From: Conor McDermottroe <cmcdermottroe@engineyard.com>
Date: Tue, 14 Jan 2014 02:08:13 +0000 (+0000)
Subject: Bug #66481 Segfaults on session_name()
X-Git-Tag: php-5.4.25RC1~15
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5662ffb295c6f9cb10768d8246f2656aae6b8abb;p=php

Bug #66481 Segfaults on session_name()

If the previous value of session.name was NULL then any call to
session_name($string) would result in a segmentation fault.

This changes the behaviour to set the value of session.name to
"PHPSESSID" if a blank value is given in php.ini or via -d on the
command line. There is already protection against setting it to NULL via
session_name() or ini_set().
---

diff --git a/ext/session/session.c b/ext/session/session.c
index 35db50ae64..5ea38475db 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -617,6 +617,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 
 static PHP_INI_MH(OnUpdateName) /* {{{ */
 {
+	/* Don't accept a blank session name from php.ini or -d session.name= */
+	if (!PG(modules_activated) && !new_value_length) {
+		/* Force the default value. */
+		new_value = "PHPSESSID";
+		new_value_length = 9;
+	}
+
 	/* Numeric session.name won't work at all */
 	if (PG(modules_activated) &&
 		(!new_value_length || is_numeric_string(new_value, new_value_length, NULL, NULL, 0))) {
diff --git a/ext/session/tests/bug66481.phpt b/ext/session/tests/bug66481.phpt
new file mode 100644
index 0000000000..0479b5ff4d
--- /dev/null
+++ b/ext/session/tests/bug66481.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #66481: Calls to session_name() segfault when session.name is null.
+--INI--
+session.name=
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+var_dump(session_name("foo"));
+var_dump(session_name("bar"));
+
+--EXPECTF--
+string(9) "PHPSESSID"
+string(3) "foo"
+