#
84a8fea2 |
| 08-Oct-2024 |
David Carlier |
Fix GH-16290: session cookie_lifetime ini value overflow. close GH-16295
|
#
7cdd1302 |
| 12-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16385: Unexpected null returned by session_set_cookie_params Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while th
Fix GH-16385: Unexpected null returned by session_set_cookie_params Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while this function can only return booleans. An exception seems not acceptable in stable versions, but a warning may do. Closes GH-16386.
show more ...
|
#
217ea732 |
| 04-Sep-2024 |
Christoph M. Becker |
Use php_error_docref() instead of zend_error() in session.c (GH-15505) Using `php_error_docref()` is preferable since it outputs additional details (which function has been called and wh
Use php_error_docref() instead of zend_error() in session.c (GH-15505) Using `php_error_docref()` is preferable since it outputs additional details (which function has been called and whether it is a startup or shutdown error), uses HTML markup, and also provides a link to the documentation, if configured. Since these deprecation warnings have been introduced recently[1][2], i.e. for PHP 8.4, there are no BC concerns. [1] <https://github.com/php/php-src/commit/e8ff7c70f9669f1a54c47c018ccc0f80bc0c929b> [2] <https://github.com/php/php-src/commit/b36eac94d26bdced150d9d2178f6209893d9961f> Co-authored-by: Máté Kocsis <kocsismate90@gmail.com>
show more ...
|
#
c5bce0d8 |
| 24-Aug-2024 |
Kamil Tekiela |
Deprecate disabling use_only_cookies (#13578)
|
#
ff69f334 |
| 22-Aug-2024 |
Jorg Adam Sowa |
ext/session: Warn when providing invalid values for session.gc_probability and session.gc_divisor
|
#
21fa5e15 |
| 15-Aug-2024 |
Jorg Adam Sowa |
ext/session: session_create_id() now throws a ValueError for large prefix (#15338)
|
#
6bf7b722 |
| 11-Aug-2024 |
Jorg Adam Sowa |
ValueError on null byte in session_name() (#15286)
|
#
e8ff7c70 |
| 04-Aug-2024 |
Tim Düsterhus |
session: Deprecate `session.sid_length` and `session.sid_bits_per_character` (#15213) RFC: https://wiki.php.net/rfc/deprecations_php_8_4
|
#
8e1561cd |
| 06-Jul-2024 |
Jorg Adam Sowa |
Check session_create_id() input for null byte (#14728)
|
#
11accb5c |
| 25-Jun-2024 |
Arnaud Le Blanc |
Preferably include from build dir (#13516) * Include from build dir first This fixes out of tree builds by ensuring that configure artifacts are included from the build dir.
Preferably include from build dir (#13516) * Include from build dir first This fixes out of tree builds by ensuring that configure artifacts are included from the build dir. Before, out of tree builds would preferably include files from the src dir, as the include path was defined as follows (ignoring includes from ext/ and sapi/) : -I$(top_builddir)/main -I$(top_srcdir) -I$(top_builddir)/TSRM -I$(top_builddir)/Zend -I$(top_srcdir)/main -I$(top_srcdir)/Zend -I$(top_srcdir)/TSRM -I$(top_builddir)/ As a result, an out of tree build would include configure artifacts such as `main/php_config.h` from the src dir. After this change, the include path is defined as follows: -I$(top_builddir)/main -I$(top_builddir) -I$(top_srcdir)/main -I$(top_srcdir) -I$(top_builddir)/TSRM -I$(top_builddir)/Zend -I$(top_srcdir)/Zend -I$(top_srcdir)/TSRM * Fix extension include path for out of tree builds * Include config.h with the brackets form `#include "config.h"` searches in the directory containing the including-file before any other include path. This can include the wrong config.h when building out of tree and a config.h exists in the source tree. Using `#include <config.h>` uses exclusively the include path, and gives priority to the build dir.
show more ...
|
#
fd2d8696 |
| 08-Jun-2024 |
Gina Peter Banyard |
Clean-up some more headers (#14416) Remove unused headers (such as php_ini.h for extensions that don't define INI settings) Use more specific headers when possible
|
#
ec50b178 |
| 01-Jun-2024 |
Peter Kokot |
Update ext/session spl dependency (#14410) The spl dependency is configured so the spl_autoload_register is available when session_start() is used, meaning the spl extension needs to
Update ext/session spl dependency (#14410) The spl dependency is configured so the spl_autoload_register is available when session_start() is used, meaning the spl extension needs to be loaded before the session. It is marked as optional to be more explicit as spl is not directly used nor required in the session extension.
