Tim Düsterhus
3d9d68e1ca
zend_compile: Deprecate backticks as an alias for shell_exec() (#19443)
...
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_backticks_as_an_alias_for_shell_exec
2025-08-12 12:02:13 +02:00
DanielEScherzer
d8577d9bfb
Deprecate returning non-string values from a user output handler (#18932)
...
https://wiki.php.net/rfc/deprecations_php_8_4
2025-07-07 14:31:13 -07:00
Gina Peter Banyard
7f80d4dc7d
ext/session: Remove bool type coercions in tests
2025-06-23 14:57:13 +02:00
Jessica Smith
042a975238
ext/session: Fix GH-18634 (#18653)
...
Show warning when saving session if a pipe character is used in one of the $_SESSION keys
Fixes #18634
2025-05-26 11:17:25 +01:00
Gina Peter Banyard
3930b6f378
Merge branch 'PHP-8.4'
...
* PHP-8.4:
ext/session: Fix GH-17541 (ext/session NULL pointer dereferencement during ID reset)
2025-01-24 14:10:12 +00:00
Gina Peter Banyard
d35904adf2
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
ext/session: Fix GH-17541 (ext/session NULL pointer dereferencement during ID reset)
2025-01-24 14:10:00 +00:00
Gina Peter Banyard
a85666c17b
ext/session: Fix GH-17541 (ext/session NULL pointer dereferencement during ID reset)
...
Closes GH-17541
Closes GH-17546
2025-01-24 14:04:58 +00:00
Niels Dossche
6d4598eba8
Merge branch 'PHP-8.4'
...
* PHP-8.4:
Fix type confusion with session SID constant
2025-01-23 19:03:45 +01:00
Niels Dossche
b448d540c2
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix type confusion with session SID constant
2025-01-23 19:03:35 +01:00
Niels Dossche
2a2cc2ccce
Fix type confusion with session SID constant
...
Closes GH-17548.
2025-01-23 19:03:04 +01:00
David Carlier
a091e52316
ext/session: session_start() options arguments type checks.
...
close GH-17388
2025-01-07 23:52:39 +00:00
Niels Dossche
173bdb2c06
Merge branch 'PHP-8.4'
...
* PHP-8.4:
Fix GH-16590: UAF in session_encode()
Fix various memory leaks on error conditions in openssl_x509_parse()
2024-11-04 20:05:42 +01:00
Niels Dossche
cc39bc21e3
Fix GH-16590: UAF in session_encode()
...
The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.
Closes GH-16640.
2024-11-04 20:05:32 +01:00
Calvin Buckley
84d6cb8cf0
Unify headers already sent/session already started error handler (#16451)
...
* Unify headers already sent errors
Now whenever we need to check where headers were already sent in
ext/session, we call a single location that prints where, keeping it
consistent output wise.
* Unify session already started errors
Similar to the one for headers.
* Also change session active checks too
This usually goes hand in hand with the headers already sent checks, but
is in a separate commit because of the amount of tests it changes.
2024-10-17 13:13:56 -03:00
Calvin Buckley
edf351ce6d
Mention where headers were already sent if session_start fails (#16378)
...
We had previously improved where sessions were already started, and
where headers were already sent when setting headers, but not where a
header has been sent if we try to set the header cookie.
Fixes GH-16372
2024-10-14 21:13:43 -03:00
David Carlier
4d008e300b
Merge branch 'PHP-8.3' into PHP-8.4
2024-10-13 14:19:45 +01:00
David Carlier
f31232e218
Merge branch 'PHP-8.2' into PHP-8.3
2024-10-13 14:19:33 +01:00
David Carlier
84a8fea251
Fix GH-16290: session cookie_lifetime ini value overflow.
...
close GH-16295
2024-10-13 14:19:18 +01:00
Niels Dossche
45f7f87b75
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-16385: Unexpected null returned by session_set_cookie_params
2024-10-12 13:09:24 +02:00
Niels Dossche
a1f7ce5617
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-16385: Unexpected null returned by session_set_cookie_params
2024-10-12 13:09:06 +02:00
Niels Dossche
7cdd1302c3
Fix GH-16385: Unexpected null returned by session_set_cookie_params
...
Two issues:
1) The check happened before ZPP checks
2) The `return;` statement caused NULL to be returned while this
function can only return booleans. An exception seems not acceptable
in stable versions, but a warning may do.
Closes GH-16386.
2024-10-12 13:08:37 +02:00
Christoph M. Becker
217ea732fc
Use php_error_docref() instead of zend_error() in session.c (GH-15505)
...
Using `php_error_docref()` is preferable since it outputs additional
details (which function has been called and whether it is a startup or
shutdown error), uses HTML markup, and also provides a link to the
documentation, if configured.
Since these deprecation warnings have been introduced recently[1][2],
i.e. for PHP 8.4, there are no BC concerns.
[1] <https://github.com/php/php-src/commit/e8ff7c70f9669f1a54c47c018ccc0f80bc0c929b>
[2] <https://github.com/php/php-src/commit/b36eac94d26bdced150d9d2178f6209893d9961f>
Co-authored-by: Máté Kocsis <kocsismate90@gmail.com>
2024-09-04 16:00:28 +02:00
Kamil Tekiela
c5bce0d8a2
Deprecate disabling use_only_cookies (#13578)
2024-08-24 16:33:45 +02:00
Jorg Adam Sowa
ff69f334f1
ext/session: Warn when providing invalid values for session.gc_probability and session.gc_divisor
2024-08-22 01:29:40 +01:00
Christoph M. Becker
3ed5eee5d3
[skip ci] Fix bug71162.phpt xfail message (GH-15506)
...
