xref: /PHP-7.4/ext/session/session.c (revision 688e56d0)
1 /*
2    +----------------------------------------------------------------------+
3    | PHP Version 7                                                        |
4    +----------------------------------------------------------------------+
5    | Copyright (c) The PHP Group                                          |
6    +----------------------------------------------------------------------+
7    | This source file is subject to version 3.01 of the PHP license,      |
8    | that is bundled with this package in the file LICENSE, and is        |
9    | available through the world-wide-web at the following url:           |
10    | http://www.php.net/license/3_01.txt                                  |
11    | If you did not receive a copy of the PHP license and are unable to   |
12    | obtain it through the world-wide-web, please send a note to          |
13    | license@php.net so we can mail you a copy immediately.               |
14    +----------------------------------------------------------------------+
15    | Authors: Sascha Schumann <sascha@schumann.cx>                        |
16    |          Andrei Zmievski <andrei@php.net>                            |
17    +----------------------------------------------------------------------+
18  */
19 
20 #ifdef HAVE_CONFIG_H
21 #include "config.h"
22 #endif
23 
24 #include "php.h"
25 
26 #ifdef PHP_WIN32
27 # include "win32/winutil.h"
28 # include "win32/time.h"
29 #else
30 # include <sys/time.h>
31 #endif
32 
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 
36 #include "php_ini.h"
37 #include "SAPI.h"
38 #include "rfc1867.h"
39 #include "php_variables.h"
40 #include "php_session.h"
41 #include "ext/standard/php_random.h"
42 #include "ext/standard/php_var.h"
43 #include "ext/date/php_date.h"
44 #include "ext/standard/php_lcg.h"
45 #include "ext/standard/url_scanner_ex.h"
46 #include "ext/standard/info.h"
47 #include "zend_smart_str.h"
48 #include "ext/standard/url.h"
49 #include "ext/standard/basic_functions.h"
50 #include "ext/standard/head.h"
51 
52 #include "mod_files.h"
53 #include "mod_user.h"
54 
55 #ifdef HAVE_LIBMM
56 #include "mod_mm.h"
57 #endif
58 
59 PHPAPI ZEND_DECLARE_MODULE_GLOBALS(ps)
60 
61 static int php_session_rfc1867_callback(unsigned int event, void *event_data, void **extra);
62 static int (*php_session_rfc1867_orig_callback)(unsigned int event, void *event_data, void **extra);
63 static void php_session_track_init(void);
64 
65 /* SessionHandler class */
66 zend_class_entry *php_session_class_entry;
67 
68 /* SessionHandlerInterface */
69 zend_class_entry *php_session_iface_entry;
70 
71 /* SessionIdInterface */
72 zend_class_entry *php_session_id_iface_entry;
73 
74 /* SessionUpdateTimestampHandler class */
75 zend_class_entry *php_session_update_timestamp_class_entry;
76 
77 /* SessionUpdateTimestampInterface */
78 zend_class_entry *php_session_update_timestamp_iface_entry;
79 
80 #define PS_MAX_SID_LENGTH 256
81 
82 /* ***********
83    * Helpers *
84    *********** */
85 
86 #define IF_SESSION_VARS() \
87 	if (Z_ISREF_P(&PS(http_session_vars)) && Z_TYPE_P(Z_REFVAL(PS(http_session_vars))) == IS_ARRAY)
88 
89 #define SESSION_CHECK_ACTIVE_STATE	\
90 	if (PS(session_status) == php_session_active) {	\
91 		php_error_docref(NULL, E_WARNING, "A session is active. You cannot change the session module's ini settings at this time");	\
92 		return FAILURE;	\
93 	}
94 
95 #define SESSION_CHECK_OUTPUT_STATE										\
96 	if (SG(headers_sent) && stage != ZEND_INI_STAGE_DEACTIVATE) {												\
97 		php_error_docref(NULL, E_WARNING, "Headers already sent. You cannot change the session module's ini settings at this time");	\
98 		return FAILURE;													\
99 	}
100 
101 #define APPLY_TRANS_SID (PS(use_trans_sid) && !PS(use_only_cookies))
102 
103 static int php_session_send_cookie(void);
104 static int php_session_abort(void);
105 
106 /* Initialized in MINIT, readonly otherwise. */
107 static int my_module_number = 0;
108 
109 /* Dispatched by RINIT and by php_session_destroy */
php_rinit_session_globals(void)110 static inline void php_rinit_session_globals(void) /* {{{ */
111 {
112 	/* Do NOT init PS(mod_user_names) here! */
113 	/* TODO: These could be moved to MINIT and removed. These should be initialized by php_rshutdown_session_globals() always when execution is finished. */
114 	PS(id) = NULL;
115 	PS(session_status) = php_session_none;
116 	PS(in_save_handler) = 0;
117 	PS(set_handler) = 0;
118 	PS(mod_data) = NULL;
119 	PS(mod_user_is_open) = 0;
120 	PS(define_sid) = 1;
121 	PS(session_vars) = NULL;
122 	PS(module_number) = my_module_number;
123 	ZVAL_UNDEF(&PS(http_session_vars));
124 }
125 /* }}} */
126 
127 /* Dispatched by RSHUTDOWN and by php_session_destroy */
php_rshutdown_session_globals(void)128 static inline void php_rshutdown_session_globals(void) /* {{{ */
129 {
130 	/* Do NOT destroy PS(mod_user_names) here! */
131 	if (!Z_ISUNDEF(PS(http_session_vars))) {
132 		zval_ptr_dtor(&PS(http_session_vars));
133 		ZVAL_UNDEF(&PS(http_session_vars));
134 	}
135 	if (PS(mod_data) || PS(mod_user_implemented)) {
136 		zend_try {
137 			PS(mod)->s_close(&PS(mod_data));
138 		} zend_end_try();
139 	}
140 	if (PS(id)) {
141 		zend_string_release_ex(PS(id), 0);
142 		PS(id) = NULL;
143 	}
144 
145 	if (PS(session_vars)) {
146 		zend_string_release_ex(PS(session_vars), 0);
147 		PS(session_vars) = NULL;
148 	}
149 
150 	/* User save handlers may end up directly here by misuse, bugs in user script, etc. */
151 	/* Set session status to prevent error while restoring save handler INI value. */
152 	PS(session_status) = php_session_none;
153 }
154 /* }}} */
155 
php_session_destroy(void)156 PHPAPI int php_session_destroy(void) /* {{{ */
157 {
158 	int retval = SUCCESS;
159 
160 	if (PS(session_status) != php_session_active) {
161 		php_error_docref(NULL, E_WARNING, "Trying to destroy uninitialized session");
162 		return FAILURE;
163 	}
164 
165 	if (PS(id) && PS(mod)->s_destroy(&PS(mod_data), PS(id)) == FAILURE) {
166 		retval = FAILURE;
167 		php_error_docref(NULL, E_WARNING, "Session object destruction failed");
168 	}
169 
170 	php_rshutdown_session_globals();
171 	php_rinit_session_globals();
172 
173 	return retval;
174 }
175 /* }}} */
176 
php_add_session_var(zend_string * name)177 PHPAPI void php_add_session_var(zend_string *name) /* {{{ */
178 {
179 	IF_SESSION_VARS() {
180 		zval *sess_var = Z_REFVAL(PS(http_session_vars));
181 		SEPARATE_ARRAY(sess_var);
182 		if (!zend_hash_exists(Z_ARRVAL_P(sess_var), name)) {
183 			zval empty_var;
184 			ZVAL_NULL(&empty_var);
185 			zend_hash_update(Z_ARRVAL_P(sess_var), name, &empty_var);
186 		}
187 	}
188 }
189 /* }}} */
190 
php_set_session_var(zend_string * name,zval * state_val,php_unserialize_data_t * var_hash)191 PHPAPI zval* php_set_session_var(zend_string *name, zval *state_val, php_unserialize_data_t *var_hash) /* {{{ */
192 {
193 	IF_SESSION_VARS() {
194 		zval *sess_var = Z_REFVAL(PS(http_session_vars));
195 		SEPARATE_ARRAY(sess_var);
196 		return zend_hash_update(Z_ARRVAL_P(sess_var), name, state_val);
197 	}
198 	return NULL;
199 }
200 /* }}} */
201 
php_get_session_var(zend_string * name)202 PHPAPI zval* php_get_session_var(zend_string *name) /* {{{ */
203 {
204 	IF_SESSION_VARS() {
205 		return zend_hash_find(Z_ARRVAL_P(Z_REFVAL(PS(http_session_vars))), name);
206 	}
207 	return NULL;
208 }
209 /* }}} */
210 
php_session_track_init(void)211 static void php_session_track_init(void) /* {{{ */
212 {
213 	zval session_vars;
214 	zend_string *var_name = zend_string_init("_SESSION", sizeof("_SESSION") - 1, 0);
215 	/* Unconditionally destroy existing array -- possible dirty data */
216 	zend_delete_global_variable(var_name);
217 
218 	if (!Z_ISUNDEF(PS(http_session_vars))) {
219 		zval_ptr_dtor(&PS(http_session_vars));
220 	}
221 
222 	array_init(&session_vars);
223 	ZVAL_NEW_REF(&PS(http_session_vars), &session_vars);
224 	Z_ADDREF_P(&PS(http_session_vars));
225 	zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars));
226 	zend_string_release_ex(var_name, 0);
227 }
228 /* }}} */
229 
php_session_encode(void)230 static zend_string *php_session_encode(void) /* {{{ */
231 {
232 	IF_SESSION_VARS() {
233 		if (!PS(serializer)) {
234 			php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to encode session object");
235 			return NULL;
236 		}
237 		return PS(serializer)->encode();
238 	} else {
239 		php_error_docref(NULL, E_WARNING, "Cannot encode non-existent session");
240 	}
241 	return NULL;
242 }
243 /* }}} */
244 
php_session_decode(zend_string * data)245 static int php_session_decode(zend_string *data) /* {{{ */
246 {
247 	if (!PS(serializer)) {
248 		php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
249 		return FAILURE;
250 	}
251 	if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {
252 		php_session_destroy();
253 		php_session_track_init();
254 		php_error_docref(NULL, E_WARNING, "Failed to decode session object. Session has been destroyed");
255 		return FAILURE;
256 	}
257 	return SUCCESS;
258 }
259 /* }}} */
260 
261 /*
262  * Note that we cannot use the BASE64 alphabet here, because
263  * it contains "/" and "+": both are unacceptable for simple inclusion
264  * into URLs.
265  */
266 
267 static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";
268 
bin_to_readable(unsigned char * in,size_t inlen,char * out,size_t outlen,char nbits)269 static void bin_to_readable(unsigned char *in, size_t inlen, char *out, size_t outlen, char nbits) /* {{{ */
270 {
271 	unsigned char *p, *q;
272 	unsigned short w;
273 	int mask;
274 	int have;
275 
276 	p = (unsigned char *)in;
277 	q = (unsigned char *)in + inlen;
278 
279 	w = 0;
280 	have = 0;
281 	mask = (1 << nbits) - 1;
282 
283 	while (outlen--) {
284 		if (have < nbits) {
285 			if (p < q) {
286 				w |= *p++ << have;
287 				have += 8;
288 			} else {
289 				/* Should never happen. Input must be large enough. */
290 				ZEND_ASSERT(0);
291 				break;
292 			}
293 		}
294 
295 		/* consume nbits */
296 		*out++ = hexconvtab[w & mask];
297 		w >>= nbits;
298 		have -= nbits;
299 	}
300 
301 	*out = '\0';
302 }
303 /* }}} */
304 
305 #define PS_EXTRA_RAND_BYTES 60
306 
php_session_create_id(PS_CREATE_SID_ARGS)307 PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
308 {
309 	unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES];
310 	zend_string *outid;
311 
312 	/* It would be enough to read ceil(sid_length * sid_bits_per_character / 8) bytes here.
313 	 * We read sid_length bytes instead for simplicity. */
314 	/* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */
315 	if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) {
316 		return NULL;
317 	}
318 
319 	outid = zend_string_alloc(PS(sid_length), 0);
320 	bin_to_readable(
321 		rbuf, PS(sid_length),
322 		ZSTR_VAL(outid), ZSTR_LEN(outid),
323 		(char)PS(sid_bits_per_character));
324 
325 	return outid;
326 }
327 /* }}} */
328 
329 /* Default session id char validation function allowed by ps_modules.
