From: info at handyheroes dot com
Operating system: Linux with Apache/1.3.34
PHP version: 4.4.2
PHP Bug Type: Session related
Bug description: fopen() drops $_SESSION variables
Description:
------------
When using fopen() to open a URL within the same domain, all session
variables are ignored, including POST and GET.
I want to provide a link for users to send their current page. The current
page is based on their security level and company_id, which are stored as
$_SESSION['sess_perms'] and $_SESSION['sess_cid'] after they log in.
The link to send the page is provided on each page and, when clicked,
accesses the function to generate the page and then mail it via mail().
The problem is that when using fopen() or highlight_file() the session
variables are missing, so the DB query returns a full result set.
Reproduce code:
---------------
1) The Link
<?php
// Build the URL of the current page. session_id() is used for the session id
// because a bare $PHPSESSID only exists when register_globals is on.
$link = $_SERVER['PHP_SELF'] . "?main_page=" . urlencode($main_page)
      . "&PHPSESSID=" . session_id();
?>
<a href="index.php?mod=send_page&amp;main_page=send_page.php&amp;p=<?php echo rawurlencode($link); ?>">Send Page</a>

2) Function
function page_to_send() {
    global $p, $page;
    // fopen() on a URL issues a separate HTTP request from the web server.
    $p = "http://www.molloyllc.com" . $p . "&mail_ok=ok";
    $fh = fopen($p, "r");
    if ($fh === false) {
        return false;
    }
    $page = "";
    while (!feof($fh)) {
        $output = fgets($fh, 1024);
        $page = $page . "\r\n" . $output;
    }
    fclose($fh);
    return $page;
}
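An added example, not code from the bug report: instead of re-fetching the page over HTTP (the server-initiated request carries none of the browser's cookies, so the fetched page starts with an empty $_SESSION, and a PHPSESSID appended to the link ends up in referrers and server logs), render the page inside the same request with output buffering, where the user's session is already loaded. The pages directory, the allow-list of page names and the recipient variable are assumptions.

```php
<?php
// Added example, not the reporter's code. Assumes page scripts live in ./pages/
// and that the page name arrives in $_GET['main_page'] as in the bug report.
session_start();

function page_to_send_inprocess($main_page) {
    // Allow-list the page name: only known file names inside pages/, never a
    // URL or a path taken from the request, so the caller cannot redirect the
    // fetch elsewhere (list is hypothetical).
    $allowed = array('users.php', 'locations.php');
    if (!in_array($main_page, $allowed, true)) {
        return false;
    }
    // Same flag the original appended to the URL, now set for the included page.
    $_GET['mail_ok'] = 'ok';
    // Capture the page's output; the included script sees the live $_SESSION,
    // so its sess_perms / sess_cid checks run exactly as in the browser request.
    ob_start();
    include dirname(__FILE__) . '/pages/' . $main_page;
    return ob_get_clean();
}

$html = page_to_send_inprocess(isset($_GET['main_page']) ? $_GET['main_page'] : '');
if ($html === false) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$to = 'user@example.com';  // hypothetical recipient; take it from the user record
mail($to, 'Your page', $html, "Content-Type: text/html\r\n");
```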
Expected result:
----------------
fopen() opens the supplied URL and then, based on the user's security level and
company, should return a list of data from a MySQL query based on the
$_SESSION variables. EXAMPLE
if ($_SESSION['sess_perms'] == "Staff") {
    $query  = "select uid,realname,email,client_id,location_id,phone from users";
    $query .= " where client_id=\"" . $_SESSION['sess_cid'] . "\" ";
}
This should return a list of employees for that company only.
Actual result:
--------------
Returns all employees from DB. This is the $GLOBALS dump
--
Edit bug report at http://bugs.php.net/?id=37261&edit=1