Fixed bug #74514 5 session functions incorrectly warn when calling in read-only/getter mode

Author: Yasuo Ohgaki

NEWS

@@ -19,6 +19,10 @@ PHP                                                                        NEWS
 - SPL:
   . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
 
+- Session:
+  . Fixed bug #74514 (5 session functions incorrectly warn when calling in
+    read-only/getter mode). (Yasuo)
+
 - Standard:
   . Add support for extension name as argument to dl().
     (francois at tekwire dot net)

UPGRADING

@@ -86,6 +86,13 @@ PHP 7.2 UPGRADE NOTES
         session_start()
     . Session no longer initialize $_SESSION for invalid and useless session.
         session_start()
+    . When headers are already sent and try to set new INI values, session_name(),
+      session_module_name(), session_save_path(), session_cache_limiter() and
+      session_cache_expire() are no longer works. Older PHPs accepts new values even
+      if new values will not be effective.
+      This new corrected behavior may affect command line mode CLI scripts that manage
+      sessions. Use output buffer just like web applications to resolve problems on
+      CLI scripts.
 
 
 ========================================

ext/session/session.c

@@ -1762,7 +1762,7 @@ static PHP_FUNCTION(session_name)
 		RETURN_FALSE;
 	}
 
-	if (SG(headers_sent)) {
+	if (name && SG(headers_sent)) {
 		php_error_docref(NULL, E_WARNING, "Cannot change session name when headers already sent");
 		RETURN_FALSE;
 	}
@@ -1793,7 +1793,7 @@ static PHP_FUNCTION(session_module_name)
 		RETURN_FALSE;
 	}
 
-	if (SG(headers_sent)) {
+	if (name && SG(headers_sent)) {
 		php_error_docref(NULL, E_WARNING, "Cannot change save handler module when headers already sent");
 		RETURN_FALSE;
 	}
@@ -2004,7 +2004,7 @@ static PHP_FUNCTION(session_save_path)
 		RETURN_FALSE;
 	}
 
-	if (SG(headers_sent)) {
+	if (name && SG(headers_sent)) {
 		php_error_docref(NULL, E_WARNING, "Cannot change save path when headers already sent");
 		RETURN_FALSE;
 	}
@@ -2232,7 +2232,7 @@ static PHP_FUNCTION(session_cache_limiter)
 		RETURN_FALSE;
 	}
 
-	if (SG(headers_sent)) {
+	if (limiter && SG(headers_sent)) {
 		php_error_docref(NULL, E_WARNING, "Cannot change cache limiter when headers already sent");
 		RETURN_FALSE;
 	}
@@ -2263,7 +2263,7 @@ static PHP_FUNCTION(session_cache_expire)
 		RETURN_LONG(PS(cache_expire));
 	}
 
-	if (SG(headers_sent)) {
+	if (expires && SG(headers_sent)) {
 		php_error_docref(NULL, E_WARNING, "Cannot change cache expire when headers already sent");
 		RETURN_FALSE;
 	}

ext/session/tests/bug74514.phpt

@@ -0,0 +1,34 @@
+--TEST--
+Bug #74514 5 session functions incorrectly warn when calling in read-only/getter mode.
+--SKIPIF--
+<?php
+include('skipif.inc');
+?>
+--FILE--
+<?php
+/*
+CLI ignores HTTP headers at all, i.e. does not output any HTTP headers,
+but it still uses SG(headers_sent).
+
+CLI works as Web server, so SG(headers_sent) cannot be ignored nor changed.
+Therefore, once HTTP header is considered as sent, these functions emits
+'headers already sent' errors if they try to set new values.
+
+Older PHPs(<7.2) did not care about this misuse on Web SAPI.
+*/
+var_dump(session_name('foo'));
+var_dump(session_name());
+var_dump(session_module_name());
+var_dump(session_save_path());
+var_dump(session_cache_limiter());
+var_dump(session_cache_expire());
+?>
+===DONE===
+--EXPECT--
+string(9) "PHPSESSID"
+string(3) "foo"
+string(5) "files"
+string(0) ""
+string(7) "nocache"
+int(180)
+===DONE===