330  * If you change the logic here, please also update the error message in
331  * ps_modules appropriately */
php_session_valid_key(const char * key)332 PHPAPI int php_session_valid_key(const char *key) /* {{{ */
333 {
334 	size_t len;
335 	const char *p;
336 	char c;
337 	int ret = SUCCESS;
338 
339 	for (p = key; (c = *p); p++) {
340 		/* valid characters are a..z,A..Z,0..9 */
341 		if (!((c >= 'a' && c <= 'z')
342 				|| (c >= 'A' && c <= 'Z')
343 				|| (c >= '0' && c <= '9')
344 				|| c == ','
345 				|| c == '-')) {
346 			ret = FAILURE;
347 			break;
348 		}
349 	}
350 
351 	len = p - key;
352 
353 	/* Somewhat arbitrary length limit here, but should be way more than
354 	   anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */
355 	if (len == 0 || len > PS_MAX_SID_LENGTH) {
356 		ret = FAILURE;
357 	}
358 
359 	return ret;
360 }
361 /* }}} */
362 
363 
php_session_gc(zend_bool immediate)364 static zend_long php_session_gc(zend_bool immediate) /* {{{ */
365 {
366 	int nrand;
367 	zend_long num = -1;
368 
369 	/* GC must be done before reading session data. */
370 	if ((PS(mod_data) || PS(mod_user_implemented))) {
371 		if (immediate) {
372 			PS(mod)->s_gc(&PS(mod_data), PS(gc_maxlifetime), &num);
373 			return num;
374 		}
375 		nrand = (zend_long) ((float) PS(gc_divisor) * php_combined_lcg());
376 		if (PS(gc_probability) > 0 && nrand < PS(gc_probability)) {
377 			PS(mod)->s_gc(&PS(mod_data), PS(gc_maxlifetime), &num);
378 		}
379 	}
380 	return num;
381 } /* }}} */
382 
php_session_initialize(void)383 static int php_session_initialize(void) /* {{{ */
384 {
385 	zend_string *val = NULL;
386 
387 	PS(session_status) = php_session_active;
388 
389 	if (!PS(mod)) {
390 		PS(session_status) = php_session_disabled;
391 		php_error_docref(NULL, E_WARNING, "No storage module chosen - failed to initialize session");
392 		return FAILURE;
393 	}
394 
395 	/* Open session handler first */
396 	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)) == FAILURE
397 		/* || PS(mod_data) == NULL */ /* FIXME: open must set valid PS(mod_data) with success */
398 	) {
399 		php_session_abort();
400 		php_error_docref(NULL, E_WARNING, "Failed to initialize storage module: %s (path: %s)", PS(mod)->s_name, PS(save_path));
401 		return FAILURE;
402 	}
403 
404 	/* If there is no ID, use session module to create one */
405 	if (!PS(id) || !ZSTR_VAL(PS(id))[0]) {
406 		if (PS(id)) {
407 			zend_string_release_ex(PS(id), 0);
408 		}
409 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
410 		if (!PS(id)) {
411 			php_session_abort();
412 			zend_throw_error(NULL, "Failed to create session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
413 			return FAILURE;
414 		}
415 		if (PS(use_cookies)) {
416 			PS(send_cookie) = 1;
417 		}
418 	} else if (PS(use_strict_mode) && PS(mod)->s_validate_sid &&
419 		PS(mod)->s_validate_sid(&PS(mod_data), PS(id)) == FAILURE) {
420 		if (PS(id)) {
421 			zend_string_release_ex(PS(id), 0);
422 		}
423 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
424 		if (!PS(id)) {
425 			PS(id) = php_session_create_id(NULL);
426 		}
427 		if (PS(use_cookies)) {
428 			PS(send_cookie) = 1;
429 		}
430 	}
431 
432 	if (php_session_reset_id() == FAILURE) {
433 		php_session_abort();
434 		return FAILURE;
435 	}
436 
437 	/* Read data */
438 	php_session_track_init();
439 	if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, PS(gc_maxlifetime)) == FAILURE) {
440 		php_session_abort();
441 		/* FYI: Some broken save handlers return FAILURE for non-existent session ID, this is incorrect */
442 		php_error_docref(NULL, E_WARNING, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
443 		return FAILURE;
444 	}
445 
446 	/* GC must be done after read */
447 	php_session_gc(0);
448 
449 	if (PS(session_vars)) {
450 		zend_string_release_ex(PS(session_vars), 0);
451 		PS(session_vars) = NULL;
452 	}
453 	if (val) {
454 		if (PS(lazy_write)) {
455 			PS(session_vars) = zend_string_copy(val);
456 		}
457 		php_session_decode(val);
458 		zend_string_release_ex(val, 0);
459 	}
460 	return SUCCESS;
461 }
462 /* }}} */
463 
php_session_save_current_state(int write)464 static void php_session_save_current_state(int write) /* {{{ */
465 {
466 	int ret = FAILURE;
467 
468 	if (write) {
469 		IF_SESSION_VARS() {
470 			if (PS(mod_data) || PS(mod_user_implemented)) {
471 				zend_string *val;
472 
473 				val = php_session_encode();
474 				if (val) {
475 					if (PS(lazy_write) && PS(session_vars)
476 						&& PS(mod)->s_update_timestamp
477 						&& PS(mod)->s_update_timestamp != php_session_update_timestamp
478 						&& ZSTR_LEN(val) == ZSTR_LEN(PS(session_vars))
479 						&& !memcmp(ZSTR_VAL(val), ZSTR_VAL(PS(session_vars)), ZSTR_LEN(val))
480 					) {
481 						ret = PS(mod)->s_update_timestamp(&PS(mod_data), PS(id), val, PS(gc_maxlifetime));
482 					} else {
483 						ret = PS(mod)->s_write(&PS(mod_data), PS(id), val, PS(gc_maxlifetime));
484 					}
485 					zend_string_release_ex(val, 0);
486 				} else {
487 					ret = PS(mod)->s_write(&PS(mod_data), PS(id), ZSTR_EMPTY_ALLOC(), PS(gc_maxlifetime));
488 				}
489 			}
490 
491 			if ((ret == FAILURE) && !EG(exception)) {
492 				if (!PS(mod_user_implemented)) {
493 					php_error_docref(NULL, E_WARNING, "Failed to write session data (%s). Please "
494 									 "verify that the current setting of session.save_path "
495 									 "is correct (%s)",
496 									 PS(mod)->s_name,
497 									 PS(save_path));
498 				} else {
499 					php_error_docref(NULL, E_WARNING, "Failed to write session data using user "
500 									 "defined save handler. (session.save_path: %s)", PS(save_path));
501 				}
502 			}
503 		}
504 	}
505 
506 	if (PS(mod_data) || PS(mod_user_implemented)) {
507 		PS(mod)->s_close(&PS(mod_data));
508 	}
509 }
510 /* }}} */
511 
php_session_normalize_vars()512 static void php_session_normalize_vars() /* {{{ */
513 {
514 	PS_ENCODE_VARS;
515 
516 	IF_SESSION_VARS() {
517 		PS_ENCODE_LOOP(
518 			if (Z_TYPE_P(struc) == IS_PTR) {
519 				zval *zv = (zval *)Z_PTR_P(struc);
520 				ZVAL_COPY_VALUE(struc, zv);
521 				ZVAL_UNDEF(zv);
522 			}
523 		);
524 	}
525 }
526 /* }}} */
527 
528 /* *************************
529    * INI Settings/Handlers *
530    ************************* */
531 
PHP_INI_MH(OnUpdateSaveHandler)532 static PHP_INI_MH(OnUpdateSaveHandler) /* {{{ */
533 {
534 	const ps_module *tmp;
535 
536 	SESSION_CHECK_ACTIVE_STATE;
537 	SESSION_CHECK_OUTPUT_STATE;
538 
539 	tmp = _php_find_ps_module(ZSTR_VAL(new_value));
540 
541 	if (PG(modules_activated) && !tmp) {
542 		int err_type;
543 
544 		if (stage == ZEND_INI_STAGE_RUNTIME) {
545 			err_type = E_WARNING;
546 		} else {
547 			err_type = E_ERROR;
548 		}
549 
550 		/* Do not output error when restoring ini options. */
551 		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
552 			php_error_docref(NULL, err_type, "Cannot find save handler '%s'", ZSTR_VAL(new_value));
553 		}
554 
555 		return FAILURE;
556 	}
557 
558 	/* "user" save handler should not be set by user */
559 	if (!PS(set_handler) &&  tmp == ps_user_ptr) {
560 		php_error_docref(NULL, E_RECOVERABLE_ERROR, "Cannot set 'user' save handler by ini_set() or session_module_name()");
561 		return FAILURE;
562 	}
563 
564 	PS(default_mod) = PS(mod);
565 	PS(mod) = tmp;
566 
567 	return SUCCESS;
568 }
569 /* }}} */
570 
PHP_INI_MH(OnUpdateSerializer)571 static PHP_INI_MH(OnUpdateSerializer) /* {{{ */
572 {
573 	const ps_serializer *tmp;
574 
575 	SESSION_CHECK_ACTIVE_STATE;
576 	SESSION_CHECK_OUTPUT_STATE;
577 
578 	tmp = _php_find_ps_serializer(ZSTR_VAL(new_value));
579 
580 	if (PG(modules_activated) && !tmp) {
581 		int err_type;
582 
583 		if (stage == ZEND_INI_STAGE_RUNTIME) {
584 			err_type = E_WARNING;
585 		} else {
586 			err_type = E_ERROR;
587 		}
588 
589 		/* Do not output error when restoring ini options. */
590 		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
591 			php_error_docref(NULL, err_type, "Cannot find serialization handler '%s'", ZSTR_VAL(new_value));
592 		}
593 		return FAILURE;
594 	}
595 	PS(serializer) = tmp;
596 
597 	return SUCCESS;
598 }
599 /* }}} */
600 
PHP_INI_MH(OnUpdateTransSid)601 static PHP_INI_MH(OnUpdateTransSid) /* {{{ */
602 {
603 	SESSION_CHECK_ACTIVE_STATE;
604 	SESSION_CHECK_OUTPUT_STATE;
605 
606 	if (!strncasecmp(ZSTR_VAL(new_value), "on", sizeof("on"))) {
607 		PS(use_trans_sid) = (zend_bool) 1;
608 	} else {
609 		PS(use_trans_sid) = (zend_bool) atoi(ZSTR_VAL(new_value));
610 	}
611 
612 	return SUCCESS;
613 }
614 /* }}} */
615 
616 
PHP_INI_MH(OnUpdateSaveDir)617 static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
618 {
619 	SESSION_CHECK_ACTIVE_STATE;
620 	SESSION_CHECK_OUTPUT_STATE;
621 
622 	/* Only do the safemode/open_basedir check at runtime */
623 	if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
624 		char *p;
625 
626 		if (memchr(ZSTR_VAL(new_value), '\0', ZSTR_LEN(new_value)) != NULL) {
627 			return FAILURE;
628 		}
629 
630 		/* we do not use zend_memrchr() since path can contain ; itself */
631 		if ((p = strchr(ZSTR_VAL(new_value), ';'))) {
632 			char *p2;
633 			p++;
634 			if ((p2 = strchr(p, ';'))) {
635 				p = p2 + 1;
636 			}
637 		} else {
638 			p = ZSTR_VAL(new_value);
639 		}
640 
641 		if (PG(open_basedir) && *p && php_check_open_basedir(p)) {
642 			return FAILURE;
643 		}
644 	}
645 
646 	return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
647 }
648 /* }}} */
649 
650 
PHP_INI_MH(OnUpdateName)651 static PHP_INI_MH(OnUpdateName) /* {{{ */
652 {
653 	SESSION_CHECK_ACTIVE_STATE;
654 	SESSION_CHECK_OUTPUT_STATE;
655 
656 	/* Numeric session.name won't work at all */
657 	if ((!ZSTR_LEN(new_value) || is_numeric_string(ZSTR_VAL(new_value), ZSTR_LEN(new_value), NULL, NULL, 0))) {
658 		int err_type;
659 
660 		if (stage == ZEND_INI_STAGE_RUNTIME || stage == ZEND_INI_STAGE_ACTIVATE || stage == ZEND_INI_STAGE_STARTUP) {
661 			err_type = E_WARNING;
662 		} else {
663 			err_type = E_ERROR;
664 		}
665 
666 		/* Do not output error when restoring ini options. */
667 		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
668 			php_error_docref(NULL, err_type, "session.name cannot be a numeric or empty '%s'", ZSTR_VAL(new_value));
669 		}
670 		return FAILURE;
671 	}
672 
673 	return OnUpdateStringUnempty(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
674 }
675 /* }}} */
676 
677 
PHP_INI_MH(OnUpdateCookieLifetime)678 static PHP_INI_MH(OnUpdateCookieLifetime) /* {{{ */
679 {
680 	SESSION_CHECK_ACTIVE_STATE;
681 	SESSION_CHECK_OUTPUT_STATE;
682 	if (atol(ZSTR_VAL(new_value)) < 0) {
683 		php_error_docref(NULL, E_WARNING, "CookieLifetime cannot be negative");
684 		return FAILURE;
685 	}
686 	return OnUpdateLongGEZero(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
687 }
688 /* }}} */
689 
690 
PHP_INI_MH(OnUpdateSessionLong)691 static PHP_INI_MH(OnUpdateSessionLong) /* {{{ */
692 {
693 	SESSION_CHECK_ACTIVE_STATE;
694 	SESSION_CHECK_OUTPUT_STATE;
695 	return OnUpdateLong(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
696 }
697 /* }}} */
698 
699 
PHP_INI_MH(OnUpdateSessionString)700 static PHP_INI_MH(OnUpdateSessionString) /* {{{ */
701 {
702 	SESSION_CHECK_ACTIVE_STATE;
703 	SESSION_CHECK_OUTPUT_STATE;
704 	return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
705 }
706 /* }}} */
707 
708 
PHP_INI_MH(OnUpdateSessionBool)709 static PHP_INI_MH(OnUpdateSessionBool) /* {{{ */
710 {
711 	SESSION_CHECK_OUTPUT_STATE;
712 	SESSION_CHECK_ACTIVE_STATE;
713 	return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
714 }
715 /* }}} */
716 
717 
PHP_INI_MH(OnUpdateSidLength)718 static PHP_INI_MH(OnUpdateSidLength) /* {{{ */
719 {
720 	zend_long val;
721 	char *endptr = NULL;
722 
723 	SESSION_CHECK_OUTPUT_STATE;
724 	SESSION_CHECK_ACTIVE_STATE;
725 	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
726 	if (endptr && (*endptr == '\0')
727 		&& val >= 22 && val <= PS_MAX_SID_LENGTH) {
728 		/* Numeric value */
729 		PS(sid_length) = val;
730 		return SUCCESS;
731 	}
732 
733 	php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256.");
734 	return FAILURE;
735 }
736 /* }}} */
737 
PHP_INI_MH(OnUpdateSidBits)738 static PHP_INI_MH(OnUpdateSidBits) /* {{{ */
739 {
740 	zend_long val;
741 	char *endptr = NULL;
742 
743 	SESSION_CHECK_OUTPUT_STATE;
744 	SESSION_CHECK_ACTIVE_STATE;
745 	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
746 	if (endptr && (*endptr == '\0')
747 		&& val >= 4 && val <=6) {
748 		/* Numeric value */
749 		PS(sid_bits_per_character) = val;
750 		return SUCCESS;
751 	}
752 
753 	php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits_per_character' must be between 4 and 6.");
754 	return FAILURE;
755 }
756 /* }}} */
757 
758 
PHP_INI_MH(OnUpdateLazyWrite)759 static PHP_INI_MH(OnUpdateLazyWrite) /* {{{ */
760 {
761 	SESSION_CHECK_ACTIVE_STATE;
762 	SESSION_CHECK_OUTPUT_STATE;
763 	return OnUpdateBool(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
764 }
765 /* }}} */
766 
767 
768 
PHP_INI_MH(OnUpdateRfc1867Freq)769 static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */
770 {
771 	int tmp;
772 	tmp = zend_atoi(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
773 	if(tmp < 0) {
774 		php_error_docref(NULL, E_WARNING, "session.upload_progress.freq must be greater than or equal to zero");
775 		return FAILURE;
776 	}
777 	if(ZSTR_LEN(new_value) > 0 && ZSTR_VAL(new_value)[ZSTR_LEN(new_value)-1] == '%') {
778 		if(tmp > 100) {
779 			php_error_docref(NULL, E_WARNING, "session.upload_progress.freq cannot be over 100%%");
780 			return FAILURE;
781 		}
782 		PS(rfc1867_freq) = -tmp;
783 	} else {
784 		PS(rfc1867_freq) = tmp;
785 	}
786 	return SUCCESS;
787 } /* }}} */
788 
789 /* {{{ PHP_INI
790  */
791 PHP_INI_BEGIN()
792 	STD_PHP_INI_ENTRY("session.save_path",          "",          PHP_INI_ALL, OnUpdateSaveDir,       save_path,          php_ps_globals,    ps_globals)
793 	STD_PHP_INI_ENTRY("session.name",               "PHPSESSID", PHP_INI_ALL, OnUpdateName,          session_name,       php_ps_globals,    ps_globals)
794 	PHP_INI_ENTRY("session.save_handler",           "files",     PHP_INI_ALL, OnUpdateSaveHandler)
795 	STD_PHP_INI_BOOLEAN("session.auto_start",       "0",         PHP_INI_PERDIR, OnUpdateBool,       auto_start,         php_ps_globals,    ps_globals)
796 	STD_PHP_INI_ENTRY("session.gc_probability",     "1",         PHP_INI_ALL, OnUpdateSessionLong,          gc_probability,     php_ps_globals,    ps_globals)
797 	STD_PHP_INI_ENTRY("session.gc_divisor",         "100",       PHP_INI_ALL, OnUpdateSessionLong,          gc_divisor,         php_ps_globals,    ps_globals)
798 	STD_PHP_INI_ENTRY("session.gc_maxlifetime",     "1440",      PHP_INI_ALL, OnUpdateSessionLong,          gc_maxlifetime,     php_ps_globals,    ps_globals)
799 	PHP_INI_ENTRY("session.serialize_handler",      "php",       PHP_INI_ALL, OnUpdateSerializer)
800 	STD_PHP_INI_ENTRY("session.cookie_lifetime",    "0",         PHP_INI_ALL, OnUpdateCookieLifetime,cookie_lifetime,    php_ps_globals,    ps_globals)
801 	STD_PHP_INI_ENTRY("session.cookie_path",        "/",         PHP_INI_ALL, OnUpdateSessionString, cookie_path,        php_ps_globals,    ps_globals)
802 	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateSessionString, cookie_domain,      php_ps_globals,    ps_globals)
803 	STD_PHP_INI_ENTRY("session.cookie_secure",      "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_secure,      php_ps_globals,    ps_globals)
