Created
August 4, 2016 06:42
-
-
Save yohgaki/7160a05a3a8f8d012833499ea32b451b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/UPGRADING b/UPGRADING | |
| index 5400a2e..56221f4 100644 | |
| --- a/UPGRADING | |
| +++ b/UPGRADING | |
| @@ -71,6 +71,25 @@ PHP 7.1 UPGRADE NOTES | |
| - OpenSSL: | |
| . Dropped sslv2 stream. | |
| +- Session: | |
| + . Session ID is generated from CSPNG directly. As a result, Session ID length | |
| + could be any length between 22 and 256. Note: Max size of session ID depends | |
| + on save handler you are using. | |
| + . Following INIs are removed | |
| + . session.hash_function | |
| + . session.hash_bits_per_charactor | |
| + . session.entropy_file | |
| + . session.entropy_length | |
| + . New INIs and defaults | |
| + . session.sid_length (Number of session ID characters - 22 to 256. Default: 32) | |
| + . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 4) | |
| + . If you were using session.hash_func=1(SHA1) and session.hash_bits_per_charactor=6 | |
| + Use following INIs to achive the same or better session ID strength. | |
| + . session.sid_length=32 | |
| + . session.sid_bits_per_character=6 | |
| + | |
| + | |
| + | |
| ======================================== | |
| 2. New Features | |
| ======================================== | |
| @@ -238,8 +257,7 @@ PHP 7.1 UPGRADE NOTES | |
| . Custom session handlers that do not return strings for session IDs will | |
| now throw an instance of Error instead of resulting in a fatal error | |
| when a function is called that must generate a session ID. | |
| - . An invalid setting for session.hash_function will throw an instance of | |
| - Error instead of resulting in a fatal error when a session ID is created. | |
| + . Only CSPRNG is used to generate session ID. | |
| - SimpleXML: | |
| . Creating an unnamed or duplicate attribute will throw an instance of Error | |
| diff --git a/ext/session/php_session.h b/ext/session/php_session.h | |
| index 37e66a0..b693fd4 100644 | |
| --- a/ext/session/php_session.h | |
| +++ b/ext/session/php_session.h | |
| @@ -151,9 +151,7 @@ typedef struct _php_ps_globals { | |
| char *session_name; | |
| zend_string *id; | |
| char *extern_referer_chk; | |
| - char *entropy_file; | |
| char *cache_limiter; | |
| - zend_long entropy_length; | |
| zend_long cookie_lifetime; | |
| char *cookie_path; | |
| char *cookie_domain; | |
| @@ -191,11 +189,8 @@ typedef struct _php_ps_globals { | |
| zend_bool use_only_cookies; | |
| zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */ | |
| - zend_long hash_func; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - php_hash_ops *hash_ops; | |
| -#endif | |
| - zend_long hash_bits_per_character; | |
| + zend_long sid_length; | |
| + zend_long sid_bits_per_character; | |
| int send_cookie; | |
| int define_sid; | |
| diff --git a/ext/session/session.c b/ext/session/session.c | |
| index bbf5b0f..9f7e471 100644 | |
| --- a/ext/session/session.c | |
| +++ b/ext/session/session.c | |
| @@ -40,13 +40,11 @@ | |
| #include "rfc1867.h" | |
| #include "php_variables.h" | |
| #include "php_session.h" | |
| -#include "ext/standard/md5.h" | |
| -#include "ext/standard/sha1.h" | |
| +#include "ext/standard/php_random.h" | |
| #include "ext/standard/php_var.h" | |
| #include "ext/date/php_date.h" | |
| #include "ext/standard/php_lcg.h" | |
| #include "ext/standard/url_scanner_ex.h" | |
| -#include "ext/standard/php_rand.h" /* for RAND_MAX */ | |
| #include "ext/standard/info.h" | |
| #include "zend_smart_str.h" | |
| #include "ext/standard/url.h" | |
| @@ -81,6 +79,8 @@ zend_class_entry *php_session_update_timestamp_class_entry; | |
| /* SessionUpdateTimestampInterface */ | |
| zend_class_entry *php_session_update_timestamp_iface_entry; | |
| +#define PS_MAX_SID_LENGTH 256 | |
| + | |
| /* *********** | |
| * Helpers * | |
| *********** */ | |
| @@ -259,17 +259,12 @@ static int php_session_decode(zend_string *data) /* {{{ */ | |
| static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; | |
| -enum { | |
| - PS_HASH_FUNC_MD5, | |
| - PS_HASH_FUNC_SHA1, | |
| - PS_HASH_FUNC_OTHER | |
| -}; | |
| - | |
| /* returns a pointer to the byte after the last valid character in out */ | |
| -static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */ | |
| +static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */ | |
| { | |
| unsigned char *p, *q; | |
| unsigned short w; | |
| + size_t len = inlen; | |
| int mask; | |
| int have; | |
| @@ -280,7 +275,7 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { | |
| have = 0; | |
| mask = (1 << nbits) - 1; | |
| - while (1) { | |
| + while (inlen--) { | |
| if (have < nbits) { | |
| if (p < q) { | |
| w |= *p++ << have; | |
| @@ -300,151 +295,24 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { | |
| } | |
