From 46c64ac9f2b08b0367b4e05683ed5029d1636ed9 Mon Sep 17 00:00:00 2001
From: Yasuo Ohgaki
Date: Fri, 11 Nov 2016 12:18:54 +0900
Subject: [PATCH] Protect class based session save handler
---
 ext/session/mod_user_class.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/ext/session/mod_user_class.c b/ext/session/mod_user_class.c
index b132552faf..595338d299 100644
--- a/ext/session/mod_user_class.c
+++ b/ext/session/mod_user_class.c
@@ -53,6 +53,7 @@ PHP_METHOD(SessionHandler, open)
 }
 PS(mod_user_is_open) = 1;
+ PS(in_save_handler) = 1;
 zend_try {
 ret = PS(default_mod)->s_open(&PS(mod_data), save_path, session_name);
@@ -61,6 +62,7 @@ PHP_METHOD(SessionHandler, open)
 zend_bailout();
 } zend_end_try();
+ PS(in_save_handler) = 0;
 RETVAL_BOOL(SUCCESS == ret);
 }
 /* }}} */
@@ -78,6 +80,7 @@ PHP_METHOD(SessionHandler, close)
 zend_parse_parameters_none();
 PS(mod_user_is_open) = 0;
+ PS(in_save_handler) = 1;
 zend_try {
 ret = PS(default_mod)->s_close(&PS(mod_data));
@@ -86,6 +89,7 @@ PHP_METHOD(SessionHandler, close)
 zend_bailout();
 } zend_end_try();
+ PS(in_save_handler) = 0;
 RETVAL_BOOL(SUCCESS == ret);
 }
 /* }}} */
@@ -116,6 +120,7 @@ PHP_METHOD(SessionHandler, read)
 PHP_METHOD(SessionHandler, write)
 {
 zend_string *key, *val;
+ zend_bool ret;
 PS_SANITY_CHECK_IS_OPEN;
@@ -123,7 +128,11 @@ PHP_METHOD(SessionHandler, write)
 return;
 }
- RETURN_BOOL(SUCCESS == PS(default_mod)->s_write(&PS(mod_data), key, val, PS(gc_maxlifetime)));
+ PS(in_save_handler) = 1;
+ ret = PS(default_mod)->s_write(&PS(mod_data), key, val, PS(gc_maxlifetime));
+ PS(in_save_handler) = 0;
+
+ RETURN_BOOL(SUCCESS == ret);
 }
 /* }}} */
@@ -132,6 +141,7 @@ PHP_METHOD(SessionHandler, write)
 PHP_METHOD(SessionHandler, destroy)
 {
 zend_string *key;
+ zend_bool ret;
 PS_SANITY_CHECK_IS_OPEN;
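Review bot: In the `@@ -61,6 +62,7 @@` hunk of `SessionHandler::open`, the reset `PS(in_save_handler) = 0;` is placed after `zend_end_try()`, but the visible catch branch ends in `zend_bailout();`, so on a bailout the flag is never cleared; the `close` hunk at `@@ -86,6 +89,7 @@` has the same shape. Unless the flag is reset elsewhere (request init and shutdown are not part of this patch), later session calls in the same request, for example from shutdown functions, would still see what appears to be a re-entrancy guard set. Adding `PS(in_save_handler) = 0;` immediately before each `zend_bailout();` closes that path. The `write`, `destroy`, `gc`, `create_sid` and `updateTimestamp` hunks call the default handler with no `zend_try` at all, so they need either the same wrapper or a reset in the session start-up code. The catch block itself begins outside the hunk.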
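Review bot: `zend_bool ret;` added in `write` (`@@ -116,6 +120,7 @@`) stores the handler's status result, which the following hunk compares with `SUCCESS`; a status that can be `FAILURE` is not a boolean, and narrowing it into `zend_bool` gives the right answer only because the comparison is against `SUCCESS`. Declare it as `int ret;`, presumably matching the `ret` already used by `open` and `close` (their declarations are outside the hunks). The same declaration is added in `destroy` (`@@ -132,6 +141,7 @@`) and `updateTimestamp` (`@@ -203,6 +222,7 @@`).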
@@ -139,7 +149,11 @@ PHP_METHOD(SessionHandler, destroy)
 return;
 }
- RETURN_BOOL(SUCCESS == PS(default_mod)->s_destroy(&PS(mod_data), key));
+ PS(in_save_handler) = 1;
+ ret = PS(default_mod)->s_destroy(&PS(mod_data), key);
+ PS(in_save_handler) = 0;
+
+ RETURN_BOOL(SUCCESS == ret);
 }
 /* }}} */
@@ -156,9 +170,12 @@ PHP_METHOD(SessionHandler, gc)
 return;
 }
+ PS(in_save_handler) = 1;
 if (PS(default_mod)->s_gc(&PS(mod_data), maxlifetime, &nrdels) == FAILURE) {
+ PS(in_save_handler) = 0;
 RETURN_FALSE;
 }
+ PS(in_save_handler) = 0;
 RETURN_LONG(nrdels);
 }
 /* }}} */
@@ -175,7 +192,9 @@ PHP_METHOD(SessionHandler, create_sid)
 return;
 }
+ PS(in_save_handler) = 1;
 id = PS(default_mod)->s_create_sid(&PS(mod_data));
+ PS(in_save_handler) = 0;
 RETURN_STR(id);
 }
@@ -203,6 +222,7 @@ PHP_METHOD(SessionHandler, validateId)
 PHP_METHOD(SessionHandler, updateTimestamp)
 {
 zend_string *key, *val;
+ zend_bool ret;
 PS_SANITY_CHECK_IS_OPEN;
@@ -210,7 +230,11 @@ PHP_METHOD(SessionHandler, updateTimestamp)
 return;
 }
+ PS(in_save_handler) = 1;
+ ret = PS(default_mod)->s_write(&PS(mod_data), key, val, PS(gc_maxlifetime));
+ PS(in_save_handler) = 0;
+
 /* Legacy save handler may not support update_timestamp API. Just write. */
- RETVAL_BOOL(SUCCESS == PS(default_mod)->s_write(&PS(mod_data), key, val, PS(gc_maxlifetime)));
+ RETVAL_BOOL(SUCCESS == ret);
 }
 /* }}} */
--
2.50.1
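Review bot: In the `gc` hunk (`@@ -156,9 +170,12 @@`) the reset `PS(in_save_handler) = 0;` is written twice, once inside the failure branch and once after it, so any exit path added later has to remember another copy or the guard stays set. Capturing the result first gives a single set/reset pair like the other methods: `ret = PS(default_mod)->s_gc(&PS(mod_data), maxlifetime, &nrdels);`, then `PS(in_save_handler) = 0;`, then `if (ret == FAILURE) {`, with `int ret;` declared at the top of the function. The start of the function lies outside the hunk.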
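Review bot: The context comment `/* Legacy save handler may not support update_timestamp API. Just write. */` used to explain why `s_write` is called, but in the `updateTimestamp` hunk (`@@ -210,7 +230,11 @@`) the call has moved above it and the comment now sits over `RETVAL_BOOL(SUCCESS == ret);`, where it no longer explains anything. Move the comment to directly above `ret = PS(default_mod)->s_write(&PS(mod_data), key, val, PS(gc_maxlifetime));`, so the reason for writing instead of updating the timestamp stays attached to the write.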