Created
March 28, 2012 06:48
-
-
Save yohgaki/2224360 to your computer and use it in GitHub Desktop.
PHP 5.3: Strict Session patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c | |
| index ec25bea..2046934 100644 | |
| --- a/ext/session/mod_files.c | |
| +++ b/ext/session/mod_files.c | |
| @@ -61,40 +61,9 @@ typedef struct { | |
| } ps_files; | |
| ps_module ps_mod_files = { | |
| - PS_MOD(files) | |
| + PS_MOD_SID(files) | |
| }; | |
| -/* If you change the logic here, please also update the error message in | |
| - * ps_files_open() appropriately */ | |
| -static int ps_files_valid_key(const char *key) | |
| -{ | |
| - size_t len; | |
| - const char *p; | |
| - char c; | |
| - int ret = 1; | |
| - | |
| - for (p = key; (c = *p); p++) { | |
| - /* valid characters are a..z,A..Z,0..9 */ | |
| - if (!((c >= 'a' && c <= 'z') | |
| - || (c >= 'A' && c <= 'Z') | |
| - || (c >= '0' && c <= '9') | |
| - || c == ',' | |
| - || c == '-')) { | |
| - ret = 0; | |
| - break; | |
| - } | |
| - } | |
| - | |
| - len = p - key; | |
| - | |
| - /* Somewhat arbitrary length limit here, but should be way more than | |
| - anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ | |
| - if (len == 0 || len > 128) { | |
| - ret = 0; | |
| - } | |
| - | |
| - return ret; | |
| -} | |
| static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key) | |
| { | |
| @@ -155,11 +124,12 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC) | |
| ps_files_close(data); | |
| - if (!ps_files_valid_key(key)) { | |
| - php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"); | |
| + if (php_session_validate_key(key) == FAILURE) { | |
| PS(invalid_session_id) = 1; | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"); | |
| return; | |
| } | |
| + | |
| if (!ps_files_path_create(buf, sizeof(buf), data, key)) { | |
| return; | |
| } | |
| @@ -259,6 +229,45 @@ static int ps_files_cleanup_dir(const char *dirname, int maxlifetime TSRMLS_DC) | |
| return (nrdels); | |
| } | |
| +static int ps_files_validate_sid(ps_files *data, char *key TSRMLS_DC) | |
| +{ | |
| + char buf[MAXPATHLEN]; | |
| + int fd; | |
| + | |
| + if (!ps_files_path_create(buf, sizeof(buf), data, key)) { | |
| + PS(invalid_session_id) = 1; | |
| + return FAILURE; | |
| + } | |
| + | |
| + fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, data->filemode); | |
| + | |
| + if (fd != -1) { | |
| + close(fd); | |
| + return SUCCESS; | |
| + } | |
| + | |
| + PS(invalid_session_id) = 1; | |
| + return FAILURE; | |
| +} | |
| + | |
| +static int ps_files_check_collision(ps_files *data, char *key TSRMLS_DC) | |
| +{ | |
| + char buf[MAXPATHLEN]; | |
| + struct stat sbuf; | |
| + | |
| + if (!ps_files_path_create(buf, sizeof(buf), data, key)) { | |
| + PS(invalid_session_id) = 1; | |
| + return FAILURE; | |
| + } | |
| + | |
| + if (!VCWD_STAT(buf, &sbuf)) { | |
| + PS(invalid_session_id) = 1; | |
| + return FAILURE; | |
| + } | |
| + return SUCCESS; | |
| +} | |
| + | |
| + | |
| #define PS_FILES_DATA ps_files *data = PS_GET_MOD_DATA() | |
| PS_OPEN_FUNC(files) | |
| @@ -345,10 +354,31 @@ PS_CLOSE_FUNC(files) | |
| PS_READ_FUNC(files) | |
| { | |
| long n; | |
| + int cnt = 0; | |
| struct stat sbuf; | |
| PS_FILES_DATA; | |
| - ps_files_open(data, key TSRMLS_CC); | |
| + /* If there is an ID and strict mode, verify it */ | |
| + if (PS(id) && PS(use_strict_mode) | |
| + && ps_files_validate_sid(data, PS(id) TSRMLS_CC) == FAILURE) { | |
| + efree(PS(id)); | |
| + PS(id) = NULL; | |
| + } | |
| + | |
| + /* If there is no ID, use session module to create one */ | |
| + while(!PS(id)) { | |
| + PS(id) = PS(mod)->s_create_sid((void **)&data, NULL TSRMLS_CC); | |
| + if (cnt++ > 3) { | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to create session ID more than twice. Check your save_path."); | |