show more ...
|
#
f69c55b5 |
| 01-Jun-2024 |
Peter Kokot |
Remove hash dependency from session extension (#14409) The session extension once depended on the hash extension for having hash functions available when using the `session.hash_function
Remove hash dependency from session extension (#14409) The session extension once depended on the hash extension for having hash functions available when using the `session.hash_function` INI directive. This directive was removed in PHP-7.1 via 3467526a65bfb15eaf9ec49a0b5673b84e26bca4. At the time it could be marked as optional dependency, because it only needed to be loaded before the session in that case. The removed ext/hash/php_hash.h in the ext/session/php_session.h might cause BC break for PHP extensions if they rely on transitive include and use hash extension in the code without explicitly including the ext/hash/php_hash.h header. Solution is to include the ext/hash/php_hash.h separately.
show more ...
|
#
c7797fc8 |
| 29-May-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix bug GH-11941: soap with session persistence will silently fails when "seession" built as a shared object (#14362) This adds an optional dependency on the session extension and adds the
Fix bug GH-11941: soap with session persistence will silently fails when "seession" built as a shared object (#14362) This adds an optional dependency on the session extension and adds the necessary APIs to make the functionality work with lazy binding. This can be tested by configuring PHP with `--enable-session=shared` and `--enable-soap=shared` and running the test suite, in particular the buggy behaviour can be observed by the existing test `server009.phpt`.
show more ...
|
#
f69d5405 |
| 24-Mar-2024 |
Jorg Adam Sowa |
Removed impossible paths from session_decode and session_encode (#13796)
|
#
81744d6c |
| 18-Mar-2024 |
Tim Düsterhus |
random: Improve the output quality of RANDOM_SEED() (#13730) * random: Improve the output quality of RANDOM_SEED() Previously 4 consecutive calls to `RANDOM_SEED()` each for 4 diffe
random: Improve the output quality of RANDOM_SEED() (#13730) * random: Improve the output quality of RANDOM_SEED() Previously 4 consecutive calls to `RANDOM_SEED()` each for 4 different CLI requests resulted in: $ sapi/cli/php test.php 2c13e9fde9caa 2c13e9fd1d6b0 2c13e9fd4de34 2c13e9fd1610e $ sapi/cli/php test.php 2c1436764fe07 2c14367621770 2c143676c0bf6 2c143676e02f5 $ sapi/cli/php test.php 2c144995a0626 2c14499590fe2 2c144995c65db 2c14499536833 $ sapi/cli/php test.php 2c145cb30860b 2c145cb3ec027 2c145cb33b4ca 2c145cb38ff63 Now they result in: $ sapi/cli/php test.php 6796973ace1b5f3d 1913daf5c158cb4b 255dbf24237bc8c9 7c3ba22e60f35196 $ sapi/cli/php test.php afb7cc9ba9819cd2 3e01a71b91ad020c 6b718364d3ef108 bdcd17beeb4b31d2 $ sapi/cli/php test.php 53d36eb9b83f8788 4381c85e816187aa 2e9b32ee9898e71e 31d15c946842bddb $ sapi/cli/php test.php 2037a3cba88114b4 ba0b0d93a9bb43aa e13d82d2421269e2 191de474f3292240 * tree-wide: Replace GENERATE_SEED() by php_random_generate_fallback_seed() * random: Fix NTS build * random: Fix Windows build
show more ...
|
#
f6c38fc9 |
| 01-Mar-2024 |
Tim Düsterhus |
session: Stop using php_combined_lcg() The CombinedLCG is a terrible RNG with a questionable API and should ideally not be used anymore. While in the case of ext/session it is only used
session: Stop using php_combined_lcg() The CombinedLCG is a terrible RNG with a questionable API and should ideally not be used anymore. While in the case of ext/session it is only used for probabilistic garbage collection where the quality of the RNG is not of particular importance, there are better choices. Replace the RNG used for garbage collection by an ext/session specific instance of PcgOneseq128XslRr64. Its 16 Byte state nicely fits into the memory freed up by the previous reordering of the session globals struct, even allowing to the storage of the php_random_algo_with_state struct, making using the RNG a little nicer. Instead multiplying the float returned by the CombinedLCG by the GC Divisor to obtain an integer between 0 and the divisor we can just use `php_random_range` to directly generate an appropriate integer, completely avoiding the floating point maths, making it easier to verify the code for correctness.
