Skip to content

Actually fix GH-9583 #9638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Actually fix GH-9583 #9638

wants to merge 2 commits into from
+69 −14

Conversation

Girgias
Copy link
Member

@Girgias Girgias commented Sep 29, 2022

The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set Add another regression test to ensure current working behaviour is not broken (which was by the previous incorrect fix)

@Girgias Girgias requested a review from cmb69 September 29, 2022 12:34
cmb69
cmb69 reviewed Sep 29, 2022
View reviewed changes
Copy link
Member

@cmb69 cmb69 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That actually looks correct. While I don't like to refer to mod_user_names in session.c, that ship has obviously sailed long ago. However, the implementation of session_regenerate_id() might also need that hack:

php-src/ext/session/session.c

Lines 2250 to 2270 in 8e1cef4

PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
if (!PS(id)) {
PS(session_status) = php_session_none;
if (!EG(exception)) {
zend_throw_error(NULL, "Failed to create new session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
}
RETURN_THROWS();
}
if (PS(use_strict_mode) && PS(mod)->s_validate_sid &&
PS(mod)->s_validate_sid(&PS(mod_data), PS(id)) == SUCCESS) {
zend_string_release_ex(PS(id), 0);
PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
if (!PS(id)) {
PS(mod)->s_close(&PS(mod_data));
PS(session_status) = php_session_none;
if (!EG(exception)) {
zend_throw_error(NULL, "Failed to create session ID by collision: %s (path: %s)", PS(mod)->s_name, PS(save_path));
}
RETURN_THROWS();
}
}

Otherwise we would always create the session ID twice for mod_user.

@cmb69
Copy link
Member

cmb69 commented Sep 29, 2022

Oh, and please delete the comment /* This is not used yet */ just above the definition of PHP_FUNCTION(session_create_id) – obviously it is used now.

@Girgias
Actually fix phpGH-9583

Verified

This commit was signed with the committer’s verified signature.
iluuu1994 Ilija Tovilo
GPG key ID: A4F5D403F118200A
Verified
Learn about vigilant mode
1f81a3b 
The issue is that PS(mod)->s_validate_sid is always defined for user modules, thus we need to check that the actual callable is set
Add another regression test to ensure current working behaviour is not broken (which was by the previous incorrect fix)
@Girgias
Also amend session_regenerate_id()

Verified

This commit was signed with the committer’s verified signature.
iluuu1994 Ilija Tovilo
GPG key ID: A4F5D403F118200A
Verified
Learn about vigilant mode
0c07c55
@Girgias Girgias force-pushed the sessionhandler-tests branch from 39e7219 to 0c07c55 Compare September 30, 2022 11:23
@Girgias
Copy link
Member Author

Girgias commented Sep 30, 2022

That actually looks correct. While I don't like to refer to mod_user_names in session.c, that ship has obviously sailed long ago. However, the implementation of session_regenerate_id() might also need that hack:

php-src/ext/session/session.c

Lines 2250 to 2270 in 8e1cef4

PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
if (!PS(id)) {
PS(session_status) = php_session_none;
if (!EG(exception)) {
zend_throw_error(NULL, "Failed to create new session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
}
RETURN_THROWS();
}
if (PS(use_strict_mode) && PS(mod)->s_validate_sid &&
PS(mod)->s_validate_sid(&PS(mod_data), PS(id)) == SUCCESS) {
zend_string_release_ex(PS(id), 0);
PS(id) = PS(mod)->s_create_sid(&PS(mod_data));
if (!PS(id)) {
PS(mod)->s_close(&PS(mod_data));
PS(session_status) = php_session_none;
if (!EG(exception)) {
zend_throw_error(NULL, "Failed to create session ID by collision: %s (path: %s)", PS(mod)->s_name, PS(save_path));
}
RETURN_THROWS();
}
}

Otherwise we would always create the session ID twice for mod_user.

I'm very confused by the whole check here... at it seems to be kinda weirdly implemented? I tried to fix it let me know what you think.

cmb69
cmb69 approved these changes Oct 6, 2022
View reviewed changes
Copy link
Member

@cmb69 cmb69 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, looks good to me. Thank you!

@cmb69 cmb69 mentioned this pull request Oct 6, 2022
Closed
@Girgias Girgias closed this in 499fbcd Oct 6, 2022
@Girgias Girgias deleted the sessionhandler-tests branch October 6, 2022 16:03
@nicolas-grekas nicolas-grekas mentioned this pull request Oct 12, 2022
Merged
nicolas-grekas added a commit to symfony/symfony that referenced this pull request Oct 12, 2022
@nicolas-grekas
minor #47843 [HttpFoundation] Fix session tests (nicolas-grekas)
c52b0ed 
This PR was merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] Fix session tests

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

Spotted after php/php-src#9638

The `validateId()` method of session handlers should return true only when the session-id maps to actual data in the storage.
This behavior was not correctly mocked in our function tests.

Commits
-------

c594f5d [HttpFoundation] Fix session tests
@Girgias Girgias mentioned this pull request Jan 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cmb69 cmb69

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Girgias @cmb69