804 	STD_PHP_INI_ENTRY("session.cookie_httponly",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
805 	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateString,        cookie_samesite,    php_ps_globals,    ps_globals)
806 	STD_PHP_INI_ENTRY("session.use_cookies",        "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
807 	STD_PHP_INI_ENTRY("session.use_only_cookies",   "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_only_cookies,   php_ps_globals,    ps_globals)
808 	STD_PHP_INI_ENTRY("session.use_strict_mode",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   use_strict_mode,    php_ps_globals,    ps_globals)
809 	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateSessionString, extern_referer_chk, php_ps_globals,    ps_globals)
810 	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateSessionString, cache_limiter,      php_ps_globals,    ps_globals)
811 	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateSessionLong,   cache_expire,       php_ps_globals,    ps_globals)
812 	PHP_INI_ENTRY("session.use_trans_sid",          "0",         PHP_INI_ALL, OnUpdateTransSid)
813 	PHP_INI_ENTRY("session.sid_length",             "32",        PHP_INI_ALL, OnUpdateSidLength)
814 	PHP_INI_ENTRY("session.sid_bits_per_character", "4",         PHP_INI_ALL, OnUpdateSidBits)
815 	STD_PHP_INI_BOOLEAN("session.lazy_write",       "1",         PHP_INI_ALL, OnUpdateLazyWrite,     lazy_write,         php_ps_globals,    ps_globals)
816 
817 	/* Upload progress */
818 	STD_PHP_INI_BOOLEAN("session.upload_progress.enabled",
819 	                                                "1",     ZEND_INI_PERDIR, OnUpdateBool,        rfc1867_enabled, php_ps_globals, ps_globals)
820 	STD_PHP_INI_BOOLEAN("session.upload_progress.cleanup",
821 	                                                "1",     ZEND_INI_PERDIR, OnUpdateBool,        rfc1867_cleanup, php_ps_globals, ps_globals)
822 	STD_PHP_INI_ENTRY("session.upload_progress.prefix",
823 	                                     "upload_progress_", ZEND_INI_PERDIR, OnUpdateString,      rfc1867_prefix,  php_ps_globals, ps_globals)
824 	STD_PHP_INI_ENTRY("session.upload_progress.name",
825 	                          "PHP_SESSION_UPLOAD_PROGRESS", ZEND_INI_PERDIR, OnUpdateString,      rfc1867_name,    php_ps_globals, ps_globals)
826 	STD_PHP_INI_ENTRY("session.upload_progress.freq",  "1%", ZEND_INI_PERDIR, OnUpdateRfc1867Freq, rfc1867_freq,    php_ps_globals, ps_globals)
827 	STD_PHP_INI_ENTRY("session.upload_progress.min_freq",
828 	                                                   "1",  ZEND_INI_PERDIR, OnUpdateReal,        rfc1867_min_freq,php_ps_globals, ps_globals)
829 
830 	/* Commented out until future discussion */
831 	/* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */
PHP_INI_END()832 PHP_INI_END()
833 /* }}} */
834 
835 /* ***************
836    * Serializers *
837    *************** */
838 PS_SERIALIZER_ENCODE_FUNC(php_serialize) /* {{{ */
839 {
840 	smart_str buf = {0};
841 	php_serialize_data_t var_hash;
842 
843 	IF_SESSION_VARS() {
844 		PHP_VAR_SERIALIZE_INIT(var_hash);
845 		php_var_serialize(&buf, Z_REFVAL(PS(http_session_vars)), &var_hash);
846 		PHP_VAR_SERIALIZE_DESTROY(var_hash);
847 	}
848 	return buf.s;
849 }
850 /* }}} */
851 
PS_SERIALIZER_DECODE_FUNC(php_serialize)852 PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
853 {
854 	const char *endptr = val + vallen;
855 	zval session_vars;
856 	php_unserialize_data_t var_hash;
857 	int result;
858 	zend_string *var_name = zend_string_init("_SESSION", sizeof("_SESSION") - 1, 0);
859 
860 	ZVAL_NULL(&session_vars);
861 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
862 	result = php_var_unserialize(
863 		&session_vars, (const unsigned char **)&val, (const unsigned char *)endptr, &var_hash);
864 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
865 	if (!result) {
866 		zval_ptr_dtor(&session_vars);
867 		ZVAL_NULL(&session_vars);
868 	}
869 
870 	if (!Z_ISUNDEF(PS(http_session_vars))) {
871 		zval_ptr_dtor(&PS(http_session_vars));
872 	}
873 	if (Z_TYPE(session_vars) == IS_NULL) {
874 		array_init(&session_vars);
875 	}
876 	ZVAL_NEW_REF(&PS(http_session_vars), &session_vars);
877 	Z_ADDREF_P(&PS(http_session_vars));
878 	zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars));
879 	zend_string_release_ex(var_name, 0);
880 	return SUCCESS;
881 }
882 /* }}} */
883 
884 #define PS_BIN_NR_OF_BITS 8
885 #define PS_BIN_UNDEF (1<<(PS_BIN_NR_OF_BITS-1))
886 #define PS_BIN_MAX (PS_BIN_UNDEF-1)
887 
PS_SERIALIZER_ENCODE_FUNC(php_binary)888 PS_SERIALIZER_ENCODE_FUNC(php_binary) /* {{{ */
889 {
890 	smart_str buf = {0};
891 	php_serialize_data_t var_hash;
892 	PS_ENCODE_VARS;
893 
894 	PHP_VAR_SERIALIZE_INIT(var_hash);
895 
896 	PS_ENCODE_LOOP(
897 			if (ZSTR_LEN(key) > PS_BIN_MAX) continue;
898 			smart_str_appendc(&buf, (unsigned char)ZSTR_LEN(key));
899 			smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
900 			php_var_serialize(&buf, struc, &var_hash);
901 	);
902 
903 	smart_str_0(&buf);
904 	PHP_VAR_SERIALIZE_DESTROY(var_hash);
905 
906 	return buf.s;
907 }
908 /* }}} */
909 
PS_SERIALIZER_DECODE_FUNC(php_binary)910 PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
911 {
912 	const char *p;
913 	const char *endptr = val + vallen;
914 	int namelen;
915 	zend_string *name;
916 	php_unserialize_data_t var_hash;
917 	zval *current, rv;
918 
919 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
920 
921 	for (p = val; p < endptr; ) {
922 		namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
923 
924 		if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
925 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
926 			return FAILURE;
927 		}
928 
929 		name = zend_string_init(p + 1, namelen, 0);
930 		p += namelen + 1;
931 		current = var_tmp_var(&var_hash);
932 
933 		if (php_var_unserialize(current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash)) {
934 			ZVAL_PTR(&rv, current);
935 			php_set_session_var(name, &rv, &var_hash);
936 		} else {
937 			zend_string_release_ex(name, 0);
938 			php_session_normalize_vars();
939 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
940 			return FAILURE;
941 		}
942 		zend_string_release_ex(name, 0);
943 	}
944 
945 	php_session_normalize_vars();
946 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
947 
948 	return SUCCESS;
949 }
950 /* }}} */
951 
952 #define PS_DELIMITER '|'
953 
PS_SERIALIZER_ENCODE_FUNC(php)954 PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
955 {
956 	smart_str buf = {0};
957 	php_serialize_data_t var_hash;
958 	PS_ENCODE_VARS;
959 
960 	PHP_VAR_SERIALIZE_INIT(var_hash);
961 
962 	PS_ENCODE_LOOP(
963 		smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
964 		if (memchr(ZSTR_VAL(key), PS_DELIMITER, ZSTR_LEN(key))) {
965 			PHP_VAR_SERIALIZE_DESTROY(var_hash);
966 			smart_str_free(&buf);
967 			return NULL;
968 		}
969 		smart_str_appendc(&buf, PS_DELIMITER);
970 		php_var_serialize(&buf, struc, &var_hash);
971 	);
972 
973 	smart_str_0(&buf);
974 
975 	PHP_VAR_SERIALIZE_DESTROY(var_hash);
976 	return buf.s;
977 }
978 /* }}} */
979 
PS_SERIALIZER_DECODE_FUNC(php)980 PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
981 {
982 	const char *p, *q;
983 	const char *endptr = val + vallen;
984 	ptrdiff_t namelen;
985 	zend_string *name;
986 	int retval = SUCCESS;
987 	php_unserialize_data_t var_hash;
988 	zval *current, rv;
989 
990 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
991 
992 	p = val;
993 
994 	while (p < endptr) {
995 		q = p;
996 		while (*q != PS_DELIMITER) {
997 			if (++q >= endptr) goto break_outer_loop;
998 		}
999 
1000 		namelen = q - p;
1001 		name = zend_string_init(p, namelen, 0);
1002 		q++;
1003 
1004 		current = var_tmp_var(&var_hash);
1005 		if (php_var_unserialize(current, (const unsigned char **)&q, (const unsigned char *)endptr, &var_hash)) {
1006 			ZVAL_PTR(&rv, current);
1007 			php_set_session_var(name, &rv, &var_hash);
1008 		} else {
1009 			zend_string_release_ex(name, 0);
1010 			retval = FAILURE;
1011 			goto break_outer_loop;
1012 		}
1013 		zend_string_release_ex(name, 0);
1014 		p = q;
1015 	}
1016 
1017 break_outer_loop:
1018 	php_session_normalize_vars();
1019 
1020 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
1021 
1022 	return retval;
1023 }
1024 /* }}} */
1025 
1026 #define MAX_SERIALIZERS 32
1027 #define PREDEFINED_SERIALIZERS 3
1028 
1029 static ps_serializer ps_serializers[MAX_SERIALIZERS + 1] = {
1030 	PS_SERIALIZER_ENTRY(php_serialize),
1031 	PS_SERIALIZER_ENTRY(php),
1032 	PS_SERIALIZER_ENTRY(php_binary)
1033 };
1034 
php_session_register_serializer(const char * name,zend_string * (* encode)(PS_SERIALIZER_ENCODE_ARGS),int (* decode)(PS_SERIALIZER_DECODE_ARGS))1035 PHPAPI int php_session_register_serializer(const char *name, zend_string *(*encode)(PS_SERIALIZER_ENCODE_ARGS), int (*decode)(PS_SERIALIZER_DECODE_ARGS)) /* {{{ */
1036 {
1037 	int ret = FAILURE;
1038 	int i;
1039 
1040 	for (i = 0; i < MAX_SERIALIZERS; i++) {
1041 		if (ps_serializers[i].name == NULL) {
1042 			ps_serializers[i].name = name;
1043 			ps_serializers[i].encode = encode;
1044 			ps_serializers[i].decode = decode;
1045 			ps_serializers[i + 1].name = NULL;
1046 			ret = SUCCESS;
1047 			break;
1048 		}
1049 	}
1050 	return ret;
1051 }
1052 /* }}} */
1053 
1054 /* *******************
1055    * Storage Modules *
1056    ******************* */
1057 
1058 #define MAX_MODULES 32
1059 #define PREDEFINED_MODULES 2
1060 
1061 static const ps_module *ps_modules[MAX_MODULES + 1] = {
1062 	ps_files_ptr,
1063 	ps_user_ptr
1064 };
1065 
php_session_register_module(const ps_module * ptr)1066 PHPAPI int php_session_register_module(const ps_module *ptr) /* {{{ */
1067 {
1068 	int ret = FAILURE;
1069 	int i;
1070 
1071 	for (i = 0; i < MAX_MODULES; i++) {
1072 		if (!ps_modules[i]) {
1073 			ps_modules[i] = ptr;
1074 			ret = SUCCESS;
1075 			break;
1076 		}
1077 	}
1078 	return ret;
1079 }
1080 /* }}} */
1081 
1082 /* Dummy PS module function */
php_session_validate_sid(PS_VALIDATE_SID_ARGS)1083 PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {
1084 	return SUCCESS;
1085 }
1086 
1087 /* Dummy PS module function */
php_session_update_timestamp(PS_UPDATE_TIMESTAMP_ARGS)1088 PHPAPI int php_session_update_timestamp(PS_UPDATE_TIMESTAMP_ARGS) {
1089 	return SUCCESS;
1090 }
1091 
1092 
1093 /* ******************
1094    * Cache Limiters *
1095    ****************** */
1096 
1097 typedef struct {
1098 	char *name;
1099 	void (*func)(void);
1100 } php_session_cache_limiter_t;
1101 
1102 #define CACHE_LIMITER(name) _php_cache_limiter_##name
1103 #define CACHE_LIMITER_FUNC(name) static void CACHE_LIMITER(name)(void)
1104 #define CACHE_LIMITER_ENTRY(name) { #name, CACHE_LIMITER(name) },
1105 #define ADD_HEADER(a) sapi_add_header(a, strlen(a), 1);
1106 #define MAX_STR 512
1107 
1108 static char *month_names[] = {
1109 	"Jan", "Feb", "Mar", "Apr", "May", "Jun",
1110 	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
1111 };
1112 
1113 static char *week_days[] = {
1114 	"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"
1115 };
1116 
strcpy_gmt(char * ubuf,time_t * when)1117 static inline void strcpy_gmt(char *ubuf, time_t *when) /* {{{ */
1118 {
1119 	char buf[MAX_STR];
1120 	struct tm tm, *res;
1121 	int n;
1122 
1123 	res = php_gmtime_r(when, &tm);
1124 
1125 	if (!res) {
1126 		ubuf[0] = '\0';
1127 		return;
1128 	}
1129 
1130 	n = slprintf(buf, sizeof(buf), "%s, %02d %s %d %02d:%02d:%02d GMT", /* SAFE */
1131 				week_days[tm.tm_wday], tm.tm_mday,
1132 				month_names[tm.tm_mon], tm.tm_year + 1900,
1133 				tm.tm_hour, tm.tm_min,
1134 				tm.tm_sec);
1135 	memcpy(ubuf, buf, n);
1136 	ubuf[n] = '\0';
1137 }
1138 /* }}} */
1139 
last_modified(void)1140 static inline void last_modified(void) /* {{{ */
1141 {
1142 	const char *path;
1143 	zend_stat_t sb;
1144 	char buf[MAX_STR + 1];
1145 
1146 	path = SG(request_info).path_translated;
1147 	if (path) {
1148 		if (VCWD_STAT(path, &sb) == -1) {
1149 			return;
1150 		}
1151 
1152 #define LAST_MODIFIED "Last-Modified: "
1153 		memcpy(buf, LAST_MODIFIED, sizeof(LAST_MODIFIED) - 1);
1154 		strcpy_gmt(buf + sizeof(LAST_MODIFIED) - 1, &sb.st_mtime);
1155 		ADD_HEADER(buf);
1156 	}
1157 }
1158 /* }}} */
1159 
1160 #define EXPIRES "Expires: "
CACHE_LIMITER_FUNC(public)1161 CACHE_LIMITER_FUNC(public) /* {{{ */
1162 {
1163 	char buf[MAX_STR + 1];
1164 	struct timeval tv;
1165 	time_t now;
1166 
1167 	gettimeofday(&tv, NULL);
1168 	now = tv.tv_sec + PS(cache_expire) * 60;
1169 	memcpy(buf, EXPIRES, sizeof(EXPIRES) - 1);
1170 	strcpy_gmt(buf + sizeof(EXPIRES) - 1, &now);
1171 	ADD_HEADER(buf);
1172 
1173 	snprintf(buf, sizeof(buf) , "Cache-Control: public, max-age=" ZEND_LONG_FMT, PS(cache_expire) * 60); /* SAFE */
1174 	ADD_HEADER(buf);
1175 
1176 	last_modified();
1177 }
1178 /* }}} */
1179 
CACHE_LIMITER_FUNC(private_no_expire)1180 CACHE_LIMITER_FUNC(private_no_expire) /* {{{ */
1181 {
1182 	char buf[MAX_STR + 1];
1183 
1184 	snprintf(buf, sizeof(buf), "Cache-Control: private, max-age=" ZEND_LONG_FMT, PS(cache_expire) * 60); /* SAFE */
1185 	ADD_HEADER(buf);
1186 
1187 	last_modified();
1188 }
1189 /* }}} */
1190 
CACHE_LIMITER_FUNC(private)1191 CACHE_LIMITER_FUNC(private) /* {{{ */
1192 {
1193 	ADD_HEADER("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
1194 	CACHE_LIMITER(private_no_expire)();
1195 }
1196 /* }}} */
1197 
CACHE_LIMITER_FUNC(nocache)1198 CACHE_LIMITER_FUNC(nocache) /* {{{ */
1199 {
1200 	ADD_HEADER("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
1201 
1202 	/* For HTTP/1.1 conforming clients */
1203 	ADD_HEADER("Cache-Control: no-store, no-cache, must-revalidate");
1204 
1205 	/* For HTTP/1.0 conforming clients */
1206 	ADD_HEADER("Pragma: no-cache");
1207 }
1208 /* }}} */
1209 
1210 static const php_session_cache_limiter_t php_session_cache_limiters[] = {
1211 	CACHE_LIMITER_ENTRY(public)
1212 	CACHE_LIMITER_ENTRY(private)
1213 	CACHE_LIMITER_ENTRY(private_no_expire)
1214 	CACHE_LIMITER_ENTRY(nocache)
1215 	{0}
1216 };
1217 
php_session_cache_limiter(void)1218 static int php_session_cache_limiter(void) /* {{{ */
1219 {
1220 	const php_session_cache_limiter_t *lim;
1221 
1222 	if (PS(cache_limiter)[0] == '\0') return 0;
1223 	if (PS(session_status) != php_session_active) return -1;
1224 
1225 	if (SG(headers_sent)) {
1226 		const char *output_start_filename = php_output_get_start_filename();
1227 		int output_start_lineno = php_output_get_start_lineno();
1228 
1229 		php_session_abort();
1230 		if (output_start_filename) {
1231 			php_error_docref(NULL, E_WARNING, "Cannot send session cache limiter - headers already sent (output started at %s:%d)", output_start_filename, output_start_lineno);
1232 		} else {
1233 			php_error_docref(NULL, E_WARNING, "Cannot send session cache limiter - headers already sent");
1234 		}
1235 		return -2;
1236 	}
1237 
1238 	for (lim = php_session_cache_limiters; lim->name; lim++) {
1239 		if (!strcasecmp(lim->name, PS(cache_limiter))) {
1240 			lim->func();
1241 			return 0;
1242 		}
1243 	}
1244 
1245 	return -1;
1246 }
1247 /* }}} */
1248 
1249 /* *********************
1250    * Cookie Management *
1251    ********************* */
1252 
1253 /*
1254  * Remove already sent session ID cookie.
1255  * It must be directly removed from SG(sapi_header) because sapi_add_header_ex()
1256  * removes all of matching cookie. i.e. It deletes all of Set-Cookie headers.
