From:             [EMAIL PROTECTED]
Operating system: Linux i686 2.4.16 SMP
PHP version:      4.1.1
PHP Bug Type:     Session related
Bug description:  Sessions with null session ID in the cookie crash PHP


First some brief history: last time I developed a session-based app with
PHP 4.0.6, sometimes and without a pattern when deleting a session the
client would end up with a session cookie which said "PHPSESSID=deleted".
The next time he visited the site his session would have the ID "deleted"
and when two users triggered the same bug they would both end up as being
logged in as someone else. So I put in a simple check in my code which
would forcibly kill the session, delete the cookie and set the new session
name to something random.

A version of the code under PHP 4.1.1 crashes PHP and causes "[notice]
child pid 14151 exit signal Segmentation fault (11)" in Apache's error
log.

Here is a sample page which triggers PHP to crash (if the HTML gets
mangled, email me for a copy):

------------------- snip session-tester.php

<html>
<head><title>test</title>
</head>
<body>
<?php

function tableprint( $array )
{
        // this looks better than var_dump()
        echo "<table border=1>";
        while( list( $n, $v ) = each( $array ) )
        {
                echo "<tr><td>$n</td><td>$v</td></tr>\n";
        }
        echo "</table>\n";
}

        // if we got called with ?logout=true then the user wants to end the session.
        if (isset($HTTP_GET_VARS["logout"]))
        {
                session_start(); // it wasn't called yet.
                session_unset();
                session_destroy();

                // REFERENCE #1 (OK)
//              setcookie(session_name(), session_id(), 0);

                // REFERENCE #2 (NOT OK) - crashes
//              setcookie(session_name());

//              different ways of doing things after logging out - echoing
//              'you are logged out' or redirecting back into a new session.
//              header("Location: /session-tester.php");
                echo "Okie, you are logged out... click <a href=\"$HTTP_SERVER_VARS[SCRIPT_NAME]\">here</a>.</html>";
                exit;
        }
        else // user is not logging out
        {
                session_start();
                session_register("somevar");
                $HTTP_SESSION_VARS["somevar"]++;
        }
?>
        Welcome to the session tester. <br><br>
        Click <a href="<?=$HTTP_SERVER_VARS[SCRIPT_NAME]?>?logout=true">here</a> to log out (reset session).<br><br>
        Your session variable 'somevar' currently has the value <?=$HTTP_SESSION_VARS["somevar"]?>.<br><br>
        Your session cookie has the following parameters:<br><br>
<?php
        $p = session_get_cookie_params();
        tableprint($p);
        echo "<br>Your \$HTTP_COOKIE_VARS contains:<br><br>";
        tableprint($HTTP_COOKIE_VARS);
?>
</body>
</html>

------------------- snip session-tester.php


When opening the page, the session is initialized. If the page is
requested with ?logout=true, we enter the critical piece of code. If
'reference #1' line is uncommented, everything works fine and the cookie
is deleted (well, in some browsers, at least) which is the behaviour I
want.

However, line reference #2 (setcookie(session_name());) when uncommented
causes the client to store the session cookie with PHPSESSID="". On
subsequent requests to the page this crashes the server's process. There
is no way that the client with the null session ID cookie can browse this
page without crashing the server process, and there is no way that the
server can delete that cookie. The client has to close the browser to end
the session and destroy the cookie and only then it will work again.
Tested on IE6, Mozilla 0.9.7, Konqueror, etc.


GDB-ing httpd -X gives this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12935)]
zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at
zend_hash.c:984
984                     *pos = ht->pListHead;
(gdb) where
#0  zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at
zend_hash.c:984
#1  0x080903bb in php_session_save_current_state () at session.c:544
#2  0x08092530 in php_session_flush () at session.c:1381
#3  0x08092553 in zm_deactivate_session (type=1, module_number=12) at
session.c:1393
#4  0x080f1011 in module_registry_cleanup (module=0x824a1a8) at
zend_API.c:1165
#5  0x080f296c in zend_hash_apply (ht=0x81efaa0, apply_func=0x80f0fe4
<module_registry_cleanup>) at zend_hash.c:675
#6  0x080ee5b1 in zend_deactivate_modules () at zend.c:585
#7  0x0806e22f in php_request_shutdown (dummy=0x0) at main.c:723
#8  0x080f6ca3 in apache_php_module_main (r=0x8284840,
display_source_mode=0) at sapi_apache.c:96
#9  0x0806c750 in send_php ()
#10 0x0806c79e in send_parsed_php ()
#11 0x0814d83f in ap_invoke_handler ()
#12 0x0815c57f in process_request_internal ()
#13 0x0810f11b in mod_gzip_redir1_handler ()
#14 0x0810e18a in mod_gzip_handler ()
#15 0x0814d83f in ap_invoke_handler ()
#16 0x0815c57f in process_request_internal ()
#17 0x0815c5e2 in ap_process_request ()
#18 0x0815614c in child_main ()
#19 0x081562cb in make_child ()
#20 0x081563dc in startup_children ()
#21 0x081568d9 in standalone_main ()
#22 0x08157004 in main ()
#23 0x4071c306 in __libc_start_main (main=0x8156cf8 <main>, argc=2,
ubp_av=0xbffffcf4, init=0x8069878 <_init>, fini=0x8175b90 <_fini>,
    rtld_fini=0x4000d2dc <_dl_fini>, stack_end=0xbffffcec) at
../sysdeps/generic/libc-start.c:129


PHP was compiled with './configure' '--prefix=/usr/local/superuser/php'
'--with-apache=../apache_1.3.22' '--enable-track-vars'
'--with-config-file-path=/usr/local/superuser/conf' '--enable-safe-mode'
'--enable-sigchild' '--with-gd' '--with-jpeg-dir' '--with-zlib'
'--with-oci8=/opt/oracle/8i/u01/app/oracle/product/8.1.5' '--enable-apc'
'--without-mysql'

And apache is 1.3.22 compiled with mod_gzip, mod_php4, mod_ssl,
mod_setenvif, mod_so, mod_usertrack, mod_headers, mod_expires,
mod_cern_meta, mod_proxy, mod_auth_anon, mod_auth, mod_access,
mod_rewrite, mod_alias, mod_speling, mod_actions, mod_imap, mod_cgi,
mod_dir, mod_autoindex, mod_include, mod_info, mod_status,
mod_negotiation, mod_mime, mod_mime_magic, mod_log_referer, mod_log_agent,
mod_log_config, mod_env, http_core.

Since I'm using Oci8, yes, I did link apache with libpthread.

Any other info required -> e-mail me.

Goran.

-- 
Edit bug report at: http://bugs.php.net/?id=15096&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
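The two failure modes in the report above, a client left with PHPSESSID=deleted that several users then share, and a bare setcookie(session_name()) that leaves the client with PHPSESSID="", both come from letting whatever the browser sends in the cookie become the session id unchecked. The following is an added example, not code from the bug report or from PHP itself, of a logout handler and a pre-session_start() guard that validate the incoming id and expire the cookie with the same path and domain it was set with. It uses the $_GET, $_COOKIE, $_SESSION and $_SERVER superglobals introduced in PHP 4.1.0 instead of the $HTTP_*_VARS arrays in the test page; valid_session_id(), expire_session_cookie() and start_clean_session() are names chosen for this example, and the accepted id character set and length range are assumptions modelled on what PHP's default session handler generates.

```php
<?php
// Added example, not from the bug report or from PHP's own sources.
// Assumes the default cookie-based session handling; the cookie name
// comes from session_name() (PHPSESSID unless php.ini changes it).

// Accept only ids that look like ones PHP's default handler generates.
// Hypothetical helper: the character set and 22..128 length range are
// assumptions for this example, tight enough to reject "" and "deleted".
function valid_session_id($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

// Expire the session cookie with the same path/domain it was issued with,
// so the browser drops it instead of keeping a second cookie on another path.
// A past expiry plus a placeholder value is the difference between
// REFERENCE #1 and REFERENCE #2 in the test page: setcookie(session_name())
// alone ships an empty value, which the client then sends back on every request.
function expire_session_cookie()
{
    $p = session_get_cookie_params();
    setcookie(session_name(), 'x', time() - 86400, $p['path'], $p['domain']);
}

// Start a session, replacing a missing, empty or malformed cookie id with a
// fresh random one rather than letting session_start() adopt the client's value.
function start_clean_session()
{
    $name = session_name();
    $id = isset($_COOKIE[$name]) ? $_COOKIE[$name] : '';
    if (!valid_session_id($id)) {
        // session_id() must be set before session_start(); md5(uniqid()) is
        // the same shape PHP 4's own generator produced, used here as an assumption.
        session_id(md5(uniqid(mt_rand(), true)));
    }
    session_start();
}

if (isset($_GET['logout'])) {
    start_clean_session();
    $_SESSION = array();        // drop server-side data before destroying the store
    session_destroy();
    expire_session_cookie();
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

start_clean_session();
if (!isset($_SESSION['somevar'])) {
    $_SESSION['somevar'] = 0;
}
$_SESSION['somevar']++;
echo 'somevar = ' . (int) $_SESSION['somevar'];
```

Both "deleted" (too short) and the empty string fail valid_session_id(), so a request carrying either gets a fresh id and session_start() never sees the value the report shows crashing 4.1.1 at shutdown. Because the client cannot be trusted to honour the expiry (the report notes some browsers keep the cookie), the guard before session_start() is what actually protects the server; the cookie expiry is only a courtesy to well-behaved browsers.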