Php 5.5 strict session collision detection #368

Closed

@yohgaki
Contributor

commented Jun 25, 2013

This patch implements

https://wiki.php.net/rfc/strict_sessions
CVE-2011-4718

Yasuo Ohgaki added 2 commits Jun 25, 2013
@yohgaki

Contributor Author

commented Jun 25, 2013

This can be cherry-picked for master.

@weltling

Contributor

commented Jun 27, 2013

These tests fail for me on Windows x64, obviously test bugs

ext\session\tests\016.phpt
========DIFF========
001+ Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path
is correct (123;:/really\completely:::/invalid;;,23123;213) in C:\php-sdk\php55\vc11\x64\yohgaki\ext\session\tests\016.php on line 6
001- Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path
is correct (123;:/really\completely:::/invalid;;,23123;213) in %s on line %d
========DONE========

ext\session\tests\session_save_path_variation2.phpt]
========DIFF========
004+ Warning: session_start(): open(/blah\sess_a2d2824f8a0fd3fc9a468101743bb4cc, O_RDWR) failed: No such file or directory (2) in C:\php-sdk\php55\vc11\x64\yohgaki\ext\session\tests\session_save_path_variation2.php on line 15
004- Warning: session_start(): open(/blah/%s, O_RDWR) failed: No such file or directory (2) in %s on line %d
========DONE========

@yohgaki

Contributor Author

commented Jun 27, 2013

Thank you for testing with Windows!
I guess these 2 tests are skipped tests because they are Windows-only tests.

The test scripts need to be adjusted. I'll have a look.

@yohgaki

Contributor Author

commented Jun 27, 2013

@weltling

ext\session\tests\session_save_path_variation2.phpt

This error is simply a path separator char issue. I changed '/blah/' to '/blah'.

ext\session\tests\016.phpt

I don't know why this one produces a diff. It says the 1st line of output differs.

001+ Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path
is correct (123;:/really\completely:::/invalid;;,23123;213) in C:\php-sdk\php55\vc11\x64\yohgaki\ext\session\tests\016.php on line 6
001- Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path
is correct (123;:/really\completely:::/invalid;;,23123;213) in %s on line %

Could you paste the contents of ext\session\tests\016.log?

@weltling

Contributor

commented Jun 28, 2013

@yohgaki that's the original file: http://belski.net/phpz/pulls/yohgaki/ext/session/tests/016.log. Looks like GitHub swallowed some chars.

@yohgaki

Contributor Author

commented Jun 28, 2013

Thank you for uploading the log. Now I see an additional "/".
I don't know where it came from, but I'll dig into it.

Anyway, it seems the patch is fine for Windows also.

@smalyshev

Contributor

commented Aug 5, 2013

replaced by #401

@php-pulls


commented Aug 5, 2013

Comment on behalf of stas at php.net:

merged

@php-pulls php-pulls closed this Aug 5, 2013