| + return FAILURE; | |
| + } | |
| + if (!PS(id) || ps_files_check_collision(data, PS(id) TSRMLS_CC) == FAILURE) { | |
| + continue; | |
| + } | |
| + PS(invalid_session_id) = 0; | |
| + } | |
| + | |
| + ps_files_open(data, PS(id) TSRMLS_CC); | |
| if (data->fd < 0) { | |
| return FAILURE; | |
| } | |
| @@ -460,6 +490,24 @@ PS_GC_FUNC(files) | |
| return SUCCESS; | |
| } | |
| +PS_CREATE_SID_FUNC(files) | |
| +{ | |
| + char *sid; | |
| + PS_FILES_DATA; | |
| + | |
| + sid = php_session_create_id((void **)&data, newlen TSRMLS_CC); | |
| + | |
| + if (!sid) { | |
| + int newlen, old_hash; | |
| + old_hash = PS(hash_func); | |
| + PS(hash_func) = PS_HASH_FUNC_SHA1; /* use SHA1 so that it never fails */ | |
| + PS(id) = php_session_create_id((void **)&data, &newlen TSRMLS_CC); | |
| + PS(hash_func) = old_hash; | |
| + } | |
| + return sid; | |
| +} | |
| + | |
| + | |
| /* | |
| * Local variables: | |
| * tab-width: 4 | |
| diff --git a/ext/session/mod_files.h b/ext/session/mod_files.h | |
| index 43ac47f..3cdcad4 100644 | |
| --- a/ext/session/mod_files.h | |
| +++ b/ext/session/mod_files.h | |
| @@ -24,6 +24,6 @@ | |
| extern ps_module ps_mod_files; | |
| #define ps_files_ptr &ps_mod_files | |
| -PS_FUNCS(files); | |
| +PS_FUNCS_SID(files); | |
| #endif | |
| diff --git a/ext/session/mod_mm.c b/ext/session/mod_mm.c | |
| index b99dd82..cfa9a3b 100644 | |
| --- a/ext/session/mod_mm.c | |
| +++ b/ext/session/mod_mm.c | |
| @@ -124,7 +124,7 @@ static ps_sd *ps_sd_new(ps_mm *data, const char *key) | |
| if (!sd) { | |
| TSRMLS_FETCH(); | |
| - php_error_docref(NULL TSRMLS_CC, E_WARNING, "mm_malloc failed, avail %d, err %s", mm_available(data->mm), mm_error()); | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "mm_malloc failed, avail %ld, err %s", mm_available(data->mm), mm_error()); | |
| return NULL; | |
| } | |
| @@ -208,8 +208,38 @@ static ps_sd *ps_sd_lookup(ps_mm *data, const char *key, int rw) | |
| return ret; | |
| } | |
| +static int ps_mm_validate_sid(ps_mm *data, const char *key) | |
| +{ | |
| + ps_sd *sd; | |
| + | |
| + if (php_session_validate_key(key) == FAILURE) { | |
| + PS(invalid_session_id) = 1; | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"); | |
| + return FAILURE; | |
| + } | |
| + | |
| + sd = ps_sd_lookup(data, key, 0); | |
| + if (sd) { | |
| + return FAILURE; | |
| + } | |
| + PS(invalid_session_id) = 1; | |
| + return SUCCESS; | |
| +} | |
| + | |
| +static int ps_mm_check_collision(ps_mm *data, const char *key) | |
| +{ | |
| + ps_sd *sd; | |
| + | |
| + sd = ps_sd_lookup(data, key, 0); | |
| + if (sd) { | |
| + PS(invalid_session_id) = 1; | |
| + return FAILURE; | |
| + } | |
| + return SUCCESS; | |
| +} | |
| + | |
| ps_module ps_mod_mm = { | |
| - PS_MOD(mm) | |
| + PS_MOD_SID(mm) | |
| }; | |
| #define PS_MM_DATA ps_mm *data = PS_GET_MOD_DATA() | |
| @@ -257,6 +287,7 @@ static void ps_mm_destroy(ps_mm *data) | |
| free(data); | |
| } | |
| + | |
| PHP_MINIT_FUNCTION(ps_mm) | |
| { | |
| int save_path_len = strlen(PS(save_path)); | |
| @@ -314,6 +345,9 @@ PHP_MSHUTDOWN_FUNCTION(ps_mm) | |
| PS_OPEN_FUNC(mm) | |
| { | |
| + int cnt = 0; | |
| + PS_MM_DATA; | |
| + | |
| ps_mm_debug(("open: ps_mm_instance=%p\n", ps_mm_instance)); | |
| if (!ps_mm_instance) { | |
| @@ -321,6 +355,29 @@ PS_OPEN_FUNC(mm) | |
| } | |
| PS_SET_MOD_DATA(ps_mm_instance); | |
| + /* If there is an ID and strict mode, verify it */ | |
| + if (PS(id) && PS(use_strict_mode) | |
| + && ps_mm_validate_sid(data, PS(id) TSRMLS_CC) == FAILURE) { | |
| + efree(PS(id)); | |
| + PS(id) = NULL; | |
| + } | |
| + | |
| + /* If there is no ID, use session module to create one */ | |
| + while(!PS(id)) { | |
| + PS(id) = PS(mod)->s_create_sid((void **)&data, NULL TSRMLS_CC); | |
