Session name with . or [ silently fails instead of giving warning/error #9932
Comments
As those are converted, it s better to make aware of the code caller of the naming inadequacy.
As those are converted, it s better to make aware of the code caller of the naming inadequacy.
|
https://www.php.net/manual/en/language.variables.external.php For compatibility you must use characters allowed when creating a variable, although using the cookie you must be compatible with the url cookie_name=id_value as well as the valid syntax to create $cookie_name variables https://www.php.net/manual/en/function.setcookie.php the historical reason is register_globals automatically created the variables as not all characters are valid for the variable name we have decided to use <?php
// $var[ = 'Hello'; //invalid
// $var. = 'Hello'; //Invalid
// $var+ = 'Hello' //invalid
// $var= = 'Hello' //invalid
// $var& = 'Hello' //invalid
//$var['b'] = 'Hello' // Valid array $var and first creation of $var
//Variables variable syntax
${'var2['} = 'Hello word';
var_dump(${'var2['}); // Output Hello word and first creation of $var2[ variable
// array
// [ is %5B
$var['+%5B'] = '/some_path/index.php?a=hello word';
echo 'https://www.domain.tld' . str_replace(array('%2F', '%2f', '%3F', '%3f', '%3D', '%3d'), array('/', '/', '?', '?', '=', '='), urlencode($var['+%5B']));
echo "\r\n";
?>previously the first page use $_SESSION['hi'] = 'user'; and this explains the creation of my $t variable <?php
ob_end_clean();
$i256 = str_replace(',', '', '115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936');
error_reporting((int) $i256);
$t = true;
ob_start();
session_name('a[b]');
session_start();
ob_end_clean();
if(isset($_SESSION['hi'])) {
$t = false;
}
$text = ini_get('session.save_path') . '/sess_' . $_COOKIE['a']['b'];
function get_include_contents($filename) {
//if (is_file($filename)) {
ob_start();
include $filename;
$var = ob_get_contents();
ob_end_clean();
return $var;
//}
return false;
}
$string = get_include_contents($text);
$_SESSION['hi'] = 'user2';
var_dump($string);
?>Expected and actual result: in this example $t is true means $_SESSION not retrieved but written to the file @Sjord although php automatically creates the array of $_COOKIE['a'] (eg $_COOKIE['a']['b']) my example adapted to the code proposed above session_start(['name' => 'a[b']) and $_COOKIE['a_b'] retrieves the value directly from the file |
* master: (274 commits) Cache UTF-8-validity status of strings in GC flags Escape the role attribute of namespaced classes (php#9952) Fix phpGH-9932: Discards further characters for session name. Fix phpGH-9890: OpenSSL legacy providers not available on Windows Fix regression test for phpGH-9535 on PHP-8.2+ Fix memory leak Introduce TEST_FPM_EXTENSION_DIR for FPM tests with shared extensions [ci skip] NEWS Fix phpGH-9535 (unintended behavior change for mb_strcut in PHP 8.1) [ci skip] NEWS [ci skip] NEWS Fix phpGH-9298: remove all registered signal handlers in pcntl RSHUTDOWN Fix phpGH-9923: Add the `SIGINFO` constant in pcntl for system supporting it. Skip tests if extension or SAPI is not included. (php#9939) Remove unused PHP 8.1 BC layer in JIT (php#9937) [skip ci] Skip function JIT in nightly for ASAN [skip ci] Backport XFAIL of failing test Disable opcache file_cache for observer preloading test No more need to cater to mime_magic extension [ci skip] Fix phpGH-9918: License information for xxHash is not included in README.REDIST.BINS file ...
Description
The following code:
Resulted in no output, and $_SESSION variables are not stored.
But I expected this output instead:
Session simply reads $_COOKIE, and space
.and opening square bracket[are replaced by underscores. So setting a session name ofa.bwrites and reads a cookie calleda.b, but$_COOKIEactually containsa_b. This makes session storage silently fail.In a perfect world, session names could contain these characters, but I think a quick and easy fix is to add
.and[to the list of disallowed characters in session names, here:The documentation already says it should contain only alphanumeric characters.
PHP Version
PHP 8.2 RC 6
Operating System
Debian 11.5
The text was updated successfully, but these errors were encountered: