Fix bug #69952 (Dereferencing issue in session_start())
authorBob Weinand <bobwei9@hotmail.com>
Sun, 28 Jun 2015 14:30:58 +0000 (16:30 +0200)
committerBob Weinand <bobwei9@hotmail.com>
Sun, 28 Jun 2015 14:30:58 +0000 (16:30 +0200)
NEWS
ext/session/session.c

diff --git a/NEWS b/NEWS
index 71c9b574665193da830e8a7977dd33dbc90c6e9f..248c285a6731e2c92da13c4bc141753f386a3a4d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,13 +16,17 @@ PHP                                                                        NEWS
   . Corrected oci8 hash destructors to prevent segfaults, and a few other fixes.
     (Cameron Porter)
 
+- OpenSSL:
+  . Fixed bug #69882 (OpenSSL error "key values mismatch" after
+    openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
+
 - PCRE:
   . Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the
     string). (cmb)
 
-- OpenSSL:
-  . Fixed bug #69882 (OpenSSL error "key values mismatch" after
-    openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
+- Session:
+  . Fixed bug #69952 (Data integrity issues accessing superglobals by
+    reference). (Bob)
 
 25 Jun 2015, PHP 7.0.0 Alpha 2
 
index 66b1a8628b53e34a1d06303ff7dd51e802829727..819008c5bb60e427ef75c3e478c94daf0cb688b9 100644 (file)
@@ -1436,6 +1436,7 @@ PHPAPI const ps_serializer *_php_find_ps_serializer(char *name) /* {{{ */
 /* }}} */
 
 static void ppid2sid(zval *ppid) {
+       ZVAL_DEREF(ppid);
        if (Z_TYPE_P(ppid) == IS_STRING) {
                PS(id) = zend_string_init(Z_STRVAL_P(ppid), Z_STRLEN_P(ppid), 0);
                PS(send_cookie) = 0;
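Review bot: The new `ZVAL_DEREF(ppid);` at the top of ppid2sid carries no comment explaining why a reference can reach this function, so a later cleanup could drop it as redundant. A one-line comment would do, for example `/* superglobal entries may be IS_REFERENCE (bug #69952); unwrap before the type check */`. Separately, the string branch copies the request-supplied value straight into `PS(id)` with no length or character check visible in this hunk. Validation presumably happens later in php_session_start or in the save handler, and that is worth confirming since this value is fully client-controlled. ppid2sid's body continues past the end of the hunk.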
@@ -1547,28 +1548,26 @@ PHPAPI void php_session_start(void) /* {{{ */
         */
 
        if (!PS(id)) {
-               if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1)) &&
-                               Z_TYPE_P(data) == IS_ARRAY &&
-                               (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-               ) {
-                       ppid2sid(ppid);
-                       PS(send_cookie) = 0;
+               if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
+                       ZVAL_DEREF(data);
+                       if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+                               ppid2sid(ppid);
+                               PS(send_cookie) = 0;
+                       }
                }
 
-               if (PS(define_sid) && !PS(id) &&
-                               (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1)) &&
-                               Z_TYPE_P(data) == IS_ARRAY &&
-                               (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-               ) {
-                       ppid2sid(ppid);
+               if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1))) {
+                       ZVAL_DEREF(data);
+                       if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+                               ppid2sid(ppid);
+                       }
                }
 
-               if (PS(define_sid) && !PS(id) &&
-                               (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1)) &&
-                               Z_TYPE_P(data) == IS_ARRAY &&
-                               (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))
-               ) {
-                       ppid2sid(ppid);
+               if (PS(define_sid) && !PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1))) {
+                       ZVAL_DEREF(data);
+                       if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+                               ppid2sid(ppid);
+                       }
                }
 
                /* Check the REQUEST_URI symbol for a string of the form
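Review bot: In the rewritten `_COOKIE` block, `PS(send_cookie) = 0;` still runs unconditionally after `ppid2sid(ppid);`, so it also applies when the cookie entry is not a string. ppid2sid already sets `PS(send_cookie) = 0` on its IS_STRING path, so the caller's assignment is redundant there. For a non-string entry (for example an array-valued cookie) it overrides whatever ppid2sid's other branch decides; that branch is outside the visible hunks, so this needs checking against the full function. If the intent is "do not resend a cookie only when a usable ID was taken from it", guard it as `if (PS(id)) PS(send_cookie) = 0;` or drop the line and let ppid2sid own the flag. The `_GET` and `_POST` blocks do not have this assignment, which suggests the helper was meant to be the single place that sets it.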