Convert session_name from char to zend_string

Also fixed a bug where nul bytes where not properly checked

Author: Girgias

Zend/Optimizer/zend_func_infos.h

@@ -419,7 +419,6 @@ static const func_info_t func_infos[] = {
 #if defined(HAVE_HISTORY_LIST)
 	F1("readline_list_history", MAY_BE_ARRAY|MAY_BE_ARRAY_KEY_LONG|MAY_BE_ARRAY_OF_STRING),
 #endif
-	F1("session_name", MAY_BE_STRING|MAY_BE_FALSE),
 	F1("session_module_name", MAY_BE_STRING|MAY_BE_FALSE),
 	F1("session_save_path", MAY_BE_STRING|MAY_BE_FALSE),
 	F1("session_create_id", MAY_BE_STRING|MAY_BE_FALSE),

ext/session/php_session.h

@@ -141,7 +141,7 @@ typedef struct _php_session_rfc1867_progress {
 
 typedef struct _php_ps_globals {
 	char *save_path;
-	char *session_name;
+	zend_string *session_name;
 	zend_string *id;
 	zend_string *extern_referer_chk;
 	zend_string *cache_limiter;

ext/session/session.c

@@ -390,7 +390,7 @@ static zend_result php_session_initialize(void) /* {{{ */
 	}
 
 	/* Open session handler first */
-	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)) == FAILURE
+	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), ZSTR_VAL(PS(session_name))) == FAILURE
 		/* || PS(mod_data) == NULL */ /* FIXME: open must set valid PS(mod_data) with success */
 	) {
 		php_session_abort();
@@ -664,24 +664,41 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
 
-	/* Numeric session.name won't work at all */
-	if ((!ZSTR_LEN(new_value) || is_numeric_string(ZSTR_VAL(new_value), ZSTR_LEN(new_value), NULL, NULL, 0))) {
-		int err_type;
+	int err_type;
 
-		if (stage == ZEND_INI_STAGE_RUNTIME || stage == ZEND_INI_STAGE_ACTIVATE || stage == ZEND_INI_STAGE_STARTUP) {
-			err_type = E_WARNING;
-		} else {
-			err_type = E_ERROR;
-		}
+	if (stage == ZEND_INI_STAGE_RUNTIME || stage == ZEND_INI_STAGE_ACTIVATE || stage == ZEND_INI_STAGE_STARTUP) {
+		err_type = E_WARNING;
+	} else {
+		err_type = E_ERROR;
+	}
 
+	if (ZSTR_LEN(new_value) == 0) {
+		/* Do not output error when restoring ini options. */
+		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
+			php_error_docref(NULL, err_type, "session.name \"%s\" cannot be empty", ZSTR_VAL(new_value));
+		}
+		return FAILURE;
+	}
+	/* Nul bytes are not allowed */
+	if (ZSTR_LEN(new_value) != strlen(ZSTR_VAL(new_value))) {
+		/* Do not output error when restoring ini options. */
+		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
+			php_error_docref(NULL, err_type, "session.name \"%s\" cannot contain nul bytes", ZSTR_VAL(new_value));
+		}
+		return FAILURE;
+	}
+	/* Numeric session.name won't work at all */
+	if (is_numeric_str_function(new_value, NULL, NULL)) {
 		/* Do not output error when restoring ini options. */
 		if (stage != ZEND_INI_STAGE_DEACTIVATE) {
 			php_error_docref(NULL, err_type, "session.name \"%s\" cannot be numeric or empty", ZSTR_VAL(new_value));
 		}
 		return FAILURE;
 	}
 
-	return OnUpdateStringUnempty(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+	zend_string **p = (zend_string **) ZEND_INI_GET_ADDR();
+    *p = new_value;
+	return SUCCESS;
 }
 /* }}} */
 
@@ -1278,9 +1295,10 @@ static void php_session_remove_cookie(void) {
 	size_t session_cookie_len;
 	size_t len = sizeof("Set-Cookie")-1;
 
-	ZEND_ASSERT(strpbrk(PS(session_name), "=,; \t\r\n\013\014") == NULL);
-	spprintf(&session_cookie, 0, "Set-Cookie: %s=", PS(session_name));
+	ZEND_ASSERT(strpbrk(ZSTR_VAL(PS(session_name)), "=,; \t\r\n\013\014") == NULL);
+	spprintf(&session_cookie, 0, "Set-Cookie: %s=", ZSTR_VAL(PS(session_name)));
 
+	// TODO Manually compute from known information?
 	session_cookie_len = strlen(session_cookie);
 	current = l->head;
 	while (current) {
@@ -1325,8 +1343,9 @@ static zend_result php_session_send_cookie(void) /* {{{ */
 		return FAILURE;
 	}
 