| + if (cnt++ > 3) { | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to create session ID more than twice. Check your save_path."); | |
| + return FAILURE; | |
| + } | |
| + if (!PS(id) || ps_mm_check_collision(data, PS(id) TSRMLS_CC) == FAILURE) { | |
| + continue; | |
| + } | |
| + PS(invalid_session_id) = 0; | |
| + if (PS(use_cookies)) { | |
| + PS(send_cookie) = 1; | |
| + } | |
| + } | |
| + | |
| return SUCCESS; | |
| } | |
| @@ -442,6 +499,24 @@ PS_GC_FUNC(mm) | |
| return SUCCESS; | |
| } | |
| +PS_CREATE_SID_FUNC(mm) | |
| +{ | |
| + char *sid; | |
| + PS_MM_DATA; | |
| + | |
| + sid = php_session_create_id((void **)&data, newlen); | |
| + | |
| + if (!sid) { | |
| + int newlen, old_hash; | |
| + old_hash = PS(hash_func); | |
| + PS(hash_func) = PS_HASH_FUNC_SHA1; /* use SHA1 so that it never fails */ | |
| + PS(id) = php_session_create_id((void **)&data, &newlen TSRMLS_CC); | |
| + PS(hash_func) = old_hash; | |
| + } | |
| + | |
| + return sid; | |
| +} | |
| + | |
| #endif | |
| /* | |
| diff --git a/ext/session/mod_mm.h b/ext/session/mod_mm.h | |
| index adec504..98f7d09 100644 | |
| --- a/ext/session/mod_mm.h | |
| +++ b/ext/session/mod_mm.h | |
| @@ -31,7 +31,7 @@ PHP_MSHUTDOWN_FUNCTION(ps_mm); | |
| extern ps_module ps_mod_mm; | |
| #define ps_mm_ptr &ps_mod_mm | |
| -PS_FUNCS(mm); | |
| +PS_FUNCS_SID(mm); | |
| #endif | |
| #endif | |
| diff --git a/ext/session/mod_user.c b/ext/session/mod_user.c | |
| index 17af624..ac5c770 100644 | |
| --- a/ext/session/mod_user.c | |
| +++ b/ext/session/mod_user.c | |
| @@ -85,6 +85,7 @@ PS_OPEN_FUNC(user) | |
| { | |
| zval *args[2]; | |
| static char dummy = 0; | |
| + int cnt = 0; | |
| STDVARS1; | |
| if (PSF(open) == NULL) { | |
| @@ -107,6 +108,25 @@ PS_OPEN_FUNC(user) | |
| PS_SET_MOD_DATA(&dummy); | |
| } | |
| + /* If there is no SID, use session module to create one. | |
| + * mod_user do not validate SID, nor check SID collision. | |
| + * Users are responsible to do that. | |
| + */ | |
| + while(!PS(id)) { | |
| + PS(id) = php_session_create_id((void **)mod_data, NULL TSRMLS_CC); | |
| + if (cnt++ > 3) { | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to create session ID more than twice. Check your save_path."); | |
| + return FAILURE; | |
| + } | |
| + PS(invalid_session_id) = 0; | |
| + } | |
| + | |
| + if (PS(use_strict_mode) && php_session_validate_key(PS(id)) == FAILURE) { | |
| + PS(invalid_session_id) = 1; | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"); | |
| + return FAILURE; | |
| + } | |
| + | |
| FINISH; | |
| } | |
| @@ -124,9 +144,10 @@ PS_CLOSE_FUNC(user) | |
| PS_READ_FUNC(user) | |
| { | |
| zval *args[1]; | |
| + int cnt = 0; | |
| STDVARS; | |
| - SESS_ZVAL_STRING((char*)key, args[0]); | |
| + SESS_ZVAL_STRING(PS(id), args[0]); | |
| retval = ps_call_handler(PSF(read), 1, args TSRMLS_CC); | |
| diff --git a/ext/session/mod_user.h b/ext/session/mod_user.h | |
| index ea1980a..a25fa6d 100644 | |
| --- a/ext/session/mod_user.h | |
| +++ b/ext/session/mod_user.h | |
| @@ -24,6 +24,6 @@ | |
| extern ps_module ps_mod_user; | |
| #define ps_user_ptr &ps_mod_user | |
| -PS_FUNCS(user); | |
| +PS_FUNCS_SID(user); | |
| #endif | |
| diff --git a/ext/session/php_session.h b/ext/session/php_session.h | |
| index 29b50b2..4f8827b 100644 | |
| --- a/ext/session/php_session.h | |
| +++ b/ext/session/php_session.h | |
| @@ -39,6 +39,8 @@ | |
| /* default create id function */ | |
| PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS); | |
| +/* default session id validation function */ | |
| +PHPAPI int php_session_validate_key(const char *key); | |
| typedef struct ps_module_struct { | |
| const char *s_name; | |
| @@ -75,7 +77,7 @@ typedef struct ps_module_struct { | |
| #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \ | |
| ps_delete_##x, ps_gc_##x, php_session_create_id | |
| -/* SID enabled module handler definitions */ | |
| +/* SID creation enabled module handler definitions */ | |
| #define PS_FUNCS_SID(x) \ | |
| PS_OPEN_FUNC(x); \ | |
| PS_CLOSE_FUNC(x); \ | |
| @@ -89,6 +91,12 @@ typedef struct ps_module_struct { | |
| #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \ | |
| ps_delete_##x, ps_gc_##x, ps_create_sid_##x | |
| +enum { | |
| + PS_HASH_FUNC_MD5, | |
| + PS_HASH_FUNC_SHA1, | |
| + PS_HASH_FUNC_OTHER | |
| +}; | |
| + | |
| typedef enum { | |
| php_session_disabled, | |
| php_session_none, | |
| @@ -145,6 +153,8 @@ typedef struct _php_ps_globals { | |
| int send_cookie; | |
| int define_sid; | |
| zend_bool invalid_session_id; /* allows the driver to report about an invalid session id and request id regeneration */ | |
| + | |
| + zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */ | |
| } php_ps_globals; | |
| typedef php_ps_globals zend_ps_globals; | |
| diff --git a/ext/session/session.c b/ext/session/session.c | |
| index 6d5acb9..911cc02 100644 | |
| --- a/ext/session/session.c | |
| +++ b/ext/session/session.c | |
| @@ -297,12 +297,6 @@ static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ | |
| static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; | |
| -enum { | |
| - PS_HASH_FUNC_MD5, | |
| - PS_HASH_FUNC_SHA1, | |
| - PS_HASH_FUNC_OTHER | |
| -}; | |
| - | |
| /* returns a pointer to the byte after the last valid character in out */ | |
| static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */ | |
| { | |
| @@ -491,6 +485,41 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ | |
| } | |
| /* }}} */ | |
| +/* Default char validation function allowed by ps_modules. | |
| + * If you change the logic here, please also update the error message in | |
| + * ps_modules appropriately */ | |
| +PHPAPI int php_session_validate_key(const char *key) /* {{{ */ | |
| +{ | |
| + size_t len; | |
| + const char *p; | |
| + char c; | |
| + int ret = SUCCESS; | |
| + | |
| + for (p = key; (c = *p); p++) { | |
| + /* valid characters are a..z,A..Z,0..9 */ | |
| + if (!((c >= 'a' && c <= 'z') | |
| + || (c >= 'A' && c <= 'Z') | |
| + || (c >= '0' && c <= '9') | |
| + || c == ',' | |
| + || c == '-')) { | |
| + ret = FAILURE; | |
| + break; | |
| + } | |
| + } | |
| + | |
| + len = p - key; | |
| + | |
| + /* Somewhat arbitrary length limit here, but should be way more than | |
| + anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ | |
| + if (len == 0 || len > 128) { | |
| + ret = FAILURE; | |
| + } | |
| + | |
| + return ret; | |
| +} | |
| +/* }}} */ | |
| + | |
| + | |
| static void php_session_initialize(TSRMLS_D) /* {{{ */ | |
| { | |
| char *val; | |
| @@ -513,31 +542,19 @@ static void php_session_initialize(TSRMLS_D) /* {{{ */ | |
| return; | |
| } | |
| - /* If there is no ID, use session module to create one */ | |
| - if (!PS(id)) { | |
| -new_session: | |
| - PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC); | |
| - if (PS(use_cookies)) { | |
| - PS(send_cookie) = 1; | |
| - } | |
| - } | |
| - | |
| /* Read data */ | |
| /* Question: if you create a SID here, should you also try to read data? | |
| * I'm not sure, but while not doing so will remove one session operation | |
| * it could prove usefull for those sites which wish to have "default" | |
| * session information. */ | |
| php_session_track_init(TSRMLS_C); | |
| - PS(invalid_session_id) = 0; | |
| if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == SUCCESS) { | |
| php_session_decode(val, vallen TSRMLS_CC); | |
| efree(val); | |
| - } else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */ | |
| - PS(invalid_session_id) = 0; | |
| - efree(PS(id)); | |
| - PS(id) = NULL; | |
| - goto new_session; | |