1257  */
php_session_remove_cookie(void)1258 static void php_session_remove_cookie(void) {
1259 	sapi_header_struct *header;
1260 	zend_llist *l = &SG(sapi_headers).headers;
1261 	zend_llist_element *next;
1262 	zend_llist_element *current;
1263 	char *session_cookie;
1264 	size_t session_cookie_len;
1265 	size_t len = sizeof("Set-Cookie")-1;
1266 
1267 	ZEND_ASSERT(strpbrk(PS(session_name), "=,; \t\r\n\013\014") == NULL);
1268 	spprintf(&session_cookie, 0, "Set-Cookie: %s=", PS(session_name));
1269 
1270 	session_cookie_len = strlen(session_cookie);
1271 	current = l->head;
1272 	while (current) {
1273 		header = (sapi_header_struct *)(current->data);
1274 		next = current->next;
1275 		if (header->header_len > len && header->header[len] == ':'
1276 			&& !strncmp(header->header, session_cookie, session_cookie_len)) {
1277 			if (current->prev) {
1278 				current->prev->next = next;
1279 			} else {
1280 				l->head = next;
1281 			}
1282 			if (next) {
1283 				next->prev = current->prev;
1284 			} else {
1285 				l->tail = current->prev;
1286 			}
1287 			sapi_free_header(header);
1288 			efree(current);
1289 			--l->count;
1290 		}
1291 		current = next;
1292 	}
1293 	efree(session_cookie);
1294 }
1295 
php_session_send_cookie(void)1296 static int php_session_send_cookie(void) /* {{{ */
1297 {
1298 	smart_str ncookie = {0};
1299 	zend_string *date_fmt = NULL;
1300 	zend_string *e_id;
1301 
1302 	if (SG(headers_sent)) {
1303 		const char *output_start_filename = php_output_get_start_filename();
1304 		int output_start_lineno = php_output_get_start_lineno();
1305 
1306 		if (output_start_filename) {
1307 			php_error_docref(NULL, E_WARNING, "Cannot send session cookie - headers already sent by (output started at %s:%d)", output_start_filename, output_start_lineno);
1308 		} else {
1309 			php_error_docref(NULL, E_WARNING, "Cannot send session cookie - headers already sent");
1310 		}
1311 		return FAILURE;
1312 	}
1313 
1314 	/* Prevent broken Set-Cookie header, because the session_name might be user supplied */
1315 	if (strpbrk(PS(session_name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
1316 		php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,; \\t\\r\\n\\013\\014'");
1317 		return FAILURE;
1318 	}
1319 
1320 	/* URL encode id because it might be user supplied */
1321 	e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)));
1322 
1323 	smart_str_appendl(&ncookie, "Set-Cookie: ", sizeof("Set-Cookie: ")-1);
1324 	smart_str_appendl(&ncookie, PS(session_name), strlen(PS(session_name)));
1325 	smart_str_appendc(&ncookie, '=');
1326 	smart_str_appendl(&ncookie, ZSTR_VAL(e_id), ZSTR_LEN(e_id));
1327 
1328 	zend_string_release_ex(e_id, 0);
1329 
1330 	if (PS(cookie_lifetime) > 0) {
1331 		struct timeval tv;
1332 		time_t t;
1333 
1334 		gettimeofday(&tv, NULL);
1335 		t = tv.tv_sec + PS(cookie_lifetime);
1336 
1337 		if (t > 0) {
1338 			date_fmt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0);
1339 			smart_str_appends(&ncookie, COOKIE_EXPIRES);
1340 			smart_str_appendl(&ncookie, ZSTR_VAL(date_fmt), ZSTR_LEN(date_fmt));
1341 			zend_string_release_ex(date_fmt, 0);
1342 
1343 			smart_str_appends(&ncookie, COOKIE_MAX_AGE);
1344 			smart_str_append_long(&ncookie, PS(cookie_lifetime));
1345 		}
1346 	}
1347 
1348 	if (PS(cookie_path)[0]) {
1349 		smart_str_appends(&ncookie, COOKIE_PATH);
1350 		smart_str_appends(&ncookie, PS(cookie_path));
1351 	}
1352 
1353 	if (PS(cookie_domain)[0]) {
1354 		smart_str_appends(&ncookie, COOKIE_DOMAIN);
1355 		smart_str_appends(&ncookie, PS(cookie_domain));
1356 	}
1357 
1358 	if (PS(cookie_secure)) {
1359 		smart_str_appends(&ncookie, COOKIE_SECURE);
1360 	}
1361 
1362 	if (PS(cookie_httponly)) {
1363 		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
1364 	}
1365 
1366 	if (PS(cookie_samesite)[0]) {
1367     	smart_str_appends(&ncookie, COOKIE_SAMESITE);
1368     	smart_str_appends(&ncookie, PS(cookie_samesite));
1369     }
1370 
1371 	smart_str_0(&ncookie);
1372 
1373 	php_session_remove_cookie(); /* remove already sent session ID cookie */
1374 	/*	'replace' must be 0 here, else a previous Set-Cookie
1375 		header, probably sent with setcookie() will be replaced! */
1376 	sapi_add_header_ex(estrndup(ZSTR_VAL(ncookie.s), ZSTR_LEN(ncookie.s)), ZSTR_LEN(ncookie.s), 0, 0);
1377 	smart_str_free(&ncookie);
1378 
1379 	return SUCCESS;
1380 }
1381 /* }}} */
1382 
_php_find_ps_module(char * name)1383 PHPAPI const ps_module *_php_find_ps_module(char *name) /* {{{ */
1384 {
1385 	const ps_module *ret = NULL;
1386 	const ps_module **mod;
1387 	int i;
1388 
1389 	for (i = 0, mod = ps_modules; i < MAX_MODULES; i++, mod++) {
1390 		if (*mod && !strcasecmp(name, (*mod)->s_name)) {
1391 			ret = *mod;
1392 			break;
1393 		}
1394 	}
1395 	return ret;
1396 }
1397 /* }}} */
1398 
_php_find_ps_serializer(char * name)1399 PHPAPI const ps_serializer *_php_find_ps_serializer(char *name) /* {{{ */
1400 {
1401 	const ps_serializer *ret = NULL;
1402 	const ps_serializer *mod;
1403 
1404 	for (mod = ps_serializers; mod->name; mod++) {
1405 		if (!strcasecmp(name, mod->name)) {
1406 			ret = mod;
1407 			break;
1408 		}
1409 	}
1410 	return ret;
1411 }
1412 /* }}} */
1413 
ppid2sid(zval * ppid)1414 static void ppid2sid(zval *ppid) {
1415 	ZVAL_DEREF(ppid);
1416 	if (Z_TYPE_P(ppid) == IS_STRING) {
1417 		PS(id) = zend_string_init(Z_STRVAL_P(ppid), Z_STRLEN_P(ppid), 0);
1418 		PS(send_cookie) = 0;
1419 	} else {
1420 		PS(id) = NULL;
1421 		PS(send_cookie) = 1;
1422 	}
1423 }
1424 
1425 
php_session_reset_id(void)1426 PHPAPI int php_session_reset_id(void) /* {{{ */
1427 {
1428 	int module_number = PS(module_number);
1429 	zval *sid, *data, *ppid;
1430 	zend_bool apply_trans_sid;
1431 
1432 	if (!PS(id)) {
1433 		php_error_docref(NULL, E_WARNING, "Cannot set session ID - session ID is not initialized");
1434 		return FAILURE;
1435 	}
1436 
1437 	if (PS(use_cookies) && PS(send_cookie)) {
1438 		php_session_send_cookie();
1439 		PS(send_cookie) = 0;
1440 	}
1441 
1442 	/* If the SID constant exists, destroy it. */
1443 	/* We must not delete any items in EG(zend_constants) */
1444 	/* zend_hash_str_del(EG(zend_constants), "sid", sizeof("sid") - 1); */
1445 	sid = zend_get_constant_str("SID", sizeof("SID") - 1);
1446 
1447 	if (PS(define_sid)) {
1448 		smart_str var = {0};
1449 
1450 		smart_str_appends(&var, PS(session_name));
1451 		smart_str_appendc(&var, '=');
1452 		smart_str_appends(&var, ZSTR_VAL(PS(id)));
1453 		smart_str_0(&var);
1454 		if (sid) {
1455 			zval_ptr_dtor_str(sid);
1456 			ZVAL_NEW_STR(sid, var.s);
1457 		} else {
1458 			REGISTER_STRINGL_CONSTANT("SID", ZSTR_VAL(var.s), ZSTR_LEN(var.s), 0);
1459 			smart_str_free(&var);
1460 		}
1461 	} else {
1462 		if (sid) {
1463 			zval_ptr_dtor_str(sid);
1464 			ZVAL_EMPTY_STRING(sid);
1465 		} else {
1466 			REGISTER_STRINGL_CONSTANT("SID", "", 0, 0);
1467 		}
1468 	}
1469 
1470 	/* Apply trans sid if sid cookie is not set */
1471 	apply_trans_sid = 0;
1472 	if (APPLY_TRANS_SID) {
1473 		apply_trans_sid = 1;
1474 		if (PS(use_cookies) &&
1475 			(data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
1476 			ZVAL_DEREF(data);
1477 			if (Z_TYPE_P(data) == IS_ARRAY &&
1478 				(ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), strlen(PS(session_name))))) {
1479 				ZVAL_DEREF(ppid);
1480 				apply_trans_sid = 0;
1481 			}
1482 		}
1483 	}
1484 	if (apply_trans_sid) {
1485 		zend_string *sname;
1486 		sname = zend_string_init(PS(session_name), strlen(PS(session_name)), 0);
1487 		php_url_scanner_reset_session_var(sname, 1); /* This may fail when session name has changed */
1488 		zend_string_release_ex(sname, 0);
1489 		php_url_scanner_add_session_var(PS(session_name), strlen(PS(session_name)), ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 1);
1490 	}
1491 	return SUCCESS;
1492 }
1493 /* }}} */
1494 
1495 
php_session_start(void)1496 PHPAPI int php_session_start(void) /* {{{ */
1497 {
1498 	zval *ppid;
1499 	zval *data;
1500 	char *p, *value;
1501 	size_t lensess;
1502 
1503 	switch (PS(session_status)) {
1504 		case php_session_active:
1505 			php_error(E_NOTICE, "A session had already been started - ignoring session_start()");
1506 			return FAILURE;
1507 			break;
1508 
1509 		case php_session_disabled:
1510 			value = zend_ini_string("session.save_handler", sizeof("session.save_handler") - 1, 0);
1511 			if (!PS(mod) && value) {
1512 				PS(mod) = _php_find_ps_module(value);
1513 				if (!PS(mod)) {
1514 					php_error_docref(NULL, E_WARNING, "Cannot find save handler '%s' - session startup failed", value);
1515 					return FAILURE;
1516 				}
1517 			}
1518 			value = zend_ini_string("session.serialize_handler", sizeof("session.serialize_handler") - 1, 0);
1519 			if (!PS(serializer) && value) {
1520 				PS(serializer) = _php_find_ps_serializer(value);
1521 				if (!PS(serializer)) {
1522 					php_error_docref(NULL, E_WARNING, "Cannot find serialization handler '%s' - session startup failed", value);
1523 					return FAILURE;
1524 				}
1525 			}
1526 			PS(session_status) = php_session_none;
1527 			/* Fall through */
1528 
1529 		case php_session_none:
1530 		default:
1531 			/* Setup internal flags */
1532 			PS(define_sid) = !PS(use_only_cookies); /* SID constant is defined when non-cookie ID is used */
1533 			PS(send_cookie) = PS(use_cookies) || PS(use_only_cookies);
1534 	}
1535 
1536 	lensess = strlen(PS(session_name));
1537 
1538 	/*
1539 	 * Cookies are preferred, because initially cookie and get
1540 	 * variables will be available.
1541 	 * URL/POST session ID may be used when use_only_cookies=Off.
1542 	 * session.use_strice_mode=On prevents session adoption.
1543 	 * Session based file upload progress uses non-cookie ID.
1544 	 */
1545 
1546 	if (!PS(id)) {
1547 		if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
1548 			ZVAL_DEREF(data);
1549 			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
1550 				ppid2sid(ppid);
1551 				PS(send_cookie) = 0;
1552 				PS(define_sid) = 0;
1553 			}
1554 		}
1555 		/* Initialize session ID from non cookie values */
1556 		if (!PS(use_only_cookies)) {
1557 			if (!PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1))) {
1558 				ZVAL_DEREF(data);
1559 				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
1560 					ppid2sid(ppid);
1561 				}
1562 			}
1563 			if (!PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1))) {
1564 				ZVAL_DEREF(data);
1565 				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
1566 					ppid2sid(ppid);
1567 				}
1568 			}
1569 			/* Check the REQUEST_URI symbol for a string of the form
1570 			 * '<session-name>=<session-id>' to allow URLs of the form
1571 			 * http://yoursite/<session-name>=<session-id>/script.php */
1572 			if (!PS(id) && zend_is_auto_global_str("_SERVER", sizeof("_SERVER") - 1) == SUCCESS &&
1573 				(data = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), "REQUEST_URI", sizeof("REQUEST_URI") - 1)) &&
1574 				Z_TYPE_P(data) == IS_STRING &&
1575 				(p = strstr(Z_STRVAL_P(data), PS(session_name))) &&
1576 				p[lensess] == '='
1577 				) {
1578 				char *q;
1579 				p += lensess + 1;
1580 				if ((q = strpbrk(p, "/?\\"))) {
1581 					PS(id) = zend_string_init(p, q - p, 0);
1582 				}
1583 			}
1584 			/* Check whether the current request was referred to by
1585 			 * an external site which invalidates the previously found id. */
1586 			if (PS(id) && PS(extern_referer_chk)[0] != '\0' &&
1587 				!Z_ISUNDEF(PG(http_globals)[TRACK_VARS_SERVER]) &&
1588 				(data = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), "HTTP_REFERER", sizeof("HTTP_REFERER") - 1)) &&
1589 				Z_TYPE_P(data) == IS_STRING &&
1590 				Z_STRLEN_P(data) != 0 &&
1591 				strstr(Z_STRVAL_P(data), PS(extern_referer_chk)) == NULL
1592 			) {
1593 				zend_string_release_ex(PS(id), 0);
1594 				PS(id) = NULL;
1595 			}
1596 		}
1597 	}
1598 
1599 	/* Finally check session id for dangerous characters
1600 	 * Security note: session id may be embedded in HTML pages.*/
1601 	if (PS(id) && strpbrk(ZSTR_VAL(PS(id)), "\r\n\t <>'\"\\")) {
1602 		zend_string_release_ex(PS(id), 0);
1603 		PS(id) = NULL;
1604 	}
1605 
1606 	if (php_session_initialize() == FAILURE
1607 		|| php_session_cache_limiter() == -2) {
1608 		PS(session_status) = php_session_none;
1609 		if (PS(id)) {
1610 			zend_string_release_ex(PS(id), 0);
1611 			PS(id) = NULL;
1612 		}
1613 		return FAILURE;
1614 	}
1615 	return SUCCESS;
1616 }
1617 /* }}} */
1618 
php_session_flush(int write)1619 PHPAPI int php_session_flush(int write) /* {{{ */
1620 {
1621 	if (PS(session_status) == php_session_active) {
1622 		php_session_save_current_state(write);
1623 		PS(session_status) = php_session_none;
1624 		return SUCCESS;
1625 	}
1626 	return FAILURE;
1627 }
1628 /* }}} */
1629 
php_session_abort(void)1630 static int php_session_abort(void) /* {{{ */
1631 {
1632 	if (PS(session_status) == php_session_active) {
1633 		if (PS(mod_data) || PS(mod_user_implemented)) {
1634 			PS(mod)->s_close(&PS(mod_data));
1635 		}
1636 		PS(session_status) = php_session_none;
1637 		return SUCCESS;
1638 	}
1639 	return FAILURE;
1640 }
1641 /* }}} */
1642 
php_session_reset(void)1643 static int php_session_reset(void) /* {{{ */
1644 {
1645 	if (PS(session_status) == php_session_active
1646 		&& php_session_initialize() == SUCCESS) {
1647 		return SUCCESS;
1648 	}
1649 	return FAILURE;
1650 }
1651 /* }}} */
1652 
1653 
1654 /* This API is not used by any PHP modules including session currently.
