Commit | Date | Author | Message
84a8fea2 | 08-Oct-2024 | David Carlier | Fix GH-16290: session cookie_lifetime ini value overflow. close GH-16295
7cdd1302 | 12-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com> | Fix GH-16385: Unexpected null returned by session_set_cookie_params Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while this function can only return booleans. An exception seems not acceptable in stable versions, but a warning may do. Closes GH-16386.
af789afb | 26-Jul-2024 | Christoph M. Becker | Fix type incompatibility in assignment. This partially reverts 0956267c08b8ea8cc8e8e2b31fe0ce12f060e47e, which introduced a type incompatibility where an `int` function is assigned to a `zend_result` function. That yields a level 1 C4133 warning on MSVC, and usually (e.g. in CI) level 1 warnings are elevated to errors, so the build fails.[1] The PHP-8.3 branch and up are unaffected by this, so the upward merges should be empty. [1] <https://github.com/php/php-src/commit/0956267c08b8ea8cc8e8e2b31fe0ce12f060e47e#r144587696>
0956267c | 23-Jul-2024 | Levi Morrison | Fix warnings in session/spl This fixes -Winline errors where the functions are not ever inlined. Also fixes some signature mismatches which were fixed previously but for whatever reason were not ported to all maintained branches: /usr/local/src/php/ext/session/session.c:1299:20: warning:conflicting types for 'php_session_send_cookie' due to enum/integer mismatch; have 'zend_result(void)' {aka 'ZEND_RESULT_CODE(void)'} [-Wenum-int-mismatch] 1299 | static zend_result php_session_send_cookie(void) /* {{{ */ | ^~~~~~~~~~~~~~~~~~~~~~~ /usr/local/src/php/ext/session/session.c:100:12: note: previous declaration of 'php_session_send_cookie' with type 'int(void)' 100 | static int php_session_send_cookie(void); | ^~~~~~~~~~~~~~~~~~~~~~~
6985aff7 | 12-Mar-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com> | Fix GH-13680: Segfault with session_decode and compilation error It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it. Test by YuanchengJiang Closes GH-13689.
97b3b455 | 01-Feb-2024 | Tim Düsterhus | random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source file might use non-secure randomness. This commit includes the new header wherever the CSPRNG is used, possibly replacing the inclusion of php_random.h if nothing else is used, but also includes it in the main php_random.h header for compatibility. Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1, 2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.
b36eac94 | 22-Nov-2023 | Máté Kocsis | Deprecate calling session_set_save_handler() with more than 2 arguments
c0147a05 | 25-Jun-2023 | nielsdos <7771979+nielsdos@users.noreply.github.com> | Fix GH-11529: Crash after dealing with an Apache request In an MPM worker scenario we have 1 module, N threads. Each thread must have their globals initialised. If we only initialise the filename fields in MINIT, then the threads have an uninitialized value. If the uninitialized value is not NULL, this leads to segfaults upon access. Closes GH-11530.
d5ad7510 | 08-Jun-2023 | George Peter Banyard | More usage of known zend_str instead of C string (#11381)
6f63d4b2 | 19-Apr-2023 | Ilija Tovilo | Fix -Wenum-int-mismatch warnings on gcc 13 Closes GH-11103
180f7854 | 28-Mar-2023 | Calvin Buckley | Note where a session was already started (#10736) * Note where a session was already started Duplicated session starts can be annoying to debug. The error that occurs when a session is already active doesn't tell you where it was initialized, so figuring out the callsite involves manual debugging to find it out. This keeps track of the call site of session_start as a request global, and frees at the end of the request. It should make it easier to find these instances for PHP users. The resulting message can look like: Notice: session_start(): Ignoring session_start() because a session is already active (started from /home/calvin/src/php-src/inc.php on line 4) in /home/calvin/src/php-src/index.php on line 9 Fixes GH-10721 * Convert to using zend_string for session start location * Fix leak with session start callsite filename If this was already initialized, we'd forget it. Have shared free between session_start and RSHUTDOWN. * For sessions that are automatically started, note that Easy to forget that you have this set, in which case, session start is done at RINIT outside of user code. Because this config option can't change at runtime, we can check for it and make the error more specific if that's the case.
9d5f2f13 | 20-Mar-2023 | Ilija Tovilo | Use new ZSTR_INIT_LITERAL macro (#10879)
41772571 | 28-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com> | 3 minor cleanups in ext/session (#10722) * sid can never be NULL because it was NULL-checked earlier * Change namelen to size_t because it is always unsigned and less in size than size_t * Remove redundant check on ser It can't be NULL, and even if it could, the ser++ would be UB.
d9c2cf7e | 23-Jan-2023 | Tim Düsterhus | session: Remove PS_EXTRA_RAND_BYTES (#10394) This was introduced in 3467526a65bfb15eaf9ec49a0b5673b84e26bca4 and the corresponding RFC gives some reasoning. However the CSPRNG being “not secure enough” is not a thing and reading these extra bytes is just security theater: If the CSPRNG would hypothetically be broken, then PHP’s session IDs are the least of one’s concerns, because we already trust it in `random_bytes()` and might generate long-term secrets using that.
7936c808 | 23-Jan-2023 | Máté Kocsis | Fix GH-8329 Print true/false instead of bool in error and debug messages (#8385)
51888425 | 04-Oct-2022 | George Peter Banyard | Drop struct union as access is now always named
2ddd68aa | 04-Oct-2022 | George Peter Banyard | Free handles by name directly
5b40d066 | 03-Oct-2022 | George Peter Banyard | Refactor session_set_save_handler() Use proper ZPP callables with FCI/FCC
7f7031eb | 20-Jan-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com> | Fix GH-12504: Corrupted session written when there's a fatal error in autoloader For details and reasoning, see [1] and following. [1] https://github.com/php/php-src/issues/12504#issuecomment-1790870399 Closes GH-13207.
f160eff4 | 17-Jun-2023 | Ilija Tovilo | Remove session ID set through REQUEST_URI
a4298c14 | 15-Nov-2022 | David Carlier | Fix GH-9932: Discards further characters for session name. As those are converted, it's better to make aware of the code caller of the naming inadequacy. Closes GH-9940.
499fbcd6 | 29-Sep-2022 | George Peter Banyard | Actually fix GH-9583 The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set Add another regression test to ensure current working behaviour is not broken (which was by the previous incorrect fix) Closes GH-9638
8b115254 | 24-Sep-2022 | George Peter Banyard | Fix GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
3071d85a | 20-Sep-2022 | Ilija Tovilo | PS(mod_user_class_name) must not leak into next request Fixes GH-9584
1ad59b32 | 30-Aug-2022 | George Peter Banyard | Update INI validator and displayers depending on INI type Closes GH-9451