Skip to content

Commit 3071d85

Browse files
iluuu1994iluuu1994
committed
PS(mod_user_class_name) must not leak into next request
Fixes GH-9584
1 parent bda449a commit 3071d85

File tree

3 files changed

+64
-0
lines changed

3 files changed

+64
-0
lines changed

‎NEWS‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,10 @@ PHP NEWS
1515
- Sockets:
1616
. Fixed socket constants regression as of PHP 8.2.0beta3. (Bruce Dou)
1717

18+
- Session:
19+
. Fixed GH-9584 (Avoid memory corruption when not unregistering custom session
20+
handler). (ilutov)
21+
1822
15 Sep 2022, PHP 8.2.0RC2
1923

2024
- Core:

‎ext/session/session.c‎

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,11 @@ static inline void php_rshutdown_session_globals(void) /* {{{ */
142142
PS(session_vars) = NULL;
143143
}
144144

145+
if (PS(mod_user_class_name)) {
146+
zend_string_release(PS(mod_user_class_name));
147+
PS(mod_user_class_name) = NULL;
148+
}
149+
145150
/* User save handlers may end up directly here by misuse, bugs in user script, etc. */
146151
/* Set session status to prevent error while restoring save handler INI value. */
147152
PS(session_status) = php_session_none;

‎ext/session/tests/gh9584.phpt‎

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
--TEST--
2+
GH-9584: PS(mod_user_class_name) must not leak into next request
3+
--EXTENSIONS--
4+
session
5+
--SKIPIF--
6+
<?php include('skipif.inc'); ?>
7+
--FILE--
8+
<?php
9+
10+
class MySessionHandler extends SessionHandler implements SessionUpdateTimestampHandlerInterface
11+
{
12+
public function open($path, $sessname): bool {
13+
return true;
14+
}
15+
16+
public function close(): bool {
17+
return true;
18+
}
19+
20+
public function read($sessid): string|false {
21+
return 'foo|s:3:"foo";';
22+
}
23+
24+
public function write($sessid, $sessdata): bool {
25+
return false;
26+
}
27+
28+
public function destroy($sessid): bool {
29+
return true;
30+
}
31+
32+
public function gc($maxlifetime): int|false {
33+
return true;
34+
}
35+
36+
public function create_sid(): string {
37+
return sha1(random_bytes(32));
38+
}
39+
40+
public function validateId($sid): bool {
41+
return true;
42+
}
43+
44+
public function updateTimestamp($sessid, $sessdata): bool {
45+
return false;
46+
}
47+
}
48+
49+
$handler = new MySessionHandler();
50+
session_set_save_handler($handler);
51+
52+
?>
53+
===DONE===
54+
--EXPECT--
55+
===DONE===

0 commit comments

Comments
 (0)