1655    session_adapt_url() may be used to set Session ID to target url without
1656    starting "URL-Rewriter" output handler. */
session_adapt_url(const char * url,size_t urllen,char ** new,size_t * newlen)1657 PHPAPI void session_adapt_url(const char *url, size_t urllen, char **new, size_t *newlen) /* {{{ */
1658 {
1659 	if (APPLY_TRANS_SID && (PS(session_status) == php_session_active)) {
1660 		*new = php_url_scanner_adapt_single_url(url, urllen, PS(session_name), ZSTR_VAL(PS(id)), newlen, 1);
1661 	}
1662 }
1663 /* }}} */
1664 
1665 /* ********************************
1666    * Userspace exported functions *
1667    ******************************** */
1668 
1669 /* {{{ proto bool session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure[, bool httponly]]]])
1670                   session_set_cookie_params(array options)
1671    Set session cookie parameters */
PHP_FUNCTION(session_set_cookie_params)1672 static PHP_FUNCTION(session_set_cookie_params)
1673 {
1674 	zval *lifetime_or_options = NULL;
1675 	zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
1676 	zend_bool secure = 0, secure_null = 1;
1677 	zend_bool httponly = 0, httponly_null = 1;
1678 	zend_string *ini_name;
1679 	int result;
1680 	int found = 0;
1681 
1682 	if (!PS(use_cookies)) {
1683 		return;
1684 	}
1685 
1686 	ZEND_PARSE_PARAMETERS_START(1, 5)
1687 		Z_PARAM_ZVAL(lifetime_or_options)
1688 		Z_PARAM_OPTIONAL
1689 		Z_PARAM_STR(path)
1690 		Z_PARAM_STR(domain)
1691 		Z_PARAM_BOOL_EX(secure, secure_null, 1, 0)
1692 		Z_PARAM_BOOL_EX(httponly, httponly_null, 1, 0)
1693 	ZEND_PARSE_PARAMETERS_END();
1694 
1695 	if (PS(session_status) == php_session_active) {
1696 		php_error_docref(NULL, E_WARNING, "Cannot change session cookie parameters when session is active");
1697 		RETURN_FALSE;
1698 	}
1699 
1700 	if (SG(headers_sent)) {
1701 		php_error_docref(NULL, E_WARNING, "Cannot change session cookie parameters when headers already sent");
1702 		RETURN_FALSE;
1703 	}
1704 
1705 	if (Z_TYPE_P(lifetime_or_options) == IS_ARRAY) {
1706 		zend_string *key;
1707 		zval *value;
1708 
1709 		if (path) {
1710 			path = NULL;
1711 			domain = NULL;
1712 			secure_null = 1;
1713 			httponly_null = 1;
1714 			php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
1715 			RETURN_FALSE;
1716 		}
1717 
1718 		ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(lifetime_or_options), key, value) {
1719 			if (key) {
1720 				ZVAL_DEREF(value);
1721 				if(!strcasecmp("lifetime", ZSTR_VAL(key))) {
1722 					lifetime = zval_get_string(value);
1723 					found++;
1724 				} else if(!strcasecmp("path", ZSTR_VAL(key))) {
1725 					path = zval_get_string(value);
1726 					found++;
1727 				} else if(!strcasecmp("domain", ZSTR_VAL(key))) {
1728 					domain = zval_get_string(value);
1729 					found++;
1730 				} else if(!strcasecmp("secure", ZSTR_VAL(key))) {
1731 					secure = zval_is_true(value);
1732 					secure_null = 0;
1733 					found++;
1734 				} else if(!strcasecmp("httponly", ZSTR_VAL(key))) {
1735 					httponly = zval_is_true(value);
1736 					httponly_null = 0;
1737 					found++;
1738 				} else if(!strcasecmp("samesite", ZSTR_VAL(key))) {
1739 					samesite = zval_get_string(value);
1740 					found++;
1741 				} else {
1742 					php_error_docref(NULL, E_WARNING, "Unrecognized key '%s' found in the options array", ZSTR_VAL(key));
1743 				}
1744 			} else {
1745 				php_error_docref(NULL, E_WARNING, "Numeric key found in the options array");
1746 			}
1747 		} ZEND_HASH_FOREACH_END();
1748 
1749 		if (found == 0) {
1750 			php_error_docref(NULL, E_WARNING, "No valid keys were found in the options array");
1751 			RETURN_FALSE;
1752 		}
1753 	} else {
1754 		lifetime = zval_get_string(lifetime_or_options);
1755 	}
1756 
1757 	/* Exception during string conversion */
1758 	if (EG(exception)) {
1759 		goto cleanup;
1760 	}
1761 
1762 	if (lifetime) {
1763 		ini_name = zend_string_init("session.cookie_lifetime", sizeof("session.cookie_lifetime") - 1, 0);
1764 		result = zend_alter_ini_entry(ini_name, lifetime, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1765 		zend_string_release_ex(ini_name, 0);
1766 		if (result == FAILURE) {
1767 			RETVAL_FALSE;
1768 			goto cleanup;
1769 		}
1770 	}
1771 	if (path) {
1772 		ini_name = zend_string_init("session.cookie_path", sizeof("session.cookie_path") - 1, 0);
1773 		result = zend_alter_ini_entry(ini_name, path, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1774 		zend_string_release_ex(ini_name, 0);
1775 		if (result == FAILURE) {
1776 			RETVAL_FALSE;
1777 			goto cleanup;
1778 		}
1779 	}
1780 	if (domain) {
1781 		ini_name = zend_string_init("session.cookie_domain", sizeof("session.cookie_domain") - 1, 0);
1782 		result = zend_alter_ini_entry(ini_name, domain, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1783 		zend_string_release_ex(ini_name, 0);
1784 		if (result == FAILURE) {
1785 			RETVAL_FALSE;
1786 			goto cleanup;
1787 		}
1788 	}
1789 	if (!secure_null) {
1790 		ini_name = zend_string_init("session.cookie_secure", sizeof("session.cookie_secure") - 1, 0);
1791 		result = zend_alter_ini_entry_chars(ini_name, secure ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1792 		zend_string_release_ex(ini_name, 0);
1793 		if (result == FAILURE) {
1794 			RETVAL_FALSE;
1795 			goto cleanup;
1796 		}
1797 	}
1798 	if (!httponly_null) {
1799 		ini_name = zend_string_init("session.cookie_httponly", sizeof("session.cookie_httponly") - 1, 0);
1800 		result = zend_alter_ini_entry_chars(ini_name, httponly ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1801 		zend_string_release_ex(ini_name, 0);
1802 		if (result == FAILURE) {
1803 			RETVAL_FALSE;
1804 			goto cleanup;
1805 		}
1806 	}
1807 	if (samesite) {
1808 		ini_name = zend_string_init("session.cookie_samesite", sizeof("session.cookie_samesite") - 1, 0);
1809 		result = zend_alter_ini_entry(ini_name, samesite, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1810 		zend_string_release_ex(ini_name, 0);
1811 		if (result == FAILURE) {
1812 			RETVAL_FALSE;
1813 			goto cleanup;
1814 		}
1815 	}
1816 
1817 	RETVAL_TRUE;
1818 
1819 cleanup:
1820 	if (lifetime) zend_string_release(lifetime);
1821 	if (found > 0) {
1822 		if (path) zend_string_release(path);
1823 		if (domain) zend_string_release(domain);
1824 		if (samesite) zend_string_release(samesite);
1825 	}
1826 }
1827 /* }}} */
1828 
1829 /* {{{ proto array session_get_cookie_params(void)
1830    Return the session cookie parameters */
PHP_FUNCTION(session_get_cookie_params)1831 static PHP_FUNCTION(session_get_cookie_params)
1832 {
1833 	if (zend_parse_parameters_none() == FAILURE) {
1834 		return;
1835 	}
1836 
1837 	array_init(return_value);
1838 
1839 	add_assoc_long(return_value, "lifetime", PS(cookie_lifetime));
1840 	add_assoc_string(return_value, "path", PS(cookie_path));
1841 	add_assoc_string(return_value, "domain", PS(cookie_domain));
1842 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
1843 	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
1844 	add_assoc_string(return_value, "samesite", PS(cookie_samesite));
1845 }
1846 /* }}} */
1847 
1848 /* {{{ proto string session_name([string newname])
1849    Return the current session name. If newname is given, the session name is replaced with newname */
PHP_FUNCTION(session_name)1850 static PHP_FUNCTION(session_name)
1851 {
1852 	zend_string *name = NULL;
1853 	zend_string *ini_name;
1854 
1855 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S", &name) == FAILURE) {
1856 		return;
1857 	}
1858 
1859 	if (name && PS(session_status) == php_session_active) {
1860 		php_error_docref(NULL, E_WARNING, "Cannot change session name when session is active");
1861 		RETURN_FALSE;
1862 	}
1863 
1864 	if (name && SG(headers_sent)) {
1865 		php_error_docref(NULL, E_WARNING, "Cannot change session name when headers already sent");
1866 		RETURN_FALSE;
1867 	}
1868 
1869 	RETVAL_STRING(PS(session_name));
1870 
1871 	if (name) {
1872 		ini_name = zend_string_init("session.name", sizeof("session.name") - 1, 0);
1873 		zend_alter_ini_entry(ini_name, name, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1874 		zend_string_release_ex(ini_name, 0);
1875 	}
1876 }
1877 /* }}} */
1878 
1879 /* {{{ proto string session_module_name([string newname])
1880    Return the current module name used for accessing session data. If newname is given, the module name is replaced with newname */
PHP_FUNCTION(session_module_name)1881 static PHP_FUNCTION(session_module_name)
1882 {
1883 	zend_string *name = NULL;
1884 	zend_string *ini_name;
1885 
1886 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S", &name) == FAILURE) {
1887 		return;
1888 	}
1889 
1890 	if (name && PS(session_status) == php_session_active) {
1891 		php_error_docref(NULL, E_WARNING, "Cannot change save handler module when session is active");
1892 		RETURN_FALSE;
1893 	}
1894 
1895 	if (name && SG(headers_sent)) {
1896 		php_error_docref(NULL, E_WARNING, "Cannot change save handler module when headers already sent");
1897 		RETURN_FALSE;
1898 	}
1899 
1900 	/* Set return_value to current module name */
1901 	if (PS(mod) && PS(mod)->s_name) {
1902 		RETVAL_STRING(PS(mod)->s_name);
1903 	} else {
1904 		RETVAL_EMPTY_STRING();
1905 	}
1906 
1907 	if (name) {
1908 		if (!_php_find_ps_module(ZSTR_VAL(name))) {
1909 			php_error_docref(NULL, E_WARNING, "Cannot find named PHP session module (%s)", ZSTR_VAL(name));
1910 
1911 			zval_ptr_dtor_str(return_value);
1912 			RETURN_FALSE;
1913 		}
1914 		if (PS(mod_data) || PS(mod_user_implemented)) {
1915 			PS(mod)->s_close(&PS(mod_data));
1916 		}
1917 		PS(mod_data) = NULL;
1918 
1919 		ini_name = zend_string_init("session.save_handler", sizeof("session.save_handler") - 1, 0);
1920 		zend_alter_ini_entry(ini_name, name, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1921 		zend_string_release_ex(ini_name, 0);
1922 	}
1923 }
1924 /* }}} */
1925 
set_user_save_handler_ini(void)1926 static inline void set_user_save_handler_ini(void) {
1927 	zend_string *ini_name, *ini_val;
1928 
1929 	ini_name = zend_string_init("session.save_handler", sizeof("session.save_handler") - 1, 0);
1930 	ini_val = zend_string_init("user", sizeof("user") - 1, 0);
1931 	PS(set_handler) = 1;
1932 	zend_alter_ini_entry(ini_name, ini_val, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
1933 	PS(set_handler) = 0;
1934 	zend_string_release_ex(ini_val, 0);
1935 	zend_string_release_ex(ini_name, 0);
1936 }
1937 
1938 /* {{{ proto bool session_set_save_handler(string open, string close, string read, string write, string destroy, string gc, string create_sid)
1939    Sets user-level functions */
PHP_FUNCTION(session_set_save_handler)1940 static PHP_FUNCTION(session_set_save_handler)
1941 {
1942 	zval *args = NULL;
1943 	int i, num_args, argc = ZEND_NUM_ARGS();
1944 
1945 	if (PS(session_status) == php_session_active) {
1946 		php_error_docref(NULL, E_WARNING, "Cannot change save handler when session is active");
1947 		RETURN_FALSE;
1948 	}
1949 
1950 	if (SG(headers_sent)) {
1951 		php_error_docref(NULL, E_WARNING, "Cannot change save handler when headers already sent");
1952 		RETURN_FALSE;
1953 	}
1954 
1955 	if (argc > 0 && argc <= 2) {
1956 		zval *obj = NULL;
1957 		zend_string *func_name;
1958 		zend_function *current_mptr;
1959 		zend_bool register_shutdown = 1;
1960 
1961 		if (zend_parse_parameters(ZEND_NUM_ARGS(), "O|b", &obj, php_session_iface_entry, &register_shutdown) == FAILURE) {
1962 			RETURN_FALSE;
1963 		}
1964 
1965 		/* For compatibility reason, implemented interface is not checked */
1966 		/* Find implemented methods - SessionHandlerInterface */
1967 		i = 0;
1968 		ZEND_HASH_FOREACH_STR_KEY(&php_session_iface_entry->function_table, func_name) {
1969 			if ((current_mptr = zend_hash_find_ptr(&Z_OBJCE_P(obj)->function_table, func_name))) {
1970 				if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
1971 					zval_ptr_dtor(&PS(mod_user_names).names[i]);
1972 				}
1973 
1974 				array_init_size(&PS(mod_user_names).names[i], 2);
1975 				Z_ADDREF_P(obj);
1976 				add_next_index_zval(&PS(mod_user_names).names[i], obj);
1977 				add_next_index_str(&PS(mod_user_names).names[i], zend_string_copy(func_name));
1978 			} else {
1979 				php_error_docref(NULL, E_ERROR, "Session handler's function table is corrupt");
1980 				RETURN_FALSE;
1981 			}
1982 
1983 			++i;
1984 		} ZEND_HASH_FOREACH_END();
1985 
1986 		/* Find implemented methods - SessionIdInterface (optional) */
1987 		ZEND_HASH_FOREACH_STR_KEY(&php_session_id_iface_entry->function_table, func_name) {
1988 			if ((current_mptr = zend_hash_find_ptr(&Z_OBJCE_P(obj)->function_table, func_name))) {
1989 				if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
1990 					zval_ptr_dtor(&PS(mod_user_names).names[i]);
1991 				}
1992 				array_init_size(&PS(mod_user_names).names[i], 2);
1993 				Z_ADDREF_P(obj);
1994 				add_next_index_zval(&PS(mod_user_names).names[i], obj);
1995 				add_next_index_str(&PS(mod_user_names).names[i], zend_string_copy(func_name));
1996 			} else {
1997 				if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
1998 					zval_ptr_dtor(&PS(mod_user_names).names[i]);
1999 					ZVAL_UNDEF(&PS(mod_user_names).names[i]);
2000 				}
2001 			}
2002 
2003 			++i;
2004 		} ZEND_HASH_FOREACH_END();
2005 
2006 		/* Find implemented methods - SessionUpdateTimestampInterface (optional) */
2007 		ZEND_HASH_FOREACH_STR_KEY(&php_session_update_timestamp_iface_entry->function_table, func_name) {
2008 			if ((current_mptr = zend_hash_find_ptr(&Z_OBJCE_P(obj)->function_table, func_name))) {
2009 				if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
2010 					zval_ptr_dtor(&PS(mod_user_names).names[i]);
2011 				}
2012 				array_init_size(&PS(mod_user_names).names[i], 2);
2013 				Z_ADDREF_P(obj);
2014 				add_next_index_zval(&PS(mod_user_names).names[i], obj);
2015 				add_next_index_str(&PS(mod_user_names).names[i], zend_string_copy(func_name));
2016 			} else {
2017 				if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
2018 					zval_ptr_dtor(&PS(mod_user_names).names[i]);
2019 					ZVAL_UNDEF(&PS(mod_user_names).names[i]);
2020 				}
2021 			}
2022 			++i;
2023 		} ZEND_HASH_FOREACH_END();
2024 
2025 		if (register_shutdown) {
2026 			/* create shutdown function */
2027 			php_shutdown_function_entry shutdown_function_entry;
2028 			shutdown_function_entry.arg_count = 1;
2029 			shutdown_function_entry.arguments = (zval *) safe_emalloc(sizeof(zval), 1, 0);
2030 
2031 			ZVAL_STRING(&shutdown_function_entry.arguments[0], "session_register_shutdown");
2032 
2033 			/* add shutdown function, removing the old one if it exists */
2034 			if (!register_user_shutdown_function("session_shutdown", sizeof("session_shutdown") - 1, &shutdown_function_entry)) {
2035 				zval_ptr_dtor(&shutdown_function_entry.arguments[0]);
2036 				efree(shutdown_function_entry.arguments);
2037 				php_error_docref(NULL, E_WARNING, "Unable to register session shutdown function");
2038 				RETURN_FALSE;
2039 			}
2040 		} else {
2041 			/* remove shutdown function */
2042 			remove_user_shutdown_function("session_shutdown", sizeof("session_shutdown") - 1);
2043 		}
2044 
2045 		if (PS(session_status) != php_session_active && (!PS(mod) || PS(mod) != &ps_mod_user)) {
2046 			set_user_save_handler_ini();
2047 		}
2048 
2049 		RETURN_TRUE;
2050 	}
2051 
2052 	/* Set procedural save handler functions */
2053 	if (argc < 6 || PS_NUM_APIS < argc) {
2054 		WRONG_PARAM_COUNT;
2055 	}
2056 
2057 	if (zend_parse_parameters(argc, "+", &args, &num_args) == FAILURE) {
2058 		return;
2059 	}
2060 
2061 	/* remove shutdown function */
2062 	remove_user_shutdown_function("session_shutdown", sizeof("session_shutdown") - 1);
2063 
2064 	/* At this point argc can only be between 6 and PS_NUM_APIS */
2065 	for (i = 0; i < argc; i++) {
2066 		if (!zend_is_callable(&args[i], 0, NULL)) {
2067 			zend_string *name = zend_get_callable_name(&args[i]);
2068 			php_error_docref(NULL, E_WARNING, "Argument %d is not a valid callback", i+1);
2069 			zend_string_release_ex(name, 0);
2070 			RETURN_FALSE;
2071 		}
2072 	}
2073 
2074 	if (!PS(mod) || PS(mod) != &ps_mod_user) {
2075 		set_user_save_handler_ini();
2076 	}
2077 
2078 	for (i = 0; i < argc; i++) {
2079 		if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
2080 			zval_ptr_dtor(&PS(mod_user_names).names[i]);
2081 		}
2082 		ZVAL_COPY(&PS(mod_user_names).names[i], &args[i]);
2083 	}
2084 
2085 	RETURN_TRUE;
2086 }
2087 /* }}} */
2088 
2089 /* {{{ proto string session_save_path([string newname])
2090    Return the current save path passed to module_name. If newname is given, the save path is replaced with newname */
PHP_FUNCTION(session_save_path)2091 static PHP_FUNCTION(session_save_path)
2092 {
2093 	zend_string *name = NULL;
2094 	zend_string *ini_name;
2095 
2096 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S", &name) == FAILURE) {
2097 		return;
2098 	}
2099 
2100 	if (name && PS(session_status) == php_session_active) {
2101 		php_error_docref(NULL, E_WARNING, "Cannot change save path when session is active");
2102 		RETURN_FALSE;
2103 	}
2104 
2105 	if (name && SG(headers_sent)) {
2106 		php_error_docref(NULL, E_WARNING, "Cannot change save path when headers already sent");
2107 		RETURN_FALSE;
2108 	}
2109 
2110 	RETVAL_STRING(PS(save_path));
2111 
2112 	if (name) {
2113 		if (memchr(ZSTR_VAL(name), '\0', ZSTR_LEN(name)) != NULL) {
2114 			php_error_docref(NULL, E_WARNING, "The save_path cannot contain NULL characters");
2115 			zval_ptr_dtor_str(return_value);
2116 			RETURN_FALSE;
2117 		}
2118 		ini_name = zend_string_init("session.save_path", sizeof("session.save_path") - 1, 0);
2119 		zend_alter_ini_entry(ini_name, name, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
2120 		zend_string_release_ex(ini_name, 0);
2121 	}
2122 }
2123 /* }}} */
2124 
2125 /* {{{ proto string session_id([string newid])
2126    Return the current session id. If newid is given, the session id is replaced with newid */
PHP_FUNCTION(session_id)2127 static PHP_FUNCTION(session_id)
2128 {
2129 	zend_string *name = NULL;
2130 	int argc = ZEND_NUM_ARGS();
2131 
2132 	if (zend_parse_parameters(argc, "|S", &name) == FAILURE) {
2133 		return;
2134 	}
2135 
2136 	if (name && PS(use_cookies) && SG(headers_sent)) {
2137 		php_error_docref(NULL, E_WARNING, "Cannot change session id when headers already sent");
2138 		RETURN_FALSE;
2139 	}
2140 
2141 	if (name && PS(session_status) == php_session_active) {
2142 		php_error_docref(NULL, E_WARNING, "Cannot change session id when session is active");
2143 		RETURN_FALSE;
2144 	}
2145 
2146 	if (PS(id)) {
2147 		/* keep compatibility for "\0" characters ???