| } | |
| + /* We should not address read failure here, since it may cause infinate | |
| + * loop by db/storage/network/etc errors depending on save handler's implementation. | |
| + */ | |
| } | |
| /* }}} */ | |
| @@ -803,6 +820,7 @@ PHP_INI_BEGIN() | |
| STD_PHP_INI_BOOLEAN("session.cookie_httponly", "", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) | |
| STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) | |
| STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) | |
| + STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) | |
| STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) | |
| STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) | |
| STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) | |
| @@ -1709,9 +1727,9 @@ static PHP_FUNCTION(session_save_path) | |
| static PHP_FUNCTION(session_id) | |
| { | |
| char *name = NULL; | |
| - int name_len; | |
| + int name_len, argc = ZEND_NUM_ARGS(); | |
| - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|s", &name, &name_len) == FAILURE) { | |
| + if (zend_parse_parameters(argc TSRMLS_CC, "|s", &name, &name_len) == FAILURE) { | |
| return; | |
| } | |
| @@ -1722,10 +1740,14 @@ static PHP_FUNCTION(session_id) | |
| } | |
| if (name) { | |
| - if (PS(id)) { | |
| - efree(PS(id)); | |
| + if (PS(use_strict_mode) && argc) { | |
| + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot set session ID when session.use_strict_mode is enabled"); | |
| + } else { | |
| + if (PS(id)) { | |
| + efree(PS(id)); | |
| + } | |
| + PS(id) = estrndup(name, name_len); | |
| } | |
| - PS(id) = estrndup(name, name_len); | |
| } | |
| } | |
| /* }}} */ | |
| diff --git a/ext/session/tests/003.phpt b/ext/session/tests/003.phpt | |
| index 677a958..8a03686 100644 | |
| --- a/ext/session/tests/003.phpt | |
| +++ b/ext/session/tests/003.phpt | |
| @@ -4,6 +4,7 @@ session object deserialization | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/004.phpt b/ext/session/tests/004.phpt | |
| index 3e6de25..7d7b1e5 100644 | |
| --- a/ext/session/tests/004.phpt | |
| +++ b/ext/session/tests/004.phpt | |
| @@ -4,6 +4,7 @@ session_set_save_handler test | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.name=PHPSESSID | |
| diff --git a/ext/session/tests/005.phpt b/ext/session/tests/005.phpt | |
| index 4e6682c..045feea 100644 | |
| --- a/ext/session/tests/005.phpt | |
| +++ b/ext/session/tests/005.phpt | |
| @@ -4,6 +4,7 @@ custom save handler, multiple session_start()s, complex data structure test. | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.name=PHPSESSID | |
| diff --git a/ext/session/tests/006.phpt b/ext/session/tests/006.phpt | |
| index 9ab28f6..eb96dd2 100644 | |
| --- a/ext/session/tests/006.phpt | |
| +++ b/ext/session/tests/006.phpt | |
| @@ -4,6 +4,7 @@ correct instantiation of references between variables in sessions | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/007.phpt b/ext/session/tests/007.phpt | |
| index 54768e2..c59af0e 100644 | |
| --- a/ext/session/tests/007.phpt | |
| +++ b/ext/session/tests/007.phpt | |
| @@ -5,6 +5,7 @@ bug compatibility: unset($c) with enabled register_globals | |
| --INI-- | |
| register_long_arrays=1 | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/008-php4.2.3.phpt b/ext/session/tests/008-php4.2.3.phpt | |
| index 9464ecd..61de4db 100644 | |
| --- a/ext/session/tests/008-php4.2.3.phpt | |
| +++ b/ext/session/tests/008-php4.2.3.phpt | |
| @@ -7,6 +7,7 @@ bug compatibility: global is used albeit register_globals=0 | |
| --INI-- | |
| register_long_arrays=1 | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=0 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/009.phpt b/ext/session/tests/009.phpt | |
| index 1a7e87c..9cde97f 100644 | |
| --- a/ext/session/tests/009.phpt | |
