PHP bug #79091
From b7c8f041b0769b0a76356d5aa6c760c558c9c060 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 20 Jan 2020 18:05:00 +0100 | |
Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id() | |
If the `new_id` is released, we must not use it again. | |
--- | |
ext/session/session.c | 1 + | |
ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++ | |
2 files changed, 68 insertions(+) | |
create mode 100644 ext/session/tests/bug79091.phpt | |
diff --git a/ext/session/session.c b/ext/session/session.c | |
index 65fb30697c..f470067faf 100644 | |
--- a/ext/session/session.c | |
+++ b/ext/session/session.c | |
@@ -2198,6 +2198,7 @@ static PHP_FUNCTION(session_create_id) | |
/* Detect collision and retry */ | |
if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) { | |
zend_string_release(new_id); | |
+ new_id = NULL; | |
continue; | |
} | |
break; | |
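Review bot: The added `new_id = NULL;` is correct but unexplained in place; a reader of this hunk cannot see that the value of `new_id` is still inspected after the loop (the commit message implies it, and that is presumably where the freed string was dereferenced). A one-line comment next to the assignment would carry that, e.g. `/* string is gone; the check after the loop must not see the stale pointer */`. The loop header and the post-loop check belong to session_create_id(), whose body starts and ends outside the hunk.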
diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt | |
new file mode 100644 | |
index 0000000000..1d14427159 | |
--- /dev/null | |
+++ b/ext/session/tests/bug79091.phpt | |
@@ -0,0 +1,67 @@ | |
+--TEST-- | |
+Bug #79091 (heap use-after-free in session_create_id()) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('session')) die('skip session extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface | |
+{ | |
+ public function close() | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function destroy($session_id) | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function gc($maxlifetime) | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function open($save_path, $session_name) | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function read($session_id) | |
+ { | |
+ return ''; | |
+ } | |
+ | |
+ public function write($session_id, $session_data) | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function create_sid() | |
+ { | |
+ return uniqid(); | |
+ } | |
+ | |
+ public function updateTimestamp($key, $val) | |
+ { | |
+ return true; | |
+ } | |
+ | |
+ public function validateId($key) | |
+ { | |
+ return false; | |
+ } | |
+} | |
+ | |
+ob_start(); | |
+var_dump(session_set_save_handler(new MySessionHandler())); | |
+var_dump(session_start()); | |
+ob_flush(); | |
+session_create_id(); | |
+?> | |
+--EXPECTF-- | |
+bool(true) | |
+bool(true) | |
+ | |
+Warning: session_create_id(): Failed to create new ID in %s on line %d | |
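Review bot: The test pins only the warning text and discards the return value of `session_create_id()` on the second-to-last line of the FILE section, so a regression that kept the warning but handed back a released string would not be caught; writing `var_dump(session_create_id());` and adding `bool(false)` after the Warning line in the EXPECTF section closes that gap. The `validateId()` stub is the trigger for the whole scenario and deserves a why-comment such as `// reject every candidate id so session_create_id() takes its retry path`. The `ob_start()`/`ob_flush()` pair is presumably there so the buffered `var_dump()` output does not count as headers already sent before `session_start()`; a short comment saying so would help the next reader.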
-- | |
2.25.0.windows.1 | |