2148 		 * see: ext/session/tests/session_id_error3.phpt */
2149 		size_t len = strlen(ZSTR_VAL(PS(id)));
2150 		if (UNEXPECTED(len != ZSTR_LEN(PS(id)))) {
2151 			RETVAL_NEW_STR(zend_string_init(ZSTR_VAL(PS(id)), len, 0));
2152 		} else {
2153 			RETVAL_STR_COPY(PS(id));
2154 		}
2155 	} else {
2156 		RETVAL_EMPTY_STRING();
2157 	}
2158 
2159 	if (name) {
2160 		if (PS(id)) {
2161 			zend_string_release_ex(PS(id), 0);
2162 		}
2163 		PS(id) = zend_string_copy(name);
2164 	}
2165 }
2166 /* }}} */
2167 
2168 /* {{{ proto bool session_regenerate_id([bool delete_old_session])
2169    Update the current session id with a newly generated one. If delete_old_session is set to true, remove the old session. */
PHP_FUNCTION(session_regenerate_id)2170 static PHP_FUNCTION(session_regenerate_id)
2171 {
2172 	zend_bool del_ses = 0;
2173 	zend_string *data;
2174 
2175 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|b", &del_ses) == FAILURE) {
2176 		return;
2177 	}
2178 
2179 	if (PS(session_status) != php_session_active) {
2180 		php_error_docref(NULL, E_WARNING, "Cannot regenerate session id - session is not active");
2181 		RETURN_FALSE;
2182 	}
2183 
2184 	if (SG(headers_sent)) {
2185 		php_error_docref(NULL, E_WARNING, "Cannot regenerate session id - headers already sent");
2186 		RETURN_FALSE;
2187 	}
2188 
2189 	/* Process old session data */
2190 	if (del_ses) {
2191 		if (PS(mod)->s_destroy(&PS(mod_data), PS(id)) == FAILURE) {
2192 			PS(mod)->s_close(&PS(mod_data));
2193 			PS(session_status) = php_session_none;
2194 			php_error_docref(NULL, E_WARNING, "Session object destruction failed.  ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2195 			RETURN_FALSE;
2196 		}
2197 	} else {
2198 		int ret;
2199 		data = php_session_encode();
2200 		if (data) {
2201 			ret = PS(mod)->s_write(&PS(mod_data), PS(id), data, PS(gc_maxlifetime));
2202 			zend_string_release_ex(data, 0);
2203 		} else {
2204 			ret = PS(mod)->s_write(&PS(mod_data), PS(id), ZSTR_EMPTY_ALLOC(), PS(gc_maxlifetime));
2205 		}
2206 		if (ret == FAILURE) {
2207 			PS(mod)->s_close(&PS(mod_data));
2208 			PS(session_status) = php_session_none;
2209 			php_error_docref(NULL, E_WARNING, "Session write failed. ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2210 			RETURN_FALSE;
2211 		}
2212 	}
2213 	PS(mod)->s_close(&PS(mod_data));
2214 
2215 	/* New session data */
2216 	if (PS(session_vars)) {
2217 		zend_string_release_ex(PS(session_vars), 0);
2218 		PS(session_vars) = NULL;
2219 	}
2220 	zend_string_release_ex(PS(id), 0);
2221 	PS(id) = NULL;
2222 
2223 	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)) == FAILURE) {
2224 		PS(session_status) = php_session_none;
2225 		zend_throw_error(NULL, "Failed to open session: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2226 		RETURN_FALSE;
2227 	}
2228 
2229 	PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
2230 	if (!PS(id)) {
2231 		PS(session_status) = php_session_none;
2232 		zend_throw_error(NULL, "Failed to create new session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2233 		RETURN_FALSE;
2234 	}
2235 	if (PS(use_strict_mode) && PS(mod)->s_validate_sid &&
2236 		PS(mod)->s_validate_sid(&PS(mod_data), PS(id)) == SUCCESS) {
2237 		zend_string_release_ex(PS(id), 0);
2238 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
2239 		if (!PS(id)) {
2240 			PS(mod)->s_close(&PS(mod_data));
2241 			PS(session_status) = php_session_none;
2242 			zend_throw_error(NULL, "Failed to create session ID by collision: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2243 			RETURN_FALSE;
2244 		}
2245 	}
2246 	/* Read is required to make new session data at this point. */
2247 	if (PS(mod)->s_read(&PS(mod_data), PS(id), &data, PS(gc_maxlifetime)) == FAILURE) {
2248 		PS(mod)->s_close(&PS(mod_data));
2249 		PS(session_status) = php_session_none;
2250 		zend_throw_error(NULL, "Failed to create(read) session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
2251 		RETURN_FALSE;
2252 	}
2253 	if (data) {
2254 		zend_string_release_ex(data, 0);
2255 	}
2256 
2257 	if (PS(use_cookies)) {
2258 		PS(send_cookie) = 1;
2259 	}
2260 	if (php_session_reset_id() == FAILURE) {
2261 		RETURN_FALSE;
2262 	}
2263 
2264 	RETURN_TRUE;
2265 }
2266 /* }}} */
2267 
2268 /* {{{ proto string session_create_id([string prefix])
2269    Generate new session ID. Intended for user save handlers. */
2270 /* This is not used yet */
PHP_FUNCTION(session_create_id)2271 static PHP_FUNCTION(session_create_id)
2272 {
2273 	zend_string *prefix = NULL, *new_id;
2274 	smart_str id = {0};
2275 
2276 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S", &prefix) == FAILURE) {
2277 		return;
2278 	}
2279 
2280 	if (prefix && ZSTR_LEN(prefix)) {
2281 		if (php_session_valid_key(ZSTR_VAL(prefix)) == FAILURE) {
2282 			/* E_ERROR raised for security reason. */
2283 			php_error_docref(NULL, E_WARNING, "Prefix cannot contain special characters. Only aphanumeric, ',', '-' are allowed");
2284 			RETURN_FALSE;
2285 		} else {
2286 			smart_str_append(&id, prefix);
2287 		}
2288 	}
2289 
2290 	if (!PS(in_save_handler) && PS(session_status) == php_session_active) {
2291 		int limit = 3;
2292 		while (limit--) {
2293 			new_id = PS(mod)->s_create_sid(&PS(mod_data));
2294 			if (!PS(mod)->s_validate_sid) {
2295 				break;
2296 			} else {
2297 				/* Detect collision and retry */
2298 				if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == SUCCESS) {
2299 					zend_string_release_ex(new_id, 0);
2300                     new_id = NULL;
2301 					continue;
2302 				}
2303 				break;
2304 			}
2305 		}
2306 	} else {
2307 		new_id = php_session_create_id(NULL);
2308 	}
2309 
2310 	if (new_id) {
2311 		smart_str_append(&id, new_id);
2312 		zend_string_release_ex(new_id, 0);
2313 	} else {
2314 		smart_str_free(&id);
2315 		php_error_docref(NULL, E_WARNING, "Failed to create new ID");
2316 		RETURN_FALSE;
2317 	}
2318 	smart_str_0(&id);
2319 	RETVAL_NEW_STR(id.s);
2320 }
2321 /* }}} */
2322 
2323 /* {{{ proto string session_cache_limiter([string new_cache_limiter])
2324    Return the current cache limiter. If new_cache_limited is given, the current cache_limiter is replaced with new_cache_limiter */
PHP_FUNCTION(session_cache_limiter)2325 static PHP_FUNCTION(session_cache_limiter)
2326 {
2327 	zend_string *limiter = NULL;
2328 	zend_string *ini_name;
2329 
2330 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S", &limiter) == FAILURE) {
2331 		return;
2332 	}
2333 
2334 	if (limiter && PS(session_status) == php_session_active) {
2335 		php_error_docref(NULL, E_WARNING, "Cannot change cache limiter when session is active");
2336 		RETURN_FALSE;
2337 	}
2338 
2339 	if (limiter && SG(headers_sent)) {
2340 		php_error_docref(NULL, E_WARNING, "Cannot change cache limiter when headers already sent");
2341 		RETURN_FALSE;
2342 	}
2343 
2344 	RETVAL_STRING(PS(cache_limiter));
2345 
2346 	if (limiter) {
2347 		ini_name = zend_string_init("session.cache_limiter", sizeof("session.cache_limiter") - 1, 0);
2348 		zend_alter_ini_entry(ini_name, limiter, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
2349 		zend_string_release_ex(ini_name, 0);
2350 	}
2351 }
2352 /* }}} */
2353 
2354 /* {{{ proto int session_cache_expire([int new_cache_expire])
2355    Return the current cache expire. If new_cache_expire is given, the current cache_expire is replaced with new_cache_expire */
PHP_FUNCTION(session_cache_expire)2356 static PHP_FUNCTION(session_cache_expire)
2357 {
2358 	zval *expires = NULL;
2359 	zend_string *ini_name;
2360 
2361 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|z", &expires) == FAILURE) {
2362 		return;
2363 	}
2364 
2365 	if (expires && PS(session_status) == php_session_active) {
2366 		php_error_docref(NULL, E_WARNING, "Cannot change cache expire when session is active");
2367 		RETURN_LONG(PS(cache_expire));
2368 	}
2369 
2370 	if (expires && SG(headers_sent)) {
2371 		php_error_docref(NULL, E_WARNING, "Cannot change cache expire when headers already sent");
2372 		RETURN_FALSE;
2373 	}
2374 
2375 	RETVAL_LONG(PS(cache_expire));
2376 
2377 	if (expires) {
2378 		if (!try_convert_to_string(expires)) {
2379 			return;
2380 		}
2381 
2382 		ini_name = zend_string_init("session.cache_expire", sizeof("session.cache_expire") - 1, 0);
2383 		zend_alter_ini_entry(ini_name, Z_STR_P(expires), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME);
2384 		zend_string_release_ex(ini_name, 0);
2385 	}
2386 }
2387 /* }}} */
2388 
2389 /* {{{ proto string session_encode(void)
2390    Serializes the current setup and returns the serialized representation */
PHP_FUNCTION(session_encode)2391 static PHP_FUNCTION(session_encode)
2392 {
2393 	zend_string *enc;
2394 
2395 	if (zend_parse_parameters_none() == FAILURE) {
2396 		return;
2397 	}
2398 
2399 	enc = php_session_encode();
2400 	if (enc == NULL) {
2401 		RETURN_FALSE;
2402 	}
2403 
2404 	RETURN_STR(enc);
2405 }
2406 /* }}} */
2407 
2408 /* {{{ proto bool session_decode(string data)
2409    Deserializes data and reinitializes the variables */
PHP_FUNCTION(session_decode)2410 static PHP_FUNCTION(session_decode)
2411 {
2412 	zend_string *str = NULL;
2413 
2414 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "S", &str) == FAILURE) {
2415 		return;
2416 	}
2417 
2418 	if (PS(session_status) != php_session_active) {
2419 		php_error_docref(NULL, E_WARNING, "Session is not active. You cannot decode session data");
2420 		RETURN_FALSE;
2421 	}
2422 
2423 	if (php_session_decode(str) == FAILURE) {
2424 		RETURN_FALSE;
2425 	}
2426 	RETURN_TRUE;
2427 }
2428 /* }}} */
2429 
php_session_start_set_ini(zend_string * varname,zend_string * new_value)2430 static int php_session_start_set_ini(zend_string *varname, zend_string *new_value) {
2431 	int ret;
2432 	smart_str buf ={0};
2433 	smart_str_appends(&buf, "session");
2434 	smart_str_appendc(&buf, '.');
2435 	smart_str_append(&buf, varname);
2436 	smart_str_0(&buf);
2437 	ret = zend_alter_ini_entry_ex(buf.s, new_value, PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0);
2438 	smart_str_free(&buf);
2439 	return ret;
2440 }
2441 
2442 /* {{{ proto bool session_start([array options])
2443 +   Begin session */
PHP_FUNCTION(session_start)2444 static PHP_FUNCTION(session_start)
2445 {
2446 	zval *options = NULL;
2447 	zval *value;
2448 	zend_ulong num_idx;
2449 	zend_string *str_idx;
2450 	zend_long read_and_close = 0;
2451 
2452 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a", &options) == FAILURE) {
2453 		RETURN_FALSE;
2454 	}
2455 
2456 	if (PS(session_status) == php_session_active) {
2457 		php_error_docref(NULL, E_NOTICE, "A session had already been started - ignoring");
2458 		RETURN_TRUE;
2459 	}
2460 
2461 	/*
2462 	 * TODO: To prevent unusable session with trans sid, actual output started status is
2463 	 * required. i.e. There shouldn't be any outputs in output buffer, otherwise session
2464 	 * module is unable to rewrite output.