| +++ b/ext/session/tests/009.phpt | |
| @@ -5,6 +5,7 @@ unset($_SESSION["name"]); should work with register_globals=off | |
| --INI-- | |
| register_long_arrays=1 | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=0 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/012.phpt b/ext/session/tests/012.phpt | |
| index b52333a..7c50e2f 100644 | |
| --- a/ext/session/tests/012.phpt | |
| +++ b/ext/session/tests/012.phpt | |
| @@ -4,6 +4,7 @@ registering $_SESSION should not segfault | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/013.phpt b/ext/session/tests/013.phpt | |
| index 04322f9..cc267fb 100644 | |
| --- a/ext/session/tests/013.phpt | |
| +++ b/ext/session/tests/013.phpt | |
| @@ -4,6 +4,7 @@ redefining SID should not cause warnings | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/014.phpt b/ext/session/tests/014.phpt | |
| index 09ad0f5..4f9791e 100644 | |
| --- a/ext/session/tests/014.phpt | |
| +++ b/ext/session/tests/014.phpt | |
| @@ -5,6 +5,7 @@ a script should not be able to modify session.use_trans_sid | |
| --INI-- | |
| session.use_trans_sid=0 | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.bug_compat_42=1 | |
| diff --git a/ext/session/tests/015.phpt b/ext/session/tests/015.phpt | |
| index 7d7b737..527b86b 100644 | |
| --- a/ext/session/tests/015.phpt | |
| +++ b/ext/session/tests/015.phpt | |
| @@ -6,6 +6,7 @@ use_trans_sid should not affect SID | |
| session.use_trans_sid=1 | |
| session.use_cookies=0 | |
| session.use_only_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| arg_separator.output=& | |
| session.name=PHPSESSID | |
| diff --git a/ext/session/tests/018.phpt b/ext/session/tests/018.phpt | |
| index def1f41..5ec132b 100644 | |
| --- a/ext/session/tests/018.phpt | |
| +++ b/ext/session/tests/018.phpt | |
| @@ -5,6 +5,7 @@ rewriter correctly handles attribute names which contain dashes | |
| --INI-- | |
| session.use_cookies=0 | |
| session.use_only_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.use_trans_sid=1 | |
| session.name=PHPSESSID | |
| diff --git a/ext/session/tests/019.phpt b/ext/session/tests/019.phpt | |
| index 9c4f8ca..4f0fb7f 100644 | |
| --- a/ext/session/tests/019.phpt | |
| +++ b/ext/session/tests/019.phpt | |
| @@ -4,6 +4,7 @@ serializing references test case using globals | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| register_globals=1 | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/020.phpt b/ext/session/tests/020.phpt | |
| index f43bac5..7b18424 100644 | |
| --- a/ext/session/tests/020.phpt | |
| +++ b/ext/session/tests/020.phpt | |
| @@ -5,6 +5,7 @@ rewriter uses arg_seperator.output for modifying URLs | |
| --INI-- | |
| session.use_cookies=0 | |
| session.use_only_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.use_trans_sid=1 | |
| arg_separator.output="&" | |
| diff --git a/ext/session/tests/021.phpt b/ext/session/tests/021.phpt | |
| index 1ad3c5d..e199972 100644 | |
| --- a/ext/session/tests/021.phpt | |
| +++ b/ext/session/tests/021.phpt | |
| @@ -5,6 +5,7 @@ rewriter handles form and fieldset tags correctly | |
| --INI-- | |
| session.use_cookies=0 | |
| session.use_only_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.use_trans_sid=1 | |
| url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset=" | |
| diff --git a/ext/session/tests/023.phpt b/ext/session/tests/023.phpt | |
| index 42b1e5b..592b4a8 100644 | |
| --- a/ext/session/tests/023.phpt | |
| +++ b/ext/session/tests/023.phpt | |
| @@ -4,6 +4,7 @@ session object deserialization | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.serialize_handler=php | |
| session.save_handler=files | |
| diff --git a/ext/session/tests/024.phpt b/ext/session/tests/024.phpt | |
| index 2ad2606..2b273e2 100644 | |
| --- a/ext/session/tests/024.phpt | |