+	// TODO need to Check for nul byte?
 	/* Prevent broken Set-Cookie header, because the session_name might be user supplied */
-	if (strpbrk(PS(session_name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+	if (strpbrk(ZSTR_VAL(PS(session_name)), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
 		php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,; \\t\\r\\n\\013\\014'");
 		return FAILURE;
 	}
@@ -1335,7 +1354,7 @@ static zend_result php_session_send_cookie(void) /* {{{ */
 	e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)));
 
 	smart_str_appendl(&ncookie, "Set-Cookie: ", sizeof("Set-Cookie: ")-1);
-	smart_str_appendl(&ncookie, PS(session_name), strlen(PS(session_name)));
+	smart_str_append(&ncookie, PS(session_name));
 	smart_str_appendc(&ncookie, '=');
 	smart_str_appendl(&ncookie, ZSTR_VAL(e_id), ZSTR_LEN(e_id));
 
@@ -1461,7 +1480,7 @@ PHPAPI zend_result php_session_reset_id(void) /* {{{ */
 	if (PS(define_sid)) {
 		smart_str var = {0};
 
-		smart_str_appends(&var, PS(session_name));
+		smart_str_append(&var, PS(session_name));
 		smart_str_appendc(&var, '=');
 		smart_str_appends(&var, ZSTR_VAL(PS(id)));
 		smart_str_0(&var);
@@ -1489,18 +1508,15 @@ PHPAPI zend_result php_session_reset_id(void) /* {{{ */
 			(data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
 			ZVAL_DEREF(data);
 			if (Z_TYPE_P(data) == IS_ARRAY &&
-				(ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), strlen(PS(session_name))))) {
+				(ppid = zend_hash_find(Z_ARRVAL_P(data), PS(session_name)))) {
 				ZVAL_DEREF(ppid);
 				apply_trans_sid = 0;
 			}
 		}
 	}
 	if (apply_trans_sid) {
-		zend_string *sname;
-		sname = zend_string_init(PS(session_name), strlen(PS(session_name)), 0);
-		php_url_scanner_reset_session_var(sname, 1); /* This may fail when session name has changed */
-		zend_string_release_ex(sname, 0);
-		php_url_scanner_add_session_var(PS(session_name), strlen(PS(session_name)), ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 1);
+		php_url_scanner_reset_session_var(PS(session_name), 1); /* This may fail when session name has changed */
+		php_url_scanner_add_session_var(ZSTR_VAL(PS(session_name)), ZSTR_LEN(PS(session_name)), ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id)), 1);
 	}
 	return SUCCESS;
 }
@@ -1512,7 +1528,6 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 	zval *ppid;
 	zval *data;
 	char *p, *value;
-	size_t lensess;
 
 	switch (PS(session_status)) {
 		case php_session_active:
@@ -1547,8 +1562,6 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 			PS(send_cookie) = PS(use_cookies) || PS(use_only_cookies);
 	}
 
-	lensess = strlen(PS(session_name));
-
 	/*
 	 * Cookies are preferred, because initially cookie and get
 	 * variables will be available.
@@ -1560,7 +1573,7 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 	if (!PS(id)) {
 		if (PS(use_cookies) && (data = zend_hash_str_find(&EG(symbol_table), "_COOKIE", sizeof("_COOKIE") - 1))) {
 			ZVAL_DEREF(data);
-			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+			if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_find(Z_ARRVAL_P(data), PS(session_name)))) {
 				ppid2sid(ppid);
 				PS(send_cookie) = 0;
 				PS(define_sid) = 0;
@@ -1570,13 +1583,13 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 		if (!PS(use_only_cookies)) {
 			if (!PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1))) {
 				ZVAL_DEREF(data);
-				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_find(Z_ARRVAL_P(data), PS(session_name)))) {
 					ppid2sid(ppid);
 				}
 			}
 			if (!PS(id) && (data = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1))) {
 				ZVAL_DEREF(data);
-				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_str_find(Z_ARRVAL_P(data), PS(session_name), lensess))) {
+				if (Z_TYPE_P(data) == IS_ARRAY && (ppid = zend_hash_find(Z_ARRVAL_P(data), PS(session_name)))) {
 					ppid2sid(ppid);
 				}
 			}
@@ -1586,11 +1599,11 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 			if (!PS(id) && zend_is_auto_global(ZSTR_KNOWN(ZEND_STR_AUTOGLOBAL_SERVER)) == SUCCESS &&
 				(data = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), "REQUEST_URI", sizeof("REQUEST_URI") - 1)) &&
 				Z_TYPE_P(data) == IS_STRING &&
-				(p = strstr(Z_STRVAL_P(data), PS(session_name))) &&
-				p[lensess] == '='
+				(p = strstr(Z_STRVAL_P(data), ZSTR_VAL(PS(session_name)))) &&
+				p[ZSTR_LEN(PS(session_name))] == '='
 				) {
 				char *q;
-				p += lensess + 1;
+				p += ZSTR_LEN(PS(session_name));
 				if ((q = strpbrk(p, "/?\\"))) {
 					PS(id) = zend_string_init(p, q - p, 0);
 				}
@@ -1671,7 +1684,7 @@ static zend_result php_session_reset(void) /* {{{ */
 PHPAPI void session_adapt_url(const char *url, size_t url_len, char **new_url, size_t *new_len) /* {{{ */
 {
 	if (APPLY_TRANS_SID && (PS(session_status) == php_session_active)) {
-		*new_url = php_url_scanner_adapt_single_url(url, url_len, PS(session_name), ZSTR_VAL(PS(id)), new_len, 1);
+		*new_url = php_url_scanner_adapt_single_url(url, url_len, ZSTR_VAL(PS(session_name)), ZSTR_VAL(PS(id)), new_len, 1);
 	}
 }
 /* }}} */
@@ -1892,7 +1905,8 @@ PHP_FUNCTION(session_name)
 		RETURN_FALSE;
 	}
 
