2 files changed +68 -0 lines changed
lines changed Original file line number Diff line number Diff line change @@ -2198,6 +2198,7 @@ static PHP_FUNCTION(session_create_id)
21982198 /* Detect collision and retry */
21992199 if (PS (mod )-> s_validate_sid (& PS (mod_data ), new_id ) == FAILURE ) {
22002200 zend_string_release (new_id );
2201+ new_id = NULL ;
22012202 continue ;
22022203 }
22032204 break ;
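Review bot: The added `new_id = NULL;` at new line 2201 is what keeps the released zend_string from leaving the retry loop as a dangling pointer, but nothing in the hunk says so. A short comment would stop a later cleanup from dropping the assignment as redundant, for example `/* reset so the post-loop check reports failure instead of using the freed string */`. The loop header and the code that consumes new_id after the loop are outside this hunk, so the wording should be checked against how exhausted retries are detected there.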
1+ --TEST--
2+ Bug #79091 (heap use-after-free in session_create_id())
3+ --SKIPIF--
4+ <?php
5+ if (!extension_loaded ('session ' )) die ('skip session extension not available ' );
6+ ?>
7+ --FILE--
8+ <?php
9+ class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
10+ {
11+ public function close ()
12+ {
13+ return true ;
14+ }
15+
16+ public function destroy ($ session_id )
17+ {
18+ return true ;
19+ }
20+
21+ public function gc ($ maxlifetime )
22+ {
23+ return true ;
24+ }
25+
26+ public function open ($ save_path , $ session_name )
27+ {
28+ return true ;
29+ }
30+
31+ public function read ($ session_id )
32+ {
33+ return '' ;
34+ }
35+
36+ public function write ($ session_id , $ session_data )
37+ {
38+ return true ;
39+ }
40+
41+ public function create_sid ()
42+ {
43+ return uniqid ();
44+ }
45+
46+ public function updateTimestamp ($ key , $ val )
47+ {
48+ return true ;
49+ }
50+
51+ public function validateId ($ key )
52+ {
53+ return false ;
54+ }
55+ }
56+
57+ ob_start ();
58+ var_dump (session_set_save_handler (new MySessionHandler ()));
59+ var_dump (session_start ());
60+ ob_flush ();
61+ session_create_id ();
62+ ?>
63+ --EXPECTF--
64+ bool(true)
65+ bool(true)
66+
67+ Warning: session_create_id(): Failed to create new ID in %s on line %d
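Review bot: The call on test line 61 discards the result of session_create_id(), so the test pins only the warning and not what the function returns once validateId() has rejected every retry. Dumping it, `var_dump(session_create_id());`, and adding the matching `bool(false)` line to --EXPECTF-- would also catch a regression that emits the warning yet still returns an ID built from the released string. That expected value assumes the documented false-on-failure return; the C return path is not visible on this page.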