| +++ b/ext/session/tests/024.phpt | |
| @@ -4,6 +4,7 @@ session_set_save_handler test | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.name=PHPSESSID | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/025.phpt b/ext/session/tests/025.phpt | |
| index 4fd095f..a9ad8fb 100644 | |
| --- a/ext/session/tests/025.phpt | |
| +++ b/ext/session/tests/025.phpt | |
| @@ -4,6 +4,7 @@ custom save handler, multiple session_start()s, complex data structure test. | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.name=PHPSESSID | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/026.phpt b/ext/session/tests/026.phpt | |
| index 06c135d..44f0ae0 100644 | |
| --- a/ext/session/tests/026.phpt | |
| +++ b/ext/session/tests/026.phpt | |
| @@ -4,6 +4,7 @@ correct instantiation of references between variables in sessions | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.serialize_handler=php | |
| session.save_handler=files | |
| diff --git a/ext/session/tests/027.phpt b/ext/session/tests/027.phpt | |
| index 600a992..6382852 100644 | |
| --- a/ext/session/tests/027.phpt | |
| +++ b/ext/session/tests/027.phpt | |
| @@ -4,6 +4,7 @@ unset($_SESSION["name"]); should work | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.serialize_handler=php | |
| session.save_handler=files | |
| diff --git a/ext/session/tests/030.phpt b/ext/session/tests/030.phpt | |
| index 8d0f284..32909eb 100644 | |
| --- a/ext/session/tests/030.phpt | |
| +++ b/ext/session/tests/030.phpt | |
| @@ -4,6 +4,7 @@ redefining SID should not cause warnings | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.cache_limiter= | |
| session.serialize_handler=php | |
| session.save_handler=files | |
| diff --git a/ext/session/tests/bug41600.phpt b/ext/session/tests/bug41600.phpt | |
| index 690347a..5380ee7 100644 | |
| --- a/ext/session/tests/bug41600.phpt | |
| +++ b/ext/session/tests/bug41600.phpt | |
| @@ -7,6 +7,7 @@ session.use_cookies=0 | |
| session.use_only_cookies=0 | |
| session.cache_limiter= | |
| session.use_trans_sid=1 | |
| +session.use_strict_mode=0 | |
| arg_separator.output="&" | |
| session.name=PHPSESSID | |
| session.serialize_handler=php | |
| diff --git a/ext/session/tests/session_commit_variation4.phpt b/ext/session/tests/session_commit_variation4.phpt | |
| index 57f4253..69854a6 100644 | |
| --- a/ext/session/tests/session_commit_variation4.phpt | |
| +++ b/ext/session/tests/session_commit_variation4.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_commit() function : variation | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/ext/session/tests/session_id_basic.phpt b/ext/session/tests/session_id_basic.phpt | |
| index 5cb13c2..690e4ab 100644 | |
| --- a/ext/session/tests/session_id_basic.phpt | |
| +++ b/ext/session/tests/session_id_basic.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_id() function : basic functionality | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/ext/session/tests/session_id_error.phpt b/ext/session/tests/session_id_error.phpt | |
| index 6337cb9..dc731e7 100644 | |
| --- a/ext/session/tests/session_id_error.phpt | |
| +++ b/ext/session/tests/session_id_error.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_id() function : error functionality | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/ext/session/tests/session_id_error2.phpt b/ext/session/tests/session_id_error2.phpt | |
| index 05284e7..56b840c 100644 | |
| --- a/ext/session/tests/session_id_error2.phpt | |
| +++ b/ext/session/tests/session_id_error2.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_id() function : error functionality | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/ext/session/tests/session_id_error3.phpt b/ext/session/tests/session_id_error3.phpt | |
| index fc29138..9dc1658 100644 | |