-	RETVAL_STRING(PS(session_name));
+	// TODO Prevent duplication???
+	RETVAL_STR(zend_string_dup(PS(session_name), false));
 
 	if (name) {
 		ini_name = zend_string_init("session.name", sizeof("session.name") - 1, 0);
@@ -2267,7 +2281,7 @@ PHP_FUNCTION(session_regenerate_id)
 	zend_string_release_ex(PS(id), 0);
 	PS(id) = NULL;
 
-	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)) == FAILURE) {
+	if (PS(mod)->s_open(&PS(mod_data), PS(save_path), ZSTR_VAL(PS(session_name))) == FAILURE) {
 		PS(session_status) = php_session_none;
 		if (!EG(exception)) {
 			zend_throw_error(NULL, "Failed to open session: %s (path: %s)", PS(mod)->s_name, PS(save_path));
@@ -2935,7 +2949,7 @@ static bool early_find_sid_in(zval *dest, int where, php_session_rfc1867_progres
 		return 0;
 	}
 
-	if ((ppid = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[where]), PS(session_name), progress->sname_len))
+	if ((ppid = zend_hash_find(Z_ARRVAL(PG(http_globals)[where]), PS(session_name)))
 			&& Z_TYPE_P(ppid) == IS_STRING) {
 		zval_ptr_dtor(dest);
 		ZVAL_COPY_DEREF(dest, ppid);
@@ -3043,7 +3057,8 @@ static zend_result php_session_rfc1867_callback(unsigned int event, void *event_
 			multipart_event_start *data = (multipart_event_start *) event_data;
 			progress = ecalloc(1, sizeof(php_session_rfc1867_progress));
 			progress->content_length = data->content_length;
-			progress->sname_len  = strlen(PS(session_name));
+			// TODO Remove field?
+			progress->sname_len  = ZSTR_LEN(PS(session_name));
 			PS(rfc1867_progress) = progress;
 		}
 		break;
@@ -3065,7 +3080,7 @@ static zend_result php_session_rfc1867_callback(unsigned int event, void *event_
 			if (data->name && data->value && value_len) {
 				size_t name_len = strlen(data->name);
 
-				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
+				if (name_len == progress->sname_len && memcmp(data->name, ZSTR_VAL(PS(session_name)), name_len) == 0) {
 					zval_ptr_dtor(&progress->sid);
 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
 				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {

ext/session/tests/bug66481.phpt

@@ -15,6 +15,6 @@ var_dump(session_name("foo"));
 var_dump(session_name("bar"));
 ?>
 --EXPECT--
-Warning: PHP Startup: session.name "" cannot be numeric or empty in Unknown on line 0
+Warning: PHP Startup: session.name "" cannot be empty in Unknown on line 0
 string(9) "PHPSESSID"
 string(3) "foo"

ext/session/tests/rfc1867_sid_post.phpt

@@ -47,7 +47,7 @@ var_dump($_SESSION["upload_progress_" . basename(__FILE__)]);
 session_destroy();
 ?>
 --EXPECTF--
-string(%d) "rfc1867-sid-post"
+string(16) "rfc1867-sid-post"
 bool(true)
 array(2) {
   ["file1"]=>

ext/session/tests/session_name_variation1.phpt

@@ -38,6 +38,8 @@ ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_name() : variation ***
+
+Warning: session_name(): session.name "" cannot contain nul bytes in %s on line %d
 string(9) "PHPSESSID"
 bool(true)
 string(9) "PHPSESSID"
@@ -51,7 +53,7 @@ string(1) "	"
 bool(true)
 string(1) "	"
 
-Warning: session_name(): session.name "" cannot be numeric or empty in %s on line %d
+Warning: session_name(): session.name "" cannot be empty in %s on line %d
 string(1) "	"
 
 Warning: session_start(): session.name cannot contain any of the following '=,; \t\r\n\013\014' in %s on line %d