ID:               15096
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Critical
+Status:           Assigned
 Bug Type:         Session related
 Operating System: Linux i686 2.4.16 SMP
 PHP Version:      4.1.1
-Assigned To:      
+Assigned To:      yohgaki
 New Comment:

I haven't looked at this report closely, but the backtrace is similar to
one I've seen. It may be fixed by my patch. Assigned to me for now.


Previous Comments:
------------------------------------------------------------------------

[2002-01-18 10:07:10] [EMAIL PROTECTED]

Marking as critical until this is checked out.

------------------------------------------------------------------------

[2002-01-18 05:03:09] [EMAIL PROTECTED]


First some brief history: last time I developed a session-based app
with PHP 4.0.6, sometimes and without a pattern when deleting a session
the client would end up with a session cookie which said
"PHPSESSID=deleted". The next time he visited the site his session
would have the ID "deleted" and when two users triggered the same bug
they would both end up as being logged in as someone else. So I put in
a simple check in my code which would forcibly kill the session, delete
the cookie and set the new session name to something random.

A version of the code under PHP 4.1.1 crashes PHP and causes "[notice]
child pid 14151 exit signal Segmentation fault (11)" in Apache's error
log.

Here is a sample page which triggers PHP to crash: (if the html gets
messed up email me for a copy)

------------------- snip session-tester.php

<html>
<head><title>test</title>
</head>
<body>
<?php

function tableprint( $array )
{
        // this looks better than var_dump()
        echo "<table border=1>";
        while( list( $n, $v ) = each( $array ) )
        {
                echo "<tr><td>$n</td><td>$v</td></tr>\n";
        }
        echo "</table>\n";
}

        // if we got called with ?logout=true then the user wants to
        // end the session.
        if (isset($HTTP_GET_VARS["logout"]))
        {
                session_start(); // it wasnt called yet.
                session_unset();
                session_destroy();

                // REFERENCE #1 (OK)
//              setcookie(session_name(), session_id(), 0);

                // REFERENCE #2 (NOT OK) - crashes
//              setcookie(session_name());

//              different ways of doing things after logging out -
//              echoing 'you are logged out' or redirecting back
//              into a new session.
//              header("Location: /session-tester.php");
                echo "Okie, you are logged out... click <a
href=\"$HTTP_SERVER_VARS[SCRIPT_NAME]\">here</a>.</html>";
                exit;
        }
        else // user is not logging out
        {
                session_start();
                session_register("somevar");
                $HTTP_SESSION_VARS["somevar"]++;
        }
?>
        Welcome to the session tester. <br><br>
        Click <a
href="<?=$HTTP_SERVER_VARS[SCRIPT_NAME]?>?logout=true">here</a> to log
out (reset session).<br><br>
        Your session variable 'somevar' currently has the value
<?=$HTTP_SESSION_VARS["somevar"]?>.<br><br>
        Your session cookie has the following parameters:<br><br>
<?php
        $p = session_get_cookie_params();
        tableprint($p);
        echo "<br>Your \$HTTP_COOKIE_VARS contains:<br><br>";
        tableprint($HTTP_COOKIE_VARS);
?>
</body>
</html>

------------------- snip session-tester.php


When opening the page, the session is initialized. If the page is
requested with ?logout=true, we enter the critical piece of code. If
'reference #1' line is uncommented, everything works fine and the
cookie is deleted (well, in some browsers, at least) which is the
behaviour I want.

However, line reference #2 (setcookie(session_name());) when
uncommented causes the client to store the session cookie with
PHPSESSID="". On subsequent requests to the page this crashes the
server's process. There is no way that the client with the null session
ID cookie can browse this page without crashing the server process, and
there is no way that the server can delete that cookie. The client has
to close the browser to end the session and destroy the cookie and only
then it will work again. Tested on IE6, Mozilla 0.9.7, Konqueror, etc.


GDB-ing httpd -X gives this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12935)]
zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at
zend_hash.c:984
984                     *pos = ht->pListHead;
(gdb) where
#0  zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at
zend_hash.c:984
#1  0x080903bb in php_session_save_current_state () at session.c:544
#2  0x08092530 in php_session_flush () at session.c:1381
#3  0x08092553 in zm_deactivate_session (type=1, module_number=12) at
session.c:1393
#4  0x080f1011 in module_registry_cleanup (module=0x824a1a8) at
zend_API.c:1165
#5  0x080f296c in zend_hash_apply (ht=0x81efaa0, apply_func=0x80f0fe4
<module_registry_cleanup>) at zend_hash.c:675
#6  0x080ee5b1 in zend_deactivate_modules () at zend.c:585
#7  0x0806e22f in php_request_shutdown (dummy=0x0) at main.c:723
#8  0x080f6ca3 in apache_php_module_main (r=0x8284840,
display_source_mode=0) at sapi_apache.c:96
#9  0x0806c750 in send_php ()
#10 0x0806c79e in send_parsed_php ()
#11 0x0814d83f in ap_invoke_handler ()
#12 0x0815c57f in process_request_internal ()
#13 0x0810f11b in mod_gzip_redir1_handler ()
#14 0x0810e18a in mod_gzip_handler ()
#15 0x0814d83f in ap_invoke_handler ()
#16 0x0815c57f in process_request_internal ()
#17 0x0815c5e2 in ap_process_request ()
#18 0x0815614c in child_main ()
#19 0x081562cb in make_child ()
#20 0x081563dc in startup_children ()
#21 0x081568d9 in standalone_main ()
#22 0x08157004 in main ()
#23 0x4071c306 in __libc_start_main (main=0x8156cf8 <main>, argc=2,
ubp_av=0xbffffcf4, init=0x8069878 <_init>, fini=0x8175b90 <_fini>,
    rtld_fini=0x4000d2dc <_dl_fini>, stack_end=0xbffffcec) at
../sysdeps/generic/libc-start.c:129


PHP was compiled with  './configure'
'--prefix=/usr/local/superuser/php' '--with-apache=../apache_1.3.22'
'--enable-track-vars'
'--with-config-file-path=/usr/local/superuser/conf'
'--enable-safe-mode' '--enable-sigchild' '--with-gd' '--with-jpeg-dir'
'--with-zlib' '--with-oci8=/opt/oracle/8i/u01/app/oracle/product/8.1.5'
'--enable-apc' '--without-mysql'

And apache is 1.3.22 compiled with mod_gzip, mod_php4, mod_ssl,
mod_setenvif, mod_so, mod_usertrack, mod_headers, mod_expires,
mod_cern_meta, mod_proxy, mod_auth_anon, mod_auth, mod_access,
mod_rewrite, mod_alias, mod_speling, mod_actions, mod_imap, mod_cgi,
mod_dir, mod_autoindex, mod_include, mod_info, mod_status,
mod_negotiation, mod_mime, mod_mime_magic, mod_log_referer,
mod_log_agent, mod_log_config, mod_env, http_core.

Since I'm using Oci8, yes, I did link apache with libpthread.

Any other info required -> e-mail me.

Goran.
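Added example, not part of Goran's report and not PHP's own code: a page-level version of the "simple check" the report describes, written so an application never hands an empty or "deleted" session ID to session_start() and so logout expires the cookie with a past date instead of calling setcookie(session_name()) with no value (the "reference #2" line above). It is written for a current PHP (7.3 or later, for the array form of setcookie()), not the 4.1.1 in the report; the ID pattern and its length bounds are this example's own assumptions, and the function names are hypothetical.

```php
<?php
// Added example, not code from bug #15096 or from the PHP project.
// Requires PHP 7.3+ (array form of setcookie()). All function names
// here are the example's own, apart from the standard session_* calls.

// Rejects ids an application should never accept from a cookie: the empty
// string the reporter's clients ended up with, the literal "deleted" that
// older setcookie() calls emit, and anything outside the alphabet PHP's own
// id generator uses ([A-Za-z0-9,-]). The 22..128 length bound is an
// assumption chosen to cover every session.sid_bits_per_character setting.
function session_id_is_wellformed($id)
{
    if (!is_string($id) || $id === '' || $id === 'deleted') {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9,-]{22,128}\z/', $id) === 1;
}

// Expire the cookie with an empty value and a date in the past, keeping the
// same path/domain/flags the session module would use, so the browser
// actually drops it. This is the "reference #1" idea done properly.
function expire_session_cookie($name)
{
    $p = session_get_cookie_params();
    setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
}

// Start the session, discarding a malformed cookie so PHP generates a fresh
// id instead of trusting (or, in 4.1.1, crashing on) the client's value.
function start_validated_session()
{
    // Strict mode makes PHP itself refuse ids that do not exist in the save
    // handler, which also closes the "two users both log in as someone else
    // under the id 'deleted'" scenario from the report.
    ini_set('session.use_strict_mode', '1');

    $name = session_name();
    if (isset($_COOKIE[$name]) && !session_id_is_wellformed($_COOKIE[$name])) {
        unset($_COOKIE[$name]);       // session_start() takes the id from $_COOKIE
        expire_session_cookie($name); // and tell the browser to drop it too
    }
    session_start();
}

// Logout: clear the data, destroy the server-side record, expire the cookie.
function logout()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_validated_session();
    }
    $_SESSION = [];
    session_destroy();
    expire_session_cookie(session_name());
}

// Minimal driver mirroring the reporter's session-tester.php.
if (isset($_GET['logout'])) {
    logout();
    echo "Okie, you are logged out.";
    exit;
}
start_validated_session();
$_SESSION['somevar'] = ($_SESSION['somevar'] ?? 0) + 1;
echo "somevar = " . (int) $_SESSION['somevar'];
```

The two halves matter independently: the validation keeps a client-supplied id from reaching the session layer at all (where, in the report, an empty id leads to a NULL hash table in php_session_save_current_state), and the explicit expiry avoids the half-deleted cookie states the report observed in several browsers. On a current PHP, session.use_strict_mode alone already refuses unknown ids; the pattern check is the cheap extra that also covers the "deleted" value.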

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=15096&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php