The test failure is unlikely to be caused by `SessionHandlerInterface`
not being available.
2024-08-20 14:48:52 +02:00
Jorg Adam Sowa
21fa5e15f9
ext/session: session_create_id() now throws a ValueError for large prefix (#15338)
2024-08-15 11:10:18 +01:00
Jorg Adam Sowa
c4eccf33e9
ext/session: session.save_handler - add tests for two uncovered cases (#15337)
2024-08-11 15:39:56 +01:00
Jorg Adam Sowa
6bf7b7220d
ValueError on null byte in session_name() (#15286)
2024-08-11 13:26:54 +01:00
Tim Düsterhus
e8ff7c70f9
session: Deprecate session.sid_length and session.sid_bits_per_character (#15213)
...
RFC: https://wiki.php.net/rfc/deprecations_php_8_4
2024-08-04 18:25:31 +02:00
Jorg Adam Sowa
8e1561cdbe
Check session_create_id() input for null byte (#14728)
2024-07-06 21:18:35 +01:00
Niels Dossche
a58c3a7eb1
Merge branch 'PHP-8.3'
...
* PHP-8.3:
Fix reading zlib ini settings in ext-soap
Fix memory leak if calling SoapServer::setClass() twice
Fix memory leak if calling SoapServer::setObject() twice
Fix missing error restore code in ext-soap (#14379)
Fix GH-14368: Test failure in ext/session/tests/gh13856.phpt (#14378)
2024-05-31 18:27:22 +02:00
Niels Dossche
2b1097a87d
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix reading zlib ini settings in ext-soap
Fix memory leak if calling SoapServer::setClass() twice
Fix memory leak if calling SoapServer::setObject() twice
Fix missing error restore code in ext-soap (#14379)
Fix GH-14368: Test failure in ext/session/tests/gh13856.phpt (#14378)
2024-05-31 18:26:22 +02:00
Niels Dossche
d7aa0be3a8
Fix GH-14368: Test failure in ext/session/tests/gh13856.phpt (#14378)
...
If the runner overrides session.save_path, the test fails.
Manually set it to a value known to trigger the issue.
2024-05-31 18:18:40 +02:00
Peter Kokot
c1d71cfeea
Remove forgotten obsolete session INI directives (#14238)
...
The session.hash_function and session.hash_bits_per_character INI
directives have been removed in PHP 7.1:
3467526a65
2024-05-15 17:01:15 +02:00
Jorg Adam Sowa
4829b8f2cb
ext/session: Add test for session_start with read_and_close option (#13799)
2024-04-14 13:22:43 +01:00
Niels Dossche
cf313321c2
Merge branch 'PHP-8.3'
...
* PHP-8.3:
[ci skip] NEWS
Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)
2024-04-06 13:45:10 +02:00
Niels Dossche
eb244fcb49
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
[ci skip] NEWS
Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)
2024-04-06 13:45:00 +02:00
Niels Dossche
5ce9687cb2
Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts (#13892)
...
The hash tables used are allocated via the persistent allocator.
When using ini_set, the allocation happens via the non-persistent
allocator. When the table is then freed in GSHUTDOWN, we get a crash
because the allocators are mismatched.
As a side note, it is strange that this is designed this way, because it
means that ini_sets persist between requests...
Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
2024-04-06 13:43:26 +02:00
Niels Dossche
0dc599853a
Merge branch 'PHP-8.3'
...
* PHP-8.3:
Fix GH-13856: Member access within null pointer of type 'ps_files' in ext/session/mod_files.c
2024-04-01 14:16:28 +02:00
Niels Dossche
3f598a3073
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-13856: Member access within null pointer of type 'ps_files' in ext/session/mod_files.c
2024-04-01 14:16:23 +02:00
Niels Dossche
46f45a51b4
Fix GH-13856: Member access within null pointer of type 'ps_files' in ext/session/mod_files.c
...
We should not mark the session as opened when there was a failure in
open.
Closes GH-13858.
2024-04-01 14:15:51 +02:00
Jorg Adam Sowa
f69d540541
Removed impossible paths from session_decode and session_encode (#13796)
2024-03-24 20:20:42 +01:00
Niels Dossche
8793f9938b
Merge branch 'PHP-8.3'
...
* PHP-8.3:
Fix GH-13680: Segfault with session_decode and compilation error
2024-03-13 17:59:43 +01:00
Niels Dossche
b58dc6fd1a
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-13680: Segfault with session_decode and compilation error
2024-03-13 17:49:31 +01:00
Niels Dossche
6985aff7c3
Fix GH-13680: Segfault with session_decode and compilation error
...
It's illegal to return from a bailout because that doesn't restore the
original bailout data. Return outside of it.
Test by YuanchengJiang
Closes GH-13689.
2024-03-13 17:47:25 +01:00
Niels Dossche
2c4534a5b9
Merge branch 'PHP-8.3'
...
* PHP-8.3:
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader
2024-01-22 22:04:20 +01:00
Niels Dossche
d50393e242
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader
2024-01-22 22:02:28 +01:00
Niels Dossche
7f7031eb72
Fix GH-12504: Corrupted session written when there's a fatal error in autoloader
...
For details and reasoning, see [1] and following.
[1] https://github.com/php/php-src/issues/12504#issuecomment-1790870399
Closes GH-13207.
2024-01-22 21:59:11 +01:00
Máté Kocsis
b36eac94d2
Deprecate calling session_set_save_handler() with more than 2 arguments
2023-12-04 22:35:30 +01:00
Ilija Tovilo
f39b5c4c25
Close PHP tags in tests
...
Closes GH-12422
2023-10-18 17:34:10 +02:00