Fixed bug #66827 Session raises E_NOTICE when session name variable is array #725
Conversation
|
I have to work on removing offensive cookie. I'll add this later. |
…as it can. To be perfect, all combinations of possible cookie pattern should be deleted.
|
Cookie spec is broken by design. This is known for years. This patch removes unwanted E_NOTICE error. Therefore, apps will not catch error and die. This patch also try to remove offensive cookie. However, to remove offensive cookie"s" completely, it should try to remove all possible combinations, path (including all parents), domain (including all subdomains), secure flag on/off, httponly flat on/off. It only tries to remove cookie with defined attributes. Failure to remove offensive cookie results in uninitialized session. It may be the time to write a function that delete all cookies. Please note that even if I write the function, DoS with offensive cookie is possible still (with path and domain combinations). I'm not sure if it worthes the effort. |
|
Hmm. Why travis complains COOKIE_SET_COOKIE is undefined? It's defined in the same file and compiles w/o problem locally. It seems travis is trying to compile different file, since I have COOKIE_SET_COOKIE in different lines. |
|
Travis is trying to compile against master. That's the reason why it fails. |
|
because the PR is targeted against master. |
|
Thanks. I have branch that branched from local PHP-5.4 branch. It should be OK with PHP-5.4 branch. I'll commit this directly to the repository later. |
|
you could just create a new pull request with a correct target so we can see the potential test failures before the merge, but I suppose you tested it properly in local. |
|
Since any offensive cookie is not deleted w/o this patch, session module will be confused by the cookie. $_COOKIE['PHPSESSID'] = array() will raise array to string conversion E_NOTICE error. $_COOKIE['PHPSESSID'] = array() has forms of setcookie('PHPSESSID[]', 'whatever'). Session module's session ID cookie never overwrite PHPSESSID[] because session module sends PHPSESSID which is a different cookie. Depending on order of sent cookies, PHPSESSID[] will always overrides PHPSESSID. Therefore, apps that detects errors may results in fatal error always. (I treat any errors and unhandled exceptions as fatal in my apps, for example) Since PHPSESSID may never set, session module cannot initialize session. Therefore, the user may never login apps. It's not a system wide DoS, but a user specific DoS. |
|
I didn't add error logging for this, since there are only a few places that log errors. However, this kind of malformed data is most certainly an attack, so it would be better to log what is happening. I'll add error logging for this. [yohgaki@dev github-php-src]$ grep error_log ext//.c |
|
Oops, there aren't any code that logs error w/o error event. I think this should be discussed on the list. |
|
I liked the patch fine without the "cookie seek & destroy" code; doesn't a new cookie value get sent by the server when it gets rejected? |
|
New cookie is sent regardless of this patch and cookie is set. It's just ignored by precedence unless offensive cookie is removed. |
|
Attack is possible when apps are vulnerable to JavaScript injection. We may simply ignore offensive cookie and document how/why this kind of issue occurs. |
|
https://travis-ci.org/yohgaki/php-src/builds/30296976 This is the patch for master. It includes type mismatch E_NOTICE error removal only. I'll commit this to 5.4 and up later. |
|
https://travis-ci.org/yohgaki/php-src/builds/30296976 |
Fixed possible user specific DoS.
https://bugs.php.net/bug.php?id=66827