tony2001 Sun Jan 9 12:42:03 2005 EDT
Modified files:
/php-src/ext/session session.c
Log:
fix bug #31454 (session_set_save_handler crashes PHP when supplied
non-existent object ref)
http://cvs.php.net/diff.php/php-src/ext/session/session.c?r1=1.403&r2=1.404&ty=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.403 php-src/ext/session/session.c:1.404
--- php-src/ext/session/session.c:1.403 Thu Dec 9 12:15:52 2004
+++ php-src/ext/session/session.c Sun Jan 9 12:42:02 2005
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.403 2004/12/09 17:15:52 tony2001 Exp $ */
+/* $Id: session.c,v 1.404 2005/01/09 17:42:02 tony2001 Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -1361,6 +1361,7 @@
zval **args[6];
int i;
ps_user *mdata;
+ char *name;
if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) ==
FAILURE)
WRONG_PARAM_COUNT;
@@ -1368,6 +1369,14 @@
if (PS(session_status) != php_session_none)
RETURN_FALSE;
+ for (i = 0; i < 6; i++) {
+ if (!zend_is_callable(*args[i], 0, &name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument
%d is not a valid callback", i+1);
+ efree(name);
+ RETURN_FALSE;
+ }
+ }
+
zend_alter_ini_entry("session.save_handler",
sizeof("session.save_handler"), "user", sizeof("user")-1, PHP_INI_USER,
PHP_INI_STAGE_RUNTIME);
mdata = emalloc(sizeof(*mdata));
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
