Bug #66481 Segfaults on session_name()
authorConor McDermottroe <cmcdermottroe@engineyard.com>
Tue, 14 Jan 2014 02:08:13 +0000 (02:08 +0000)
committerYasuo Ohgaki <yohgaki@php.net>
Thu, 16 Jan 2014 02:33:10 +0000 (11:33 +0900)
If the previous value of session.name was NULL then any call to
session_name($string) would result in a segmentation fault.

This changes the behaviour to set the value of session.name to
"PHPSESSID" if a blank value is given in php.ini or via -d on the
command line. There is already protection against setting it to NULL via
session_name() or ini_set().

ext/session/session.c
ext/session/tests/bug66481.phpt [new file with mode: 0644]

index 35db50ae647c48d333aaf2342ed28244e7de04ce..5ea38475db3243dc8a4e6f3bbd1af9057dae9c39 100644 (file)
@@ -617,6 +617,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 
 static PHP_INI_MH(OnUpdateName) /* {{{ */
 {
+       /* Don't accept a blank session name from php.ini or -d session.name= */
+       if (!PG(modules_activated) && !new_value_length) {
+               /* Force the default value. */
+               new_value = "PHPSESSID";
+               new_value_length = 9;
+       }
+
        /* Numeric session.name won't work at all */
        if (PG(modules_activated) &&
                (!new_value_length || is_numeric_string(new_value, new_value_length, NULL, NULL, 0))) {
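Review bot: The numeric-name check just below the added guard is still gated on `PG(modules_activated)`, so a numeric `session.name` from php.ini or `-d` is accepted at startup even though the existing comment says it won't work at all; only the blank case is forced to the default. If the same fallback is wanted there, the guard could read `if (!PG(modules_activated) && (!new_value_length || is_numeric_string(new_value, new_value_length, NULL, NULL, 0))) {`. The literal length `9` can drift from the string it describes; `new_value_length = sizeof("PHPSESSID") - 1;` keeps the two tied together. The fallback is also silent, so a misconfigured name goes unnoticed by the operator, and the stored ini value presumably stays blank while the session module uses the default, which is worth confirming. OnUpdateName's body continues outside the hunk.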
diff --git a/ext/session/tests/bug66481.phpt b/ext/session/tests/bug66481.phpt
new file mode 100644 (file)
index 0000000..0479b5f
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Bug #66481: Calls to session_name() segfault when session.name is null.
+--INI--
+session.name=
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+var_dump(session_name("foo"));
+var_dump(session_name("bar"));
+
+--EXPECTF--
+string(9) "PHPSESSID"
+string(3) "foo"
+
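Review bot: The test pins only the startup fallback and never reads the name back after the second call, so a regression where `session_name("bar")` fails to store the new value would still pass. Adding `var_dump(session_name());` with the expected line `string(3) "bar"` would close that gap. The expectation section contains no format placeholders, so `--EXPECT--` would match more strictly than `--EXPECTF--`.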