| --- a/ext/session/tests/session_id_error3.phpt | |
| +++ b/ext/session/tests/session_id_error3.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_id() function : error functionality | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/ext/session/tests/session_set_save_handler_basic.phpt b/ext/session/tests/session_set_save_handler_basic.phpt | |
| index 3897ba9..ec7ef1a 100644 | |
| --- a/ext/session/tests/session_set_save_handler_basic.phpt | |
| +++ b/ext/session/tests/session_set_save_handler_basic.phpt | |
| @@ -1,6 +1,7 @@ | |
| --TEST-- | |
| Test session_set_save_handler() function : basic functionality | |
| --INI-- | |
| +session.use_strict_mode=0 | |
| session.save_path= | |
| session.name=PHPSESSID | |
| --SKIPIF-- | |
| diff --git a/ext/session/tests/session_set_save_handler_closures.phpt b/ext/session/tests/session_set_save_handler_closures.phpt | |
| index 21b2c68..b5254fb 100755 | |
| --- a/ext/session/tests/session_set_save_handler_closures.phpt | |
| +++ b/ext/session/tests/session_set_save_handler_closures.phpt | |
| @@ -1,6 +1,7 @@ | |
| --TEST-- | |
| Test session_set_save_handler() function : using closures as callbacks | |
| --INI-- | |
| +session.use_strict_mode=0 | |
| session.save_path= | |
| session.name=PHPSESSID | |
| --SKIPIF-- | |
| diff --git a/ext/session/tests/session_set_save_handler_variation4.phpt b/ext/session/tests/session_set_save_handler_variation4.phpt | |
| index 3485f23..1b453e8 100644 | |
| --- a/ext/session/tests/session_set_save_handler_variation4.phpt | |
| +++ b/ext/session/tests/session_set_save_handler_variation4.phpt | |
| @@ -3,6 +3,7 @@ Test session_set_save_handler() function : variation | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| +session.use_strict_mode=0 | |
| session.gc_probability=1 | |
| session.gc_divisor=1 | |
| session.gc_maxlifetime=0 | |
| diff --git a/ext/session/tests/session_write_close_variation4.phpt b/ext/session/tests/session_write_close_variation4.phpt | |
| index 249c155..9076dcf 100644 | |
| --- a/ext/session/tests/session_write_close_variation4.phpt | |
| +++ b/ext/session/tests/session_write_close_variation4.phpt | |
| @@ -2,6 +2,8 @@ | |
| Test session_write_close() function : variation | |
| --SKIPIF-- | |
| <?php include('skipif.inc'); ?> | |
| +--INI-- | |
| +session.use_strict_mode=0 | |
| --FILE-- | |
| <?php | |
| diff --git a/php.ini-development b/php.ini-development | |
| index 7effd70..3abdd98 100644 | |
| --- a/php.ini-development | |
| +++ b/php.ini-development | |
| @@ -1503,6 +1503,11 @@ session.use_cookies = 1 | |
| ; http://php.net/session.use-only-cookies | |
| session.use_only_cookies = 1 | |
| +; This option forces new session ID when browser supplied uninitialized session | |
| +; ID. By enabling this option, module prevents session fixation based on adoption. | |
| +; http://php.net/session.use-strict-mode | |
| +session.use_strict_mode = 1 | |
| + | |
| ; Name of the session (used as cookie name). | |
| ; http://php.net/session.name | |
| session.name = PHPSESSID | |
| diff --git a/php.ini-production b/php.ini-production | |
| index 499807a..c52cb8b 100644 | |
| --- a/php.ini-production | |
| +++ b/php.ini-production | |
| @@ -1503,6 +1503,11 @@ session.use_cookies = 1 | |
| ; http://php.net/session.use-only-cookies | |
| session.use_only_cookies = 1 | |
| +; This option forces new session ID when browser supplied uninitialized session | |
| +; ID. By enabling this option, module prevents session fixation based on adoption. | |
| +; http://php.net/session.use-strict-mode | |
| +session.use_strict_mode = 1 | |
| + | |
| ; Name of the session (used as cookie name). | |
| ; http://php.net/session.name | |
| session.name = PHPSESSID |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment