From: [EMAIL PROTECTED]
Operating system: W2K server SP2 or NT4 SP6 work.
PHP version: 4.3.0
PHP Bug Type: Scripting Engine problem
Bug description: Stack seems compromised when using Sessions
Take the code that follows and save it in a file called test.php.
If you now call the file via a web browser, PHP will write a strange
string. This is due to the session registering done in case 0 of the
switch. It should print "test_variable=".
The strange thing happens when you register a variable which has been
assigned from another variable that is itself unset.
And it happens only the first time the browser hits the page; on a
refresh everything works.
<?php
/**
 * Identity helper: hands back the href it was given, unchanged.
 *
 * @param string $hr  value to return
 * @return string     the same value
 */
function MakeHref($hr) {
    $href = $hr;
    return $href;
}
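/**
 * Emit a minimal HTML page that shows the value of $parms.
 *
 * The call site builds $parms from $test_variable, which with
 * register_globals = On (see the php.ini below) can come straight from the
 * request, so the value is HTML-escaped before it is echoed into the page.
 *
 * @param string $parms  text to display; escaped with htmlspecialchars()
 * @param int    $size   unused; kept so the existing call site still works
 * @param int    $status unused; kept so the existing call site still works
 * @return void          writes the page to standard output
 */
function NormalFunction($parms, $size, $status) {
    // ENT_QUOTES also escapes the single quotes the value is wrapped in below.
    $safe = htmlspecialchars($parms, ENT_QUOTES);
    echo "<HTML>\n";
    echo "<BODY>\n";
    echo "parms='" . $safe . "'\n";
    echo "</BODY>\n";
    echo "</HTML>\n";
}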
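// Reproduction case for the report above. None of $status, $funcname or
// $test_variable is assigned in this script: with register_globals = On (see
// the php.ini below) a request parameter of the same name would populate it,
// otherwise it is simply undefined. error_reporting masks E_NOTICE, so the
// "undefined variable" notices are not shown.
session_start();
// $status is undefined here, so switch() compares NULL with 0, which matches
// under PHP's loose comparison and runs case 0.
switch ($status) {
    case 0:
        $f_caller = isset($funcname) ? $funcname:"";
        //$f_test_variable = isset($test_variable) ? $test_variable:"";
        // comment this and uncomment the line above to make it work
        $f_test_variable = $test_variable;
        // since $test_variable is not set, it seems that memory gets upset
        // session_register() takes variable *names* and binds the globals of
        // that name into the session (it was removed in later PHP versions).
        session_register("f_test_variable");
        session_register("f_caller");
        NormalFunction("test_variable=$test_variable", 120, 10);
        break;
}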
?>
This is my php.ini:
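[PHP]
; Enable the PHP scripting language engine under Apache.
engine = On
; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
short_open_tag = On
; Allow ASP-style <% %> tags.
asp_tags = Off
; The number of significant digits displayed in floating point numbers.
precision = 14
; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
y2k_compliance = Off
output_buffering = 4096
output_handler =
zlib.output_compression = Off
implicit_flush = Off
allow_call_time_pass_reference = Off
; safe_mode was never a real isolation boundary; Off is fine, but do not rely
; on the safe_mode_* settings below for separation between scripts.
safe_mode = Off
safe_mode_gid = Off
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions =
highlight.string = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600
highlight.bg = #FFFFFF
highlight.default = #0000CC
highlight.html = #000000
; On: every response carries an X-Powered-By header naming the PHP version.
; Off is the usual choice outside a development box.
expose_php = On
; Maximum execution time of each script, in seconds
max_execution_time = 30
; Maximum amount of memory a script may consume (8MB)
memory_limit = 8M
; E_NOTICE is masked, so the "undefined variable" notices the test script
; above would raise for $status and $test_variable are never reported.
error_reporting = E_ALL & ~E_NOTICE
; Both display_* settings send error text (file paths included) to the
; browser. Outside development keep them Off and rely on log_errors = On.
display_errors = On
display_startup_errors = On
log_errors = On
track_errors = Off
variables_order = "GPCS"
; On: every request parameter is imported as a PHP global, so a variable the
; script never initialises (e.g. $status in the test script above) can be set
; by the client. The reproduction case depends on this, so it stays On here;
; Off is the safe setting.
register_globals = On
register_argc_argv = Off
post_max_size = 8M
gpc_order = "GPC"
; Backslash-escapes quotes in request data. Not a substitute for escaping at
; the point of use (SQL placeholders, htmlspecialchars(), ...).
magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
user_dir =
; Relative path; where it resolves depends on the working directory of the
; server process. An absolute path is less ambiguous.
extension_dir = ./extensions
; On: scripts may load further extensions at runtime through dl().
enable_dl = On
file_uploads = On
upload_max_filesize = 2M
; On: fopen()/include can open remote URLs, so any include path built from
; request data becomes a remote-code-inclusion risk.
allow_url_fopen = On
; Repeated "extension" keys are PHP's own list convention (php.ini keeps every
; occurrence); a generic last-wins INI parser would keep only the final line.
extension=php_gd2.dll
extension=php_oracle.dll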
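[Syslog]
define_syslog_variables = Off
[mail function]
SMTP = localhost
; "[EMAIL PROTECTED]" is a redaction artefact of the mailing-list archive, not
; the value that was actually configured.
sendmail_from = [EMAIL PROTECTED]
[Java]
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
; Keep the default_* credentials empty: any script on this server can read
; them back with ini_get() or phpinfo(), so database credentials belong in the
; application's own protected configuration, not in php.ini.
mysql.default_user =
mysql.default_password =
[mSQL]
msql.allow_persistent = On
msql.max_persistent = -1
msql.max_links = -1
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
[Sybase]
sybase.allow_persistent = On
sybase.max_persistent = -1
sybase.max_links = -1
sybase.min_error_severity = 10
sybase.min_message_severity = 10
sybase.compatability_mode = Off
[Sybase-CT]
sybct.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
sybct.max_persistent = -1
; Maximum number of links (persistent + non-persistent). -1 means no limit.
sybct.max_links = -1
; Minimum server message severity to display.
sybct.min_server_severity = 10
; Minimum client message severity to display.
sybct.min_client_severity = 10
[bcmath]
; Number of decimal digits for all bcmath functions.
bcmath.scale = 0
[browscap]
;browscap = extra/browscap.ini
[Informix]
; Default host for ifx_connect() (doesn't apply in safe mode).
ifx.default_host =
; Default user for ifx_connect() (doesn't apply in safe mode).
ifx.default_user =
; Default password for ifx_connect() (doesn't apply in safe mode).
; Same advice as for mysql.default_password: leave it empty.
ifx.default_password =
; Allow or prevent persistent links.
ifx.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
ifx.max_persistent = -1
; Maximum number of links (persistent + non-persistent). -1 means no limit.
ifx.max_links = -1
; If on, select statements return the contents of a text blob instead of its id.
ifx.textasvarchar = 0
; If on, select statements return the contents of a byte blob instead of its id.
ifx.byteasvarchar = 0
; Trailing blanks are stripped from fixed-length char columns. May help the
; life of Informix SE users.
ifx.charasvarchar = 0
; If on, the contents of text and byte blobs are dumped to a file instead of
; keeping them in memory.
ifx.blobinfile = 0
; NULL's are returned as empty strings, unless this is set to 1. In that case,
; NULL's are returned as string 'NULL'.
ifx.nullformat = 0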
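[Session]
; Handler used to store/retrieve data.
session.save_handler = files
; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
; The files hold serialized session data, so the directory should be writable
; only by the web server account and must not be served over HTTP.
session.save_path = d:/PHP/sessiondata
; Whether to use cookies.
session.use_cookies = 1
; Name of the session (used as cookie name).
session.name = PHPSESSID
; Initialize session on request startup.
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
; The path for which the cookie is valid.
session.cookie_path = /
; The domain for which the cookie is valid.
session.cookie_domain =
; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php
; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =
; How many bytes to read from the file.
session.entropy_length = 0
; Specified here to create the session id.
session.entropy_file =
; With entropy_length = 0 no extra entropy is mixed into session ids. The
; commented-out example below assumes /dev/urandom, which does not exist on
; the Windows hosts named at the top of this report, so do not enable it
; there unchanged.
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
; Set to {nocache,private,public} to determine HTTP caching aspects.
; NOTE(review): "nxcache" is not one of the documented values and looks like a
; typo for "nocache"; confirm which cache headers PHP 4.3 emits for an
; unrecognised limiter before assuming session pages are not cached.
session.cache_limiter = nxcache
; Document expires after n minutes.
session.cache_expire = 180
; 0 keeps the session id out of rewritten URLs, where it would otherwise leak
; through Referer headers and server logs; url_rewriter.tags only applies
; when this is 1.
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"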
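[MSSQL]
; Allow or prevent persistent links.
mssql.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
mssql.max_persistent = -1
; Maximum number of links (persistent+non persistent). -1 means no limit.
mssql.max_links = -1
; Minimum error severity to display.
mssql.min_error_severity = 10
; Minimum message severity to display.
mssql.min_message_severity = 10
; Compatability mode with old versions of PHP 3.0.
mssql.compatability_mode = Off
; Valid range 0 - 2147483647. Default = 4096.
;mssql.textlimit = 4096
; Valid range 0 - 2147483647. Default = 4096.
;mssql.textsize = 4096
; Limits the number of records in each batch. 0 = all records in one batch.
;mssql.batchsize = 0
[Assertion]
[Ingres II]
; Allow or prevent persistent links.
ingres.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
ingres.max_persistent = -1
; Maximum number of links, including persistents. -1 means no limit.
ingres.max_links = -1
; Default database (format: [node_id::]dbname[/srv_class]).
ingres.default_database =
; Default user.
ingres.default_user =
; Default password.
; Keep this empty: any script can read it back with ini_get().
ingres.default_password =
[Verisign Payflow Pro]
; Default Payflow Pro server.
pfpro.defaulthost = "test-payflow.verisign.com"
; Default port to connect to.
pfpro.defaultport = 443
; Default timeout in seconds.
pfpro.defaulttimeout = 30
; Default proxy IP address (if required).
;pfpro.proxyaddress =
; Default proxy port.
;pfpro.proxyport =
; Default proxy logon.
;pfpro.proxylogon =
; Default proxy password.
;pfpro.proxypassword =
[Sockets]
; Use the system read() function instead of the php_read() wrapper.
sockets.use_system_read = On
[com]
; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
;com.typelib_file =
; allow Distributed-COM calls
; true lets scripts instantiate COM objects on remote machines; keep it false
; unless an application actually needs DCOM.
com.allow_dcom = true
; NOTE(review): this unprefixed key looks like a leftover copy of
; com.allow_dcom above; it does not match any com.* directive I can identify,
; so it is probably ignored -- verify and drop it.
allow_dcom = true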
--
Edit bug report at http://bugs.php.net/?id=21657&edit=1