show more ...
|
#
97b3b455 |
| 01-Feb-2024 |
Tim Düsterhus |
random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source
random: Move CSPRNG API into php_random_csprng.h (#13290) This allows consumers of just the CSPRNG to include a much smaller header. It also allows to verify at a glance whether a source file might use non-secure randomness. This commit includes the new header wherever the CSPRNG is used, possibly replacing the inclusion of php_random.h if nothing else is used, but also includes it in the main php_random.h header for compatibility. Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1, 2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.
show more ...
|
#
b36eac94 |
| 22-Nov-2023 |
Máté Kocsis |
Deprecate calling session_set_save_handler() with more than 2 arguments
|
#
af789afb |
| 26-Jul-2024 |
Christoph M. Becker |
Fix type incompatibility in assignment. This partially reverts 0956267c08b8ea8cc8e8e2b31fe0ce12f060e47e, which introduced a type incompatibility where an `int` function is assigned t
Fix type incompatibility in assignment. This partially reverts 0956267c08b8ea8cc8e8e2b31fe0ce12f060e47e, which introduced a type incompatibility where an `int` function is assigned to a `zend_result` function. That yields a level 1 C4133 warning on MSVC, and usually (e.g. in CI) level 1 warnings are elevated to errors, so the build fails.[1] The PHP-8.3 branch and up are uneffected by this, so the upward merges should be empty. [1] <https://github.com/php/php-src/commit/0956267c08b8ea8cc8e8e2b31fe0ce12f060e47e#r144587696>
show more ...
|
#
0956267c |
| 23-Jul-2024 |
Levi Morrison |
Fix warnings in session/spl This fixes -Winline errors where the functions are not ever inlined. Also fixes some signature mismatches which were fixed previously but for whateve
Fix warnings in session/spl This fixes -Winline errors where the functions are not ever inlined. Also fixes some signature mismatches which were fixed previously but for whatever reason were not ported to all maintained branches: /usr/local/src/php/ext/session/session.c:1299:20: warning:conflicting types for 'php_session_send_cookie' due to enum/integer mismatch; have 'zend_result(void)' {aka 'ZEND_RESULT_CODE(void)'} [-Wenum-int-mismatch] 1299 | static zend_result php_session_send_cookie(void) /* {{{ */ | ^~~~~~~~~~~~~~~~~~~~~~~ /usr/local/src/php/ext/session/session.c:100:12: note: previous declaration of 'php_session_send_cookie' with type 'int(void)' 100 | static int php_session_send_cookie(void); | ^~~~~~~~~~~~~~~~~~~~~~~
show more ...
|
#
6985aff7 |
| 12-Mar-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-13680: Segfault with session_decode and compilation error It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it.
Fix GH-13680: Segfault with session_decode and compilation error It's illegal to return from a bailout because that doesn't restore the original bailout data. Return outside of it. Test by YuanchengJiang Closes GH-13689.
show more ...
|
#
7f7031eb |
| 20-Jan-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader For details and reasoning, see [1] and following. [1] https://github.com/php/php-src/issues/12504#is
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader For details and reasoning, see [1] and following. [1] https://github.com/php/php-src/issues/12504#issuecomment-1790870399 Closes GH-13207.
show more ...
|
#
c0147a05 |
| 25-Jun-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11529: Crash after dealing with an Apache request In an MPM worker scenario we have 1 module, N threads. Each thread must have their globals initialised. If we only initialise the
Fix GH-11529: Crash after dealing with an Apache request In an MPM worker scenario we have 1 module, N threads. Each thread must have their globals initialised. If we only initialise the filename fields in MINIT, then the threads have an uninitialized value. If the uninitialized value is not NULL, this leads to segfaults upon access. Closes GH-11530.
show more ...
|
#
f160eff4 |
| 17-Jun-2023 |
Ilija Tovilo |
Remove session ID set through REQUEST_URI
|