2465 	 */
2466 	if (PS(use_cookies) && SG(headers_sent)) {
2467 		php_error_docref(NULL, E_WARNING, "Cannot start session when headers already sent");
2468 		RETURN_FALSE;
2469 	}
2470 
2471 	/* set options */
2472 	if (options) {
2473 		ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(options), num_idx, str_idx, value) {
2474 			if (str_idx) {
2475 				switch(Z_TYPE_P(value)) {
2476 					case IS_STRING:
2477 					case IS_TRUE:
2478 					case IS_FALSE:
2479 					case IS_LONG:
2480 						if (zend_string_equals_literal(str_idx, "read_and_close")) {
2481 							read_and_close = zval_get_long(value);
2482 						} else {
2483 							zend_string *tmp_val;
2484 							zend_string *val = zval_get_tmp_string(value, &tmp_val);
2485 							if (php_session_start_set_ini(str_idx, val) == FAILURE) {
2486 								php_error_docref(NULL, E_WARNING, "Setting option '%s' failed", ZSTR_VAL(str_idx));
2487 							}
2488 							zend_tmp_string_release(tmp_val);
2489 						}
2490 						break;
2491 					default:
2492 						php_error_docref(NULL, E_WARNING, "Option(%s) value must be string, boolean or long", ZSTR_VAL(str_idx));
2493 						break;
2494 				}
2495 			}
2496 			(void) num_idx;
2497 		} ZEND_HASH_FOREACH_END();
2498 	}
2499 
2500 	php_session_start();
2501 
2502 	if (PS(session_status) != php_session_active) {
2503 		IF_SESSION_VARS() {
2504 			zval *sess_var = Z_REFVAL(PS(http_session_vars));
2505 			SEPARATE_ARRAY(sess_var);
2506 			/* Clean $_SESSION. */
2507 			zend_hash_clean(Z_ARRVAL_P(sess_var));
2508 		}
2509 		RETURN_FALSE;
2510 	}
2511 
2512 	if (read_and_close) {
2513 		php_session_flush(0);
2514 	}
2515 
2516 	RETURN_TRUE;
2517 }
2518 /* }}} */
2519 
2520 /* {{{ proto bool session_destroy(void)
2521    Destroy the current session and all data associated with it */
PHP_FUNCTION(session_destroy)2522 static PHP_FUNCTION(session_destroy)
2523 {
2524 	if (zend_parse_parameters_none() == FAILURE) {
2525 		return;
2526 	}
2527 
2528 	RETURN_BOOL(php_session_destroy() == SUCCESS);
2529 }
2530 /* }}} */
2531 
2532 /* {{{ proto bool session_unset(void)
2533    Unset all registered variables */
PHP_FUNCTION(session_unset)2534 static PHP_FUNCTION(session_unset)
2535 {
2536 	if (zend_parse_parameters_none() == FAILURE) {
2537 		return;
2538 	}
2539 
2540 	if (PS(session_status) != php_session_active) {
2541 		RETURN_FALSE;
2542 	}
2543 
2544 	IF_SESSION_VARS() {
2545 		zval *sess_var = Z_REFVAL(PS(http_session_vars));
2546 		SEPARATE_ARRAY(sess_var);
2547 
2548 		/* Clean $_SESSION. */
2549 		zend_hash_clean(Z_ARRVAL_P(sess_var));
2550 	}
2551 	RETURN_TRUE;
2552 }
2553 /* }}} */
2554 
2555 /* {{{ proto int session_gc(void)
2556    Perform GC and return number of deleted sessions */
PHP_FUNCTION(session_gc)2557 static PHP_FUNCTION(session_gc)
2558 {
2559 	zend_long num;
2560 
2561 	if (zend_parse_parameters_none() == FAILURE) {
2562 		return;
2563 	}
2564 
2565 	if (PS(session_status) != php_session_active) {
2566 		php_error_docref(NULL, E_WARNING, "Session is not active");
2567 		RETURN_FALSE;
2568 	}
2569 
2570 	num = php_session_gc(1);
2571 	if (num < 0) {
2572 		RETURN_FALSE;
2573 	}
2574 
2575 	RETURN_LONG(num);
2576 }
2577 /* }}} */
2578 
2579 
2580 /* {{{ proto bool session_write_close(void)
2581    Write session data and end session */
PHP_FUNCTION(session_write_close)2582 static PHP_FUNCTION(session_write_close)
2583 {
2584 	if (zend_parse_parameters_none() == FAILURE) {
2585 		return;
2586 	}
2587 
2588 	if (PS(session_status) != php_session_active) {
2589 		RETURN_FALSE;
2590 	}
2591 	php_session_flush(1);
2592 	RETURN_TRUE;
2593 }
2594 /* }}} */
2595 
2596 /* {{{ proto bool session_abort(void)
2597    Abort session and end session. Session data will not be written */
PHP_FUNCTION(session_abort)2598 static PHP_FUNCTION(session_abort)
2599 {
2600 	if (zend_parse_parameters_none() == FAILURE) {
2601 		return;
2602 	}
2603 
2604 	if (PS(session_status) != php_session_active) {
2605 		RETURN_FALSE;
2606 	}
2607 	php_session_abort();
2608 	RETURN_TRUE;
2609 }
2610 /* }}} */
2611 
2612 /* {{{ proto bool session_reset(void)
2613    Reset session data from saved session data */
PHP_FUNCTION(session_reset)2614 static PHP_FUNCTION(session_reset)
2615 {
2616 	if (zend_parse_parameters_none() == FAILURE) {
2617 		return;
2618 	}
2619 
2620 	if (PS(session_status) != php_session_active) {
2621 		RETURN_FALSE;
2622 	}
2623 	php_session_reset();
2624 	RETURN_TRUE;
2625 }
2626 /* }}} */
2627 
2628 /* {{{ proto int session_status(void)
2629    Returns the current session status */
PHP_FUNCTION(session_status)2630 static PHP_FUNCTION(session_status)
2631 {
2632 	if (zend_parse_parameters_none() == FAILURE) {
2633 		return;
2634 	}
2635 
2636 	RETURN_LONG(PS(session_status));
2637 }
2638 /* }}} */
2639 
2640 /* {{{ proto void session_register_shutdown(void)
2641    Registers session_write_close() as a shutdown function */
PHP_FUNCTION(session_register_shutdown)2642 static PHP_FUNCTION(session_register_shutdown)
2643 {
2644 	php_shutdown_function_entry shutdown_function_entry;
2645 
2646 	/* This function is registered itself as a shutdown function by
2647 	 * session_set_save_handler($obj). The reason we now register another
2648 	 * shutdown function is in case the user registered their own shutdown
2649 	 * function after calling session_set_save_handler(), which expects
2650 	 * the session still to be available.
2651 	 */
2652 
2653 	shutdown_function_entry.arg_count = 1;
2654 	shutdown_function_entry.arguments = (zval *) safe_emalloc(sizeof(zval), 1, 0);
2655 
2656 	ZVAL_STRING(&shutdown_function_entry.arguments[0], "session_write_close");
2657 
2658 	if (!append_user_shutdown_function(shutdown_function_entry)) {
2659 		zval_ptr_dtor(&shutdown_function_entry.arguments[0]);
2660 		efree(shutdown_function_entry.arguments);
2661 
2662 		/* Unable to register shutdown function, presumably because of lack
2663 		 * of memory, so flush the session now. It would be done in rshutdown
2664 		 * anyway but the handler will have had it's dtor called by then.
2665 		 * If the user does have a later shutdown function which needs the
2666 		 * session then tough luck.
2667 		 */
2668 		php_session_flush(1);
2669 		php_error_docref(NULL, E_WARNING, "Unable to register session flush function");
2670 	}
2671 }
2672 /* }}} */
2673 
2674 /* {{{ arginfo */
2675 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_name, 0, 0, 0)
2676 	ZEND_ARG_INFO(0, name)
2677 ZEND_END_ARG_INFO()
2678 
2679 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_module_name, 0, 0, 0)
2680 	ZEND_ARG_INFO(0, module)
2681 ZEND_END_ARG_INFO()
2682 
2683 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_save_path, 0, 0, 0)
2684 	ZEND_ARG_INFO(0, path)
2685 ZEND_END_ARG_INFO()
2686 
2687 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_id, 0, 0, 0)
2688 	ZEND_ARG_INFO(0, id)
2689 ZEND_END_ARG_INFO()
2690 
2691 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_create_id, 0, 0, 0)
2692 	ZEND_ARG_INFO(0, prefix)
2693 ZEND_END_ARG_INFO()
2694 
2695 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_regenerate_id, 0, 0, 0)
2696 	ZEND_ARG_INFO(0, delete_old_session)
2697 ZEND_END_ARG_INFO()
2698 
2699 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_decode, 0, 0, 1)
2700 	ZEND_ARG_INFO(0, data)
2701 ZEND_END_ARG_INFO()
2702 
2703 ZEND_BEGIN_ARG_INFO(arginfo_session_void, 0)
2704 ZEND_END_ARG_INFO()
2705 
2706 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_set_save_handler, 0, 0, 1)
2707 	ZEND_ARG_INFO(0, open)
2708 	ZEND_ARG_INFO(0, close)
2709 	ZEND_ARG_INFO(0, read)
2710 	ZEND_ARG_INFO(0, write)
2711 	ZEND_ARG_INFO(0, destroy)
2712 	ZEND_ARG_INFO(0, gc)
2713 	ZEND_ARG_INFO(0, create_sid)
2714 	ZEND_ARG_INFO(0, validate_sid)
2715 	ZEND_ARG_INFO(0, update_timestamp)
2716 ZEND_END_ARG_INFO()
2717 
2718 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_cache_limiter, 0, 0, 0)
2719 	ZEND_ARG_INFO(0, cache_limiter)
2720 ZEND_END_ARG_INFO()
2721 
2722 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_cache_expire, 0, 0, 0)
2723 	ZEND_ARG_INFO(0, new_cache_expire)
2724 ZEND_END_ARG_INFO()
2725 
2726 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_set_cookie_params, 0, 0, 1)
2727 	ZEND_ARG_INFO(0, lifetime_or_options)
2728 	ZEND_ARG_INFO(0, path)
2729 	ZEND_ARG_INFO(0, domain)
2730 	ZEND_ARG_INFO(0, secure)
2731 	ZEND_ARG_INFO(0, httponly)
2732 ZEND_END_ARG_INFO()
2733 
2734 ZEND_BEGIN_ARG_INFO(arginfo_session_class_open, 0)
2735 	ZEND_ARG_INFO(0, save_path)
2736 	ZEND_ARG_INFO(0, session_name)
2737 ZEND_END_ARG_INFO()
2738 
2739 ZEND_BEGIN_ARG_INFO(arginfo_session_class_close, 0)
2740 ZEND_END_ARG_INFO()
2741 
2742 ZEND_BEGIN_ARG_INFO(arginfo_session_class_read, 0)
2743 	ZEND_ARG_INFO(0, key)
2744 ZEND_END_ARG_INFO()
2745 
2746 ZEND_BEGIN_ARG_INFO(arginfo_session_class_write, 0)
2747 	ZEND_ARG_INFO(0, key)
2748 	ZEND_ARG_INFO(0, val)
2749 ZEND_END_ARG_INFO()
2750 
2751 ZEND_BEGIN_ARG_INFO(arginfo_session_class_destroy, 0)
2752 	ZEND_ARG_INFO(0, key)
2753 ZEND_END_ARG_INFO()
2754 
2755 ZEND_BEGIN_ARG_INFO(arginfo_session_class_gc, 0)
2756 	ZEND_ARG_INFO(0, maxlifetime)
2757 ZEND_END_ARG_INFO()
2758 
2759 ZEND_BEGIN_ARG_INFO(arginfo_session_class_create_sid, 0)
2760 ZEND_END_ARG_INFO()
2761 
2762 ZEND_BEGIN_ARG_INFO(arginfo_session_class_validateId, 0)
2763 	ZEND_ARG_INFO(0, key)
2764 ZEND_END_ARG_INFO()
2765 
2766 ZEND_BEGIN_ARG_INFO(arginfo_session_class_updateTimestamp, 0)
2767 	ZEND_ARG_INFO(0, key)
2768 	ZEND_ARG_INFO(0, val)
2769 ZEND_END_ARG_INFO()
2770 
2771 ZEND_BEGIN_ARG_INFO_EX(arginfo_session_start, 0, 0, 0)
2772 	ZEND_ARG_INFO(0, options) /* array */
2773 ZEND_END_ARG_INFO()
2774 /* }}} */
2775 
2776 /* {{{ session_functions[]
2777  */
2778 static const zend_function_entry session_functions[] = {
2779 	PHP_FE(session_name,              arginfo_session_name)
2780 	PHP_FE(session_module_name,       arginfo_session_module_name)
2781 	PHP_FE(session_save_path,         arginfo_session_save_path)
2782 	PHP_FE(session_id,                arginfo_session_id)
2783 	PHP_FE(session_create_id,         arginfo_session_create_id)
2784 	PHP_FE(session_regenerate_id,     arginfo_session_regenerate_id)
2785 	PHP_FE(session_decode,            arginfo_session_decode)
2786 	PHP_FE(session_encode,            arginfo_session_void)
2787 	PHP_FE(session_start,             arginfo_session_start)
2788 	PHP_FE(session_destroy,           arginfo_session_void)
2789 	PHP_FE(session_unset,             arginfo_session_void)
2790 	PHP_FE(session_gc,                arginfo_session_void)
2791 	PHP_FE(session_set_save_handler,  arginfo_session_set_save_handler)
2792 	PHP_FE(session_cache_limiter,     arginfo_session_cache_limiter)
2793 	PHP_FE(session_cache_expire,      arginfo_session_cache_expire)
2794 	PHP_FE(session_set_cookie_params, arginfo_session_set_cookie_params)
2795 	PHP_FE(session_get_cookie_params, arginfo_session_void)
2796 	PHP_FE(session_write_close,       arginfo_session_void)
2797 	PHP_FE(session_abort,             arginfo_session_void)
2798 	PHP_FE(session_reset,             arginfo_session_void)
2799 	PHP_FE(session_status,            arginfo_session_void)
2800 	PHP_FE(session_register_shutdown, arginfo_session_void)
2801 	PHP_FALIAS(session_commit, session_write_close, arginfo_session_void)
2802 	PHP_FE_END
2803 };
2804 /* }}} */
2805 
2806 /* {{{ SessionHandlerInterface functions[]
2807 */
2808 static const zend_function_entry php_session_iface_functions[] = {
2809 	PHP_ABSTRACT_ME(SessionHandlerInterface, open, arginfo_session_class_open)
2810 	PHP_ABSTRACT_ME(SessionHandlerInterface, close, arginfo_session_class_close)
2811 	PHP_ABSTRACT_ME(SessionHandlerInterface, read, arginfo_session_class_read)
2812 	PHP_ABSTRACT_ME(SessionHandlerInterface, write, arginfo_session_class_write)
2813 	PHP_ABSTRACT_ME(SessionHandlerInterface, destroy, arginfo_session_class_destroy)
2814 	PHP_ABSTRACT_ME(SessionHandlerInterface, gc, arginfo_session_class_gc)
2815 	PHP_FE_END
2816 };
2817 /* }}} */
2818 
2819 /* {{{ SessionIdInterface functions[]
2820 */
2821 static const zend_function_entry php_session_id_iface_functions[] = {
2822 	PHP_ABSTRACT_ME(SessionIdInterface, create_sid, arginfo_session_class_create_sid)
2823 	PHP_FE_END
2824 };
2825 /* }}} */
2826 
2827 /* {{{ SessionUpdateTimestampHandler functions[]
2828  */
2829 static const zend_function_entry php_session_update_timestamp_iface_functions[] = {
2830 	PHP_ABSTRACT_ME(SessionUpdateTimestampHandlerInterface, validateId, arginfo_session_class_validateId)
2831 	PHP_ABSTRACT_ME(SessionUpdateTimestampHandlerInterface, updateTimestamp, arginfo_session_class_updateTimestamp)
2832 	PHP_FE_END
2833 };
2834 /* }}} */
2835 
2836 /* {{{ SessionHandler functions[]
2837  */
2838 static const zend_function_entry php_session_class_functions[] = {
2839 	PHP_ME(SessionHandler, open, arginfo_session_class_open, ZEND_ACC_PUBLIC)
2840 	PHP_ME(SessionHandler, close, arginfo_session_class_close, ZEND_ACC_PUBLIC)
2841 	PHP_ME(SessionHandler, read, arginfo_session_class_read, ZEND_ACC_PUBLIC)
2842 	PHP_ME(SessionHandler, write, arginfo_session_class_write, ZEND_ACC_PUBLIC)
2843 	PHP_ME(SessionHandler, destroy, arginfo_session_class_destroy, ZEND_ACC_PUBLIC)
2844 	PHP_ME(SessionHandler, gc, arginfo_session_class_gc, ZEND_ACC_PUBLIC)
2845 	PHP_ME(SessionHandler, create_sid, arginfo_session_class_create_sid, ZEND_ACC_PUBLIC)
2846 	PHP_FE_END
2847 };
2848 /* }}} */
2849 
2850 /* ********************************
2851    * Module Setup and Destruction *
2852    ******************************** */
2853 
php_rinit_session(zend_bool auto_start)2854 static int php_rinit_session(zend_bool auto_start) /* {{{ */
2855 {
2856 	php_rinit_session_globals();
2857 
2858 	PS(mod) = NULL;
2859 	{
2860 		char *value;
2861 
2862 		value = zend_ini_string("session.save_handler", sizeof("session.save_handler") - 1, 0);
2863 		if (value) {
2864 			PS(mod) = _php_find_ps_module(value);
2865 		}
2866 	}
2867 
2868 	if (PS(serializer) == NULL) {
2869 		char *value;
2870 
2871 		value = zend_ini_string("session.serialize_handler", sizeof("session.serialize_handler") - 1, 0);
2872 		if (value) {
2873 			PS(serializer) = _php_find_ps_serializer(value);
2874 		}
2875 	}
2876 
2877 	if (PS(mod) == NULL || PS(serializer) == NULL) {
2878 		/* current status is unusable */
2879 		PS(session_status) = php_session_disabled;
2880 		return SUCCESS;
2881 	}
2882 
2883 	if (auto_start) {
2884 		php_session_start();
2885 	}
2886 
2887 	return SUCCESS;
2888 } /* }}} */
2889 
