85e816187aa
2e9b32ee9898e71e
31d15c946842bddb
$ sapi/cli/php test.php
2037a3cba88114b4
ba0b0d93a9bb43aa
e13d82d2421269e2
191de474f3292240

* tree-wide: Replace GENERATE_SEED() by php_random_generate_fallback_seed()

* random: Fix NTS build

* random: Fix Windows build



# 6985aff7 12-Mar-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-13680: Segfault with session_decode and compilation error

It's illegal to return from a bailout because that doesn't restore the
original bailout data. Return outside of it.

Test by YuanchengJiang

Closes GH-13689.

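The rule this commit message states (return outside the bailout, never inside it), as an added example that is not php-src code: a setjmp/longjmp bailout stack in the spirit of zend_try/zend_end_try, with a decoder that returns from inside the protected block beside one that returns after it. TRY_BEGIN/TRY_CATCH/TRY_END, bailout(), work() and the decode_* functions are this example's own names, and the depth counter is a simplification of the engine's saved-and-restored jump buffer pointer; the failure mode is the same.

```c
/* Added example, not php-src code: why returning from inside a
 * bailout-protected block corrupts the bailout state (the GH-13680 shape).
 * Model: a depth-counted stack of jmp_bufs. TRY_BEGIN pushes, TRY_END pops;
 * any `return` between them skips the pop, leaving a handler registered
 * whose stack frame no longer exists. The next bailout() would longjmp
 * into that dead frame. */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEPTH 8
static jmp_buf bailout_stack[MAX_DEPTH];
static int bailout_depth;                  /* protected blocks currently active */

#define TRY_BEGIN  bailout_depth++; if (setjmp(bailout_stack[bailout_depth - 1]) == 0) {
#define TRY_CATCH  } else {
#define TRY_END    } bailout_depth--;

/* Stand-in for a fatal error raised while decoding (e.g. a compile error). */
static void bailout(void) {
    if (bailout_depth <= 0) abort();       /* no handler registered */
    longjmp(bailout_stack[bailout_depth - 1], 1);
}

static int work(int fail) { if (fail) bailout(); return 1; }

/* Buggy shape: returns from inside the protected block on both paths, so
 * TRY_END never runs and bailout_depth stays incremented. */
static int decode_return_inside(int fail) {
    TRY_BEGIN
        return work(fail);
    TRY_CATCH
        return 0;
    TRY_END
    return 0;                              /* unreachable; keeps the body well-formed */
}

/* Fixed shape: record the outcome, leave the block, then return. */
static int decode_return_outside(int fail) {
    volatile int result = 0;               /* volatile: assigned across setjmp */
    TRY_BEGIN
        result = work(fail);
    TRY_CATCH
        result = 0;
    TRY_END
    return result;
}

/* Calls fn with a clean bailout stack and reports whether it left it clean. */
static int leaves_bailout_state_intact(int (*fn)(int), int fail) {
    bailout_depth = 0;
    fn(fail);
    return bailout_depth == 0;
}

int main(void) {
    printf("return inside,  fatal: intact=%d\n", leaves_bailout_state_intact(decode_return_inside, 1));
    printf("return outside, fatal: intact=%d\n", leaves_bailout_state_intact(decode_return_outside, 1));
    return 0;
}
```

The buggy decoder corrupts the state on the success path too: any `return` before TRY_END skips the restore, not only the one in the catch branch.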


# f6c38fc9 01-Mar-2024 Tim Düsterhus

session: Stop using php_combined_lcg()

The CombinedLCG is a terrible RNG with a questionable API and should ideally
not be used anymore. While in the case of ext/session it is only used for
probabilistic garbage collection where the quality of the RNG is not of
particular importance, there are better choices.

Replace the RNG used for garbage collection by an ext/session specific instance
of PcgOneseq128XslRr64. Its 16-byte state nicely fits into the memory freed up
by the previous reordering of the session globals struct, even allowing the
storage of the php_random_algo_with_state struct, making using the RNG a little
nicer.

Instead of multiplying the float returned by the CombinedLCG by the GC Divisor to
obtain an integer between 0 and the divisor we can just use `php_random_range`
to directly generate an appropriate integer, completely avoiding the floating
point maths, making it easier to verify the code for correctness.

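The GC decision this commit message describes, as an added example that is not php-src code, also serving the earlier ff69f334 entry about invalid session.gc_probability and session.gc_divisor values: the old float-times-divisor shape beside the direct integer-in-range shape, an unbiased bounded draw, and a guard for settings that cannot form a probability (non-positive divisor, negative probability; that guard is this example's choice, the commit's exact warning rule is not shown on this page). splitmix64 stands in for PcgOneseq128XslRr64, and next_u64, bounded_u64, should_run_gc_float, should_run_gc, count_gc_triggers and bounded_stays_in_range are this example's own names, not php-src APIs.

```c
/* Added example, not php-src code: probabilistic session GC, decided two ways.
 * Old shape: float in [0,1) scaled by the divisor and truncated.
 * New shape: integer drawn directly in [0, divisor), compared to probability.
 * splitmix64 is a stand-in generator; the real code uses PcgOneseq128XslRr64. */
#include <stdint.h>
#include <stdio.h>

static uint64_t next_u64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Uniform integer in [0, n), n >= 1, by rejection sampling: the lowest
 * (2^64 mod n) raw values are discarded so that r % n carries no bias. */
static uint64_t bounded_u64(uint64_t *state, uint64_t n) {
    uint64_t threshold = (0 - n) % n;          /* == 2^64 mod n */
    uint64_t r;
    do { r = next_u64(state); } while (r < threshold);
    return r % n;
}

/* Old shape. Correct in practice, but the argument runs through
 * floating-point rounding and truncation. */
static int should_run_gc_float(uint64_t *state, long probability, long divisor) {
    double u = (double)(next_u64(state) >> 11) * (1.0 / 9007199254740992.0); /* 53-bit, [0,1) */
    long nrand = (long)(u * (double)divisor);
    return nrand < probability;
}

/* New shape: integer in [0, divisor) against probability. Returns 1 (run GC),
 * 0 (skip), or -1 for settings that cannot form a probability: a divisor of
 * zero or less gives an empty range (or a division by zero) and a negative
 * probability is meaningless. */
static int should_run_gc(uint64_t *state, long probability, long divisor) {
    if (divisor <= 0 || probability < 0) return -1;
    if (probability == 0) return 0;            /* GC disabled */
    if (probability >= divisor) return 1;      /* every request */
    return bounded_u64(state, (uint64_t)divisor) < (uint64_t)probability;
}

/* Monte Carlo: how many of n requests would trigger GC with either shape.
 * Returns -1 for invalid settings. */
static long count_gc_triggers(uint64_t seed, long n, long probability, long divisor, int use_float) {
    if (divisor <= 0 || probability < 0) return -1;
    uint64_t state = seed;
    long hits = 0;
    for (long i = 0; i < n; i++)
        hits += use_float ? should_run_gc_float(&state, probability, divisor)
                          : should_run_gc(&state, probability, divisor);
    return hits;
}

/* Property check for the range helper: every draw must stay below n. */
static int bounded_stays_in_range(uint64_t seed, uint64_t n, long trials) {
    uint64_t state = seed;
    for (long i = 0; i < trials; i++)
        if (bounded_u64(&state, n) >= n) return 0;
    return 1;
}

int main(void) {
    /* Constructed settings: the php.ini defaults of 1/100, then 1/1000. */
    printf("1/100 over 100000 requests, integer: %ld\n", count_gc_triggers(42, 100000, 1, 100, 0));
    printf("1/100 over 100000 requests, float:   %ld\n", count_gc_triggers(42, 100000, 1, 100, 1));
    printf("1/1000 over 100000 requests:         %ld\n", count_gc_triggers(7, 100000, 1, 1000, 0));
    printf("divisor 0 -> %ld\n", count_gc_triggers(1, 10, 1, 0, 0));
    return 0;
}
```

Both shapes hit about 1 in 100 over many requests; the integer shape is the one whose correctness can be checked by inspection, which is the point the commit makes.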


# 97b3b455 01-Feb-2024 Tim Düsterhus

random: Move CSPRNG API into php_random_csprng.h (#13290)

This allows consumers of just the CSPRNG to include a much smaller header. It
also makes it possible to verify at a glance whether a source file might use
non-secure randomness.

This commit includes the new header wherever the CSPRNG is used, possibly
replacing the inclusion of php_random.h if nothing else is used, but also
includes it in the main php_random.h header for compatibility.

Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1,
2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and
b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.



# 7f7031eb 20-Jan-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-12504: Corrupted session written when there's a fatal error in autoloader

For details and reasoning, see [1] and following.

[1] https://github.com/php/php-src/issues/12504#issuecomment-1790870399

Closes GH-13207.



# b36eac94 22-Nov-2023 Máté Kocsis

Deprecate calling session_set_save_handler() with more than 2 arguments

