Package: php4
Version: 4:4.1.2-7
Severity: normal
Tags: patch woody

Basically, there's a repeatable segfault in session.c in php 4.1.2. It's
documented in PHP4 bug 15168 [1], although they claim it only happens
with the mm session handler, and I triggered it with the file session
handler. (Same segfault as in the bug report.)

Anyway, I've fetched the changes that appeared in the relevant branch of
PHP CVS [2], and integrated them with a couple of fixes that appear in
the Debian/stable latest PHP4 package, and included the patch below.

It appears that this package _has_ an attempt to fix this problem
already, but I'm guessing it didn't work, so I've replaced it.

The below patch applies to ext/session/session.c. Hunk 1 is just because
that's the CVS version it's closest to (end of the line for that branch),
and Hunk 3 is whitespace fixes for consistency in the existing Debian
patch. Hunk 2 depends on the existing Debian patch, and it and Hunk 4
are the important ones.

Anyway, I can't really justify this as a security bug, since it just
causes segfaults in Apache, and short output on the screen, but it's
here in case anyone _can_ build such a case, and for documentation
purposes. As such, I don't mind if it goes +wontfix.  ^_^

--- session.c.org       Fri Mar 18 22:18:05 2005
+++ session.c   Sat Mar 19 00:56:19 2005
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: session.c,v 1.237.2.8 2002/02/26 19:32:52 derick Exp $ */
+/* $Id: session.c,v 1.237.2.11 2002/03/05 22:07:15 zeev Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
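Review bot: The $Id keyword hunk changes no code and will be rewritten by CVS on the next upstream refresh, so in a distribution patch it is a source of spurious conflicts; either drop it or note in the patch header that it records the merged branch revision (1.237.2.11) rather than relying on the keyword line itself.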
@@ -426,20 +426,20 @@
 static void php_session_track_init(TSRMLS_D)
 {
        zval **old_vars = NULL;
-       zval *session_vars = NULL;
 
        if (zend_hash_find(&EG(symbol_table), "HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS"), (void **)&old_vars) == SUCCESS && 
Z_TYPE_PP(old_vars) == IS_ARRAY) {
-         PS(http_session_vars) = *old_vars;
-         zend_hash_clean(Z_ARRVAL_P(PS(http_session_vars)));
+               PS(http_session_vars) = *old_vars;
+               zend_hash_clean(Z_ARRVAL_P(PS(http_session_vars)));
        } else {
-         if(old_vars) {
-               zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS"));
-         }
-         MAKE_STD_ZVAL(session_vars);
-         array_init(session_vars);
-         PS(http_session_vars) = session_vars;
-         ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 1, 0);
-         ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), 
PS(http_session_vars), 1, 0);
+               if(old_vars) {
+                       zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS"));
+               }
+               MAKE_STD_ZVAL(PS(http_session_vars));
+               array_init(PS(http_session_vars));
+               PS(http_session_vars)->refcount = 2;
+               PS(http_session_vars)->is_ref = 1;
+               zend_hash_update(&EG(symbol_table), "HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS"), &PS(http_session_vars), sizeof(zval *), NULL);
+               zend_hash_update(&EG(symbol_table), "_SESSION", 
sizeof("_SESSION"), &PS(http_session_vars), sizeof(zval *), NULL);
        }
 }
 
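Review bot: The two branches of php_session_track_init now leave the session array in different states: the else branch creates the zval with `refcount = 2` and `is_ref = 1` and registers it under both HTTP_SESSION_VARS and _SESSION via zend_hash_update, while the if branch takes `*old_vars` as-is without touching its refcount/is_ref or re-registering _SESSION. Confirm that _SESSION is already bound to the same zval whenever HTTP_SESSION_VARS is found as an array, or bind it in that branch too, otherwise the refcount of 2 only holds on one path. The return values of both zend_hash_update calls are also ignored; a failed update would leave PS(http_session_vars) pointing at a zval the symbol table does not own.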
@@ -1288,17 +1288,17 @@
 void session_adapt_uris(const char *src, size_t srclen, char **new, size_t 
*newlen TSRMLS_DC)
 {
        if (PS(define_sid) && (PS(session_status) == php_session_active)) {
-        char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+               char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
                *new = url_adapt_ext_ex(src, srclen, PS(session_name), 
encoded_id, newlen TSRMLS_CC);
-    }
+       }
 }
 
 void session_adapt_url(const char *url, size_t urllen, char **new, size_t 
*newlen TSRMLS_DC)
 {
        if (PS(define_sid) && (PS(session_status) == php_session_active)) {
-        char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
+               char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
                *new = url_adapt_single_url(url, urllen, PS(session_name), 
encoded_id, newlen TSRMLS_CC);
-    }
+       }
 }
 
 void session_adapt_flush(int (*write)(const char *, uint TSRMLS_DC) TSRMLS_DC)
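Review bot: This hunk is whitespace-only (re-indenting the `char *encoded_id` declarations and the closing braces in session_adapt_uris and session_adapt_url), so it should be split from the functional hunks to keep the fix reviewable and the patch easier to rebase. While looking at these lines: `encoded_id` is allocated by php_url_encode and no release of it appears within the visible block; that is pre-existing, not introduced here, but worth checking separately.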
@@ -1343,6 +1343,7 @@
        PS(id) = NULL;
        PS(session_status) = php_session_none;
        PS(mod_data) = NULL;
+       PS(http_session_vars) = NULL;
 }
 
 static void php_rshutdown_session_globals(TSRMLS_D)
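Review bot: Resetting `PS(http_session_vars) = NULL` in the per-request globals init is the right place, since the report describes this as one of the two important hunks, but the shutdown counterpart (php_rshutdown_session_globals, starting right below the hunk) is not shown; confirm it also drops its reference and clears the field, otherwise a request that tears down before php_session_track_init runs can still leave a dangling pointer for the next request to dereference.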

[1] http://bugs.php.net/bug.php?id=15168 - Ignore the random tag-on bug
on May 14th. >_<
[2] http://cvs.php.net/php-src/ext/session/session.c?r1=1.237.2.8&onb=1.237.2

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux yurika 2.4.26 #1 Mon Aug 9 23:25:59 EST 2004 i686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8

Versions of packages php4 depends on:
ii  apache-common         1.3.27-0.1.ipv6.r2 Support files for all Apache webse
ii  fileutils             4.1-10             GNU file management utilities
ii  libbz2-1.0            1.0.2-1            A high-quality block-sorting file 
ii  libc6                 2.2.5-11.8         GNU C Library: Shared libraries an
ii  libdb2                2:2.7.7.0-7        The Berkeley database routines (ru
ii  libexpat1             1.95.2-6           XML parsing C library - runtime li
ii  libmm11               1.1.3-6.2          Shared memory library
ii  libpam0g              0.72-35            Pluggable Authentication Modules l
ii  libpcre3              3.4-1.1            Philip Hazel's Perl Compatible Reg
ii  mime-support          3.18-1.3           MIME files 'mime.types' & 'mailcap
ii  zlib1g                1:1.1.4-1.0woody0  compression library - runtime

-- 
Paul "TBBle" Hampson, on an alternate email client.