PHP_RINIT_FUNCTION(session)2890 static PHP_RINIT_FUNCTION(session) /* {{{ */
2891 {
2892 	return php_rinit_session(PS(auto_start));
2893 }
2894 /* }}} */
2895 
PHP_RSHUTDOWN_FUNCTION(session)2896 static PHP_RSHUTDOWN_FUNCTION(session) /* {{{ */
2897 {
2898 	int i;
2899 
2900 	if (PS(session_status) == php_session_active) {
2901 		zend_try {
2902 			php_session_flush(1);
2903 		} zend_end_try();
2904 	}
2905 	php_rshutdown_session_globals();
2906 
2907 	/* this should NOT be done in php_rshutdown_session_globals() */
2908 	for (i = 0; i < PS_NUM_APIS; i++) {
2909 		if (!Z_ISUNDEF(PS(mod_user_names).names[i])) {
2910 			zval_ptr_dtor(&PS(mod_user_names).names[i]);
2911 			ZVAL_UNDEF(&PS(mod_user_names).names[i]);
2912 		}
2913 	}
2914 
2915 	return SUCCESS;
2916 }
2917 /* }}} */
2918 
PHP_GINIT_FUNCTION(ps)2919 static PHP_GINIT_FUNCTION(ps) /* {{{ */
2920 {
2921 	int i;
2922 
2923 #if defined(COMPILE_DL_SESSION) && defined(ZTS)
2924 	ZEND_TSRMLS_CACHE_UPDATE();
2925 #endif
2926 
2927 	ps_globals->save_path = NULL;
2928 	ps_globals->session_name = NULL;
2929 	ps_globals->id = NULL;
2930 	ps_globals->mod = NULL;
2931 	ps_globals->serializer = NULL;
2932 	ps_globals->mod_data = NULL;
2933 	ps_globals->session_status = php_session_none;
2934 	ps_globals->default_mod = NULL;
2935 	ps_globals->mod_user_implemented = 0;
2936 	ps_globals->mod_user_is_open = 0;
2937 	ps_globals->session_vars = NULL;
2938 	ps_globals->set_handler = 0;
2939 	for (i = 0; i < PS_NUM_APIS; i++) {
2940 		ZVAL_UNDEF(&ps_globals->mod_user_names.names[i]);
2941 	}
2942 	ZVAL_UNDEF(&ps_globals->http_session_vars);
2943 }
2944 /* }}} */
2945 
PHP_MINIT_FUNCTION(session)2946 static PHP_MINIT_FUNCTION(session) /* {{{ */
2947 {
2948 	zend_class_entry ce;
2949 
2950 	zend_register_auto_global(zend_string_init_interned("_SESSION", sizeof("_SESSION") - 1, 1), 0, NULL);
2951 
2952 	my_module_number = module_number;
2953 	PS(module_number) = module_number;
2954 
2955 	PS(session_status) = php_session_none;
2956 	REGISTER_INI_ENTRIES();
2957 
2958 #ifdef HAVE_LIBMM
2959 	PHP_MINIT(ps_mm) (INIT_FUNC_ARGS_PASSTHRU);
2960 #endif
2961 	php_session_rfc1867_orig_callback = php_rfc1867_callback;
2962 	php_rfc1867_callback = php_session_rfc1867_callback;
2963 
2964 	/* Register interfaces */
2965 	INIT_CLASS_ENTRY(ce, PS_IFACE_NAME, php_session_iface_functions);
2966 	php_session_iface_entry = zend_register_internal_class(&ce);
2967 	php_session_iface_entry->ce_flags |= ZEND_ACC_INTERFACE;
2968 
2969 	INIT_CLASS_ENTRY(ce, PS_SID_IFACE_NAME, php_session_id_iface_functions);
2970 	php_session_id_iface_entry = zend_register_internal_class(&ce);
2971 	php_session_id_iface_entry->ce_flags |= ZEND_ACC_INTERFACE;
2972 
2973 	INIT_CLASS_ENTRY(ce, PS_UPDATE_TIMESTAMP_IFACE_NAME, php_session_update_timestamp_iface_functions);
2974 	php_session_update_timestamp_iface_entry = zend_register_internal_class(&ce);
2975 	php_session_update_timestamp_iface_entry->ce_flags |= ZEND_ACC_INTERFACE;
2976 
2977 	/* Register base class */
2978 	INIT_CLASS_ENTRY(ce, PS_CLASS_NAME, php_session_class_functions);
2979 	php_session_class_entry = zend_register_internal_class(&ce);
2980 	zend_class_implements(php_session_class_entry, 1, php_session_iface_entry);
2981 	zend_class_implements(php_session_class_entry, 1, php_session_id_iface_entry);
2982 
2983 	REGISTER_LONG_CONSTANT("PHP_SESSION_DISABLED", php_session_disabled, CONST_CS | CONST_PERSISTENT);
2984 	REGISTER_LONG_CONSTANT("PHP_SESSION_NONE", php_session_none, CONST_CS | CONST_PERSISTENT);
2985 	REGISTER_LONG_CONSTANT("PHP_SESSION_ACTIVE", php_session_active, CONST_CS | CONST_PERSISTENT);
2986 
2987 	return SUCCESS;
2988 }
2989 /* }}} */
2990 
PHP_MSHUTDOWN_FUNCTION(session)2991 static PHP_MSHUTDOWN_FUNCTION(session) /* {{{ */
2992 {
2993 	UNREGISTER_INI_ENTRIES();
2994 
2995 #ifdef HAVE_LIBMM
2996 	PHP_MSHUTDOWN(ps_mm) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
2997 #endif
2998 
2999 	/* reset rfc1867 callbacks */
3000 	php_session_rfc1867_orig_callback = NULL;
3001 	if (php_rfc1867_callback == php_session_rfc1867_callback) {
3002 		php_rfc1867_callback = NULL;
3003 	}
3004 
3005 	ps_serializers[PREDEFINED_SERIALIZERS].name = NULL;
3006 	memset(&ps_modules[PREDEFINED_MODULES], 0, (MAX_MODULES-PREDEFINED_MODULES)*sizeof(ps_module *));
3007 
3008 	return SUCCESS;
3009 }
3010 /* }}} */
3011 
PHP_MINFO_FUNCTION(session)3012 static PHP_MINFO_FUNCTION(session) /* {{{ */
3013 {
3014 	const ps_module **mod;
3015 	ps_serializer *ser;
3016 	smart_str save_handlers = {0};
3017 	smart_str ser_handlers = {0};
3018 	int i;
3019 
3020 	/* Get save handlers */
3021 	for (i = 0, mod = ps_modules; i < MAX_MODULES; i++, mod++) {
3022 		if (*mod && (*mod)->s_name) {
3023 			smart_str_appends(&save_handlers, (*mod)->s_name);
3024 			smart_str_appendc(&save_handlers, ' ');
3025 		}
3026 	}
3027 
3028 	/* Get serializer handlers */
3029 	for (i = 0, ser = ps_serializers; i < MAX_SERIALIZERS; i++, ser++) {
3030 		if (ser && ser->name) {
3031 			smart_str_appends(&ser_handlers, ser->name);
3032 			smart_str_appendc(&ser_handlers, ' ');
3033 		}
3034 	}
3035 
3036 	php_info_print_table_start();
3037 	php_info_print_table_row(2, "Session Support", "enabled" );
3038 
3039 	if (save_handlers.s) {
3040 		smart_str_0(&save_handlers);
3041 		php_info_print_table_row(2, "Registered save handlers", ZSTR_VAL(save_handlers.s));
3042 		smart_str_free(&save_handlers);
3043 	} else {
3044 		php_info_print_table_row(2, "Registered save handlers", "none");
3045 	}
3046 
3047 	if (ser_handlers.s) {
3048 		smart_str_0(&ser_handlers);
3049 		php_info_print_table_row(2, "Registered serializer handlers", ZSTR_VAL(ser_handlers.s));
3050 		smart_str_free(&ser_handlers);
3051 	} else {
3052 		php_info_print_table_row(2, "Registered serializer handlers", "none");
3053 	}
3054 
3055 	php_info_print_table_end();
3056 
3057 	DISPLAY_INI_ENTRIES();
3058 }
3059 /* }}} */
3060 
3061 static const zend_module_dep session_deps[] = { /* {{{ */
3062 	ZEND_MOD_OPTIONAL("hash")
3063 	ZEND_MOD_REQUIRED("spl")
3064 	ZEND_MOD_END
3065 };
3066 /* }}} */
3067 
3068 /* ************************
3069    * Upload hook handling *
3070    ************************ */
3071 
early_find_sid_in(zval * dest,int where,php_session_rfc1867_progress * progress)3072 static zend_bool early_find_sid_in(zval *dest, int where, php_session_rfc1867_progress *progress) /* {{{ */
3073 {
3074 	zval *ppid;
3075 
3076 	if (Z_ISUNDEF(PG(http_globals)[where])) {
3077 		return 0;
3078 	}
3079 
3080 	if ((ppid = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[where]), PS(session_name), progress->sname_len))
3081 			&& Z_TYPE_P(ppid) == IS_STRING) {
3082 		zval_ptr_dtor(dest);
3083 		ZVAL_COPY_DEREF(dest, ppid);
3084 		return 1;
3085 	}
3086 
3087 	return 0;
3088 } /* }}} */
3089 
php_session_rfc1867_early_find_sid(php_session_rfc1867_progress * progress)3090 static void php_session_rfc1867_early_find_sid(php_session_rfc1867_progress *progress) /* {{{ */
3091 {
3092 
3093 	if (PS(use_cookies)) {
3094 		sapi_module.treat_data(PARSE_COOKIE, NULL, NULL);
3095 		if (early_find_sid_in(&progress->sid, TRACK_VARS_COOKIE, progress)) {
3096 			progress->apply_trans_sid = 0;
3097 			return;
3098 		}
3099 	}
3100 	if (PS(use_only_cookies)) {
3101 		return;
3102 	}
3103 	sapi_module.treat_data(PARSE_GET, NULL, NULL);
3104 	early_find_sid_in(&progress->sid, TRACK_VARS_GET, progress);
3105 } /* }}} */
3106 
php_check_cancel_upload(php_session_rfc1867_progress * progress)3107 static zend_bool php_check_cancel_upload(php_session_rfc1867_progress *progress) /* {{{ */
3108 {
3109 	zval *progress_ary, *cancel_upload;
3110 
3111 	if ((progress_ary = zend_symtable_find(Z_ARRVAL_P(Z_REFVAL(PS(http_session_vars))), progress->key.s)) == NULL) {
3112 		return 0;
3113 	}
3114 	if (Z_TYPE_P(progress_ary) != IS_ARRAY) {
3115 		return 0;
3116 	}
3117 	if ((cancel_upload = zend_hash_str_find(Z_ARRVAL_P(progress_ary), "cancel_upload", sizeof("cancel_upload") - 1)) == NULL) {
3118 		return 0;
3119 	}
3120 	return Z_TYPE_P(cancel_upload) == IS_TRUE;
3121 } /* }}} */
3122 
php_session_rfc1867_update(php_session_rfc1867_progress * progress,int force_update)3123 static void php_session_rfc1867_update(php_session_rfc1867_progress *progress, int force_update) /* {{{ */
3124 {
3125 	if (!force_update) {
3126 		if (Z_LVAL_P(progress->post_bytes_processed) < progress->next_update) {
3127 			return;
3128 		}
3129 #ifdef HAVE_GETTIMEOFDAY
3130 		if (PS(rfc1867_min_freq) > 0.0) {
3131 			struct timeval tv = {0};
3132 			double dtv;
3133 			gettimeofday(&tv, NULL);
3134 			dtv = (double) tv.tv_sec + tv.tv_usec / 1000000.0;
3135 			if (dtv < progress->next_update_time) {
3136 				return;
3137 			}
3138 			progress->next_update_time = dtv + PS(rfc1867_min_freq);
3139 		}
3140 #endif
3141 		progress->next_update = Z_LVAL_P(progress->post_bytes_processed) + progress->update_step;
3142 	}
3143 
3144 	php_session_initialize();
3145 	PS(session_status) = php_session_active;
3146 	IF_SESSION_VARS() {
3147 		zval *sess_var = Z_REFVAL(PS(http_session_vars));
3148 		SEPARATE_ARRAY(sess_var);
3149 
3150 		progress->cancel_upload |= php_check_cancel_upload(progress);
3151 		Z_TRY_ADDREF(progress->data);
3152 		zend_hash_update(Z_ARRVAL_P(sess_var), progress->key.s, &progress->data);
3153 	}
3154 	php_session_flush(1);
3155 } /* }}} */
3156 
php_session_rfc1867_cleanup(php_session_rfc1867_progress * progress)3157 static void php_session_rfc1867_cleanup(php_session_rfc1867_progress *progress) /* {{{ */
3158 {
3159 	php_session_initialize();
3160 	PS(session_status) = php_session_active;
3161 	IF_SESSION_VARS() {
3162 		zval *sess_var = Z_REFVAL(PS(http_session_vars));
3163 		SEPARATE_ARRAY(sess_var);
3164 		zend_hash_del(Z_ARRVAL_P(sess_var), progress->key.s);
3165 	}
3166 	php_session_flush(1);
3167 } /* }}} */
3168 
php_session_rfc1867_callback(unsigned int event,void * event_data,void ** extra)3169 static int php_session_rfc1867_callback(unsigned int event, void *event_data, void **extra) /* {{{ */
3170 {
3171 	php_session_rfc1867_progress *progress;
3172 	int retval = SUCCESS;
3173 
3174 	if (php_session_rfc1867_orig_callback) {
3175 		retval = php_session_rfc1867_orig_callback(event, event_data, extra);
3176 	}
3177 	if (!PS(rfc1867_enabled)) {
3178 		return retval;
3179 	}
3180 
3181 	progress = PS(rfc1867_progress);
3182 
3183 	switch(event) {
3184 		case MULTIPART_EVENT_START: {
3185 			multipart_event_start *data = (multipart_event_start *) event_data;
3186 			progress = ecalloc(1, sizeof(php_session_rfc1867_progress));
3187 			progress->content_length = data->content_length;
3188 			progress->sname_len  = strlen(PS(session_name));
3189 			PS(rfc1867_progress) = progress;
3190 		}
3191 		break;
3192 		case MULTIPART_EVENT_FORMDATA: {
3193 			multipart_event_formdata *data = (multipart_event_formdata *) event_data;
3194 			size_t value_len;
3195 
3196 			if (Z_TYPE(progress->sid) && progress->key.s) {
3197 				break;
3198 			}
3199 
3200 			/* orig callback may have modified *data->newlength */
3201 			if (data->newlength) {
3202 				value_len = *data->newlength;
3203 			} else {
3204 				value_len = data->length;
3205 			}
3206 
3207 			if (data->name && data->value && value_len) {
3208 				size_t name_len = strlen(data->name);
3209 
3210 				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
3211 					zval_ptr_dtor(&progress->sid);
3212 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
3213 				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
3214 					smart_str_free(&progress->key);
3215 					smart_str_appends(&progress->key, PS(rfc1867_prefix));
3216 					smart_str_appendl(&progress->key, *data->value, value_len);
3217 					smart_str_0(&progress->key);
3218 
3219 					progress->apply_trans_sid = APPLY_TRANS_SID;
3220 					php_session_rfc1867_early_find_sid(progress);
3221 				}
3222 			}
3223 		}
3224 		break;
3225 		case MULTIPART_EVENT_FILE_START: {
3226 			multipart_event_file_start *data = (multipart_event_file_start *) event_data;
3227 
3228 			/* Do nothing when $_POST["PHP_SESSION_UPLOAD_PROGRESS"] is not set
3229 			 * or when we have no session id */
3230 			if (!Z_TYPE(progress->sid) || !progress->key.s) {
3231 				break;
3232 			}
3233 
3234 			/* First FILE_START event, initializing data */
3235 			if (Z_ISUNDEF(progress->data)) {
3236 
3237 				if (PS(rfc1867_freq) >= 0) {
3238 					progress->update_step = PS(rfc1867_freq);
3239 				} else if (PS(rfc1867_freq) < 0) { /* % of total size */
3240 					progress->update_step = progress->content_length * -PS(rfc1867_freq) / 100;
3241 				}
3242 				progress->next_update = 0;
3243 				progress->next_update_time = 0.0;
3244 
3245 				array_init(&progress->data);
3246 				array_init(&progress->files);
3247 
3248 				add_assoc_long_ex(&progress->data, "start_time", sizeof("start_time") - 1, (zend_long)sapi_get_request_time());
3249 				add_assoc_long_ex(&progress->data, "content_length",  sizeof("content_length") - 1, progress->content_length);
3250 				add_assoc_long_ex(&progress->data, "bytes_processed", sizeof("bytes_processed") - 1, data->post_bytes_processed);
3251 				add_assoc_bool_ex(&progress->data, "done", sizeof("done") - 1, 0);
3252 				add_assoc_zval_ex(&progress->data, "files", sizeof("files") - 1, &progress->files);
3253 
3254 				progress->post_bytes_processed = zend_hash_str_find(Z_ARRVAL(progress->data), "bytes_processed", sizeof("bytes_processed") - 1);
3255 
3256 				php_rinit_session(0);
3257 				PS(id) = zend_string_init(Z_STRVAL(progress->sid), Z_STRLEN(progress->sid), 0);
3258 				if (progress->apply_trans_sid) {
3259 					/* Enable trans sid by modifying flags */
3260 					PS(use_trans_sid) = 1;
3261 					PS(use_only_cookies) = 0;
3262 				}
3263 				PS(send_cookie) = 0;
3264 			}
3265 
3266 			array_init(&progress->current_file);
3267 
3268 			/* Each uploaded file has its own array. Trying to make it close to $_FILES entries. */
3269 			add_assoc_string_ex(&progress->current_file, "field_name", sizeof("field_name") - 1, data->name);
3270 			add_assoc_string_ex(&progress->current_file, "name", sizeof("name") - 1, *data->filename);
3271 			add_assoc_null_ex(&progress->current_file, "tmp_name", sizeof("tmp_name") - 1);
3272 			add_assoc_long_ex(&progress->current_file, "error", sizeof("error") - 1, 0);
3273 
3274 			add_assoc_bool_ex(&progress->current_file, "done", sizeof("done") - 1, 0);
3275 			add_assoc_long_ex(&progress->current_file, "start_time", sizeof("start_time") - 1, (zend_long)time(NULL));
3276