| *out = '\0'; | |
| - return out; | |
| + return len; | |
| } | |
| /* }}} */ | |
| +#define PS_EXTRA_RAND_BYTES 60 | |
| + | |
| PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ | |
| { | |
| - PHP_MD5_CTX md5_context; | |
| - PHP_SHA1_CTX sha1_context; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - void *hash_context = NULL; | |
| -#endif | |
| - unsigned char *digest; | |
| - size_t digest_len; | |
| - char *buf; | |
| - struct timeval tv; | |
| - zval *array; | |
| - zval *token; | |
| + unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES]; | |
| zend_string *outid; | |
| - char *remote_addr = NULL; | |
| - | |
| - gettimeofday(&tv, NULL); | |
| - | |
| - if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) && | |
| - Z_TYPE_P(array) == IS_ARRAY && | |
| - (token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) && | |
| - Z_TYPE_P(token) == IS_STRING | |
| - ) { | |
| - remote_addr = Z_STRVAL_P(token); | |
| - } | |
| - | |
| - /* maximum 15+19+19+10 bytes */ | |
| - spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10); | |
| - | |
| - switch (PS(hash_func)) { | |
| - case PS_HASH_FUNC_MD5: | |
| - PHP_MD5Init(&md5_context); | |
| - PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf)); | |
| - digest_len = 16; | |
| - break; | |
| - case PS_HASH_FUNC_SHA1: | |
| - PHP_SHA1Init(&sha1_context); | |
| - PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf)); | |
| - digest_len = 20; | |
| - break; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - case PS_HASH_FUNC_OTHER: | |
| - if (!PS(hash_ops)) { | |
| - efree(buf); | |
| - zend_throw_error(NULL, "Invalid session hash function"); | |
| - return NULL; | |
| - } | |
| - | |
| - hash_context = emalloc(PS(hash_ops)->context_size); | |
| - PS(hash_ops)->hash_init(hash_context); | |
| - PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf)); | |
| - digest_len = PS(hash_ops)->digest_size; | |
| - break; | |
| -#endif /* HAVE_HASH_EXT */ | |
| - default: | |
| - efree(buf); | |
| - zend_throw_error(NULL, "Invalid session hash function"); | |
| - return NULL; | |
| - } | |
| - efree(buf); | |
| - | |
| - if (PS(entropy_length) > 0) { | |
| -#ifdef PHP_WIN32 | |
| - unsigned char rbuf[2048]; | |
| - size_t toread = PS(entropy_length); | |
| - | |
| - if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){ | |
| - | |
| - switch (PS(hash_func)) { | |
| - case PS_HASH_FUNC_MD5: | |
| - PHP_MD5Update(&md5_context, rbuf, toread); | |
| - break; | |
| - case PS_HASH_FUNC_SHA1: | |
| - PHP_SHA1Update(&sha1_context, rbuf, toread); | |
| - break; | |
| -# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - case PS_HASH_FUNC_OTHER: | |
| - PS(hash_ops)->hash_update(hash_context, rbuf, toread); | |
| - break; | |
| -# endif /* HAVE_HASH_EXT */ | |
| - } | |
| - } | |
| -#else | |
| - int fd; | |
| - | |
| - fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); | |
| - if (fd >= 0) { | |
| - unsigned char rbuf[2048]; | |
| - int n; | |
| - int to_read = PS(entropy_length); | |
| - | |
| - while (to_read > 0) { | |
| - n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); | |
| - if (n <= 0) break; | |
| - | |
| - switch (PS(hash_func)) { | |
| - case PS_HASH_FUNC_MD5: | |
| - PHP_MD5Update(&md5_context, rbuf, n); | |
| - break; | |
| - case PS_HASH_FUNC_SHA1: | |
| - PHP_SHA1Update(&sha1_context, rbuf, n); | |
| - break; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - case PS_HASH_FUNC_OTHER: | |
| - PS(hash_ops)->hash_update(hash_context, rbuf, n); | |
| - break; | |
| -#endif /* HAVE_HASH_EXT */ | |
| - } | |
| - to_read -= n; | |
| - } | |
| - close(fd); | |
| - } | |
| -#endif | |
| - } | |
| - digest = emalloc(digest_len + 1); | |
| - switch (PS(hash_func)) { | |
| - case PS_HASH_FUNC_MD5: | |
| - PHP_MD5Final(digest, &md5_context); | |
| - break; | |
| - case PS_HASH_FUNC_SHA1: | |
| - PHP_SHA1Final(digest, &sha1_context); | |
| - break; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - case PS_HASH_FUNC_OTHER: | |
| - PS(hash_ops)->hash_final(digest, hash_context); | |
| - efree(hash_context); | |
| - break; | |
| -#endif /* HAVE_HASH_EXT */ | |
| + /* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ | |
| + if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { | |
| + return NULL; | |
| } | |
| - if (PS(hash_bits_per_character) < 4 | |
| - || PS(hash_bits_per_character) > 6) { | |
| - PS(hash_bits_per_character) = 4; | |
| - | |
| - php_error_docref(NULL, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); | |
| - } | |
| - | |
| - outid = zend_string_alloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character) + 0.5)), 0); | |
| - ZSTR_LEN(outid) = (size_t)(bin_to_readable((char *)digest, digest_len, ZSTR_VAL(outid), (char)PS(hash_bits_per_character)) - (char *)&ZSTR_VAL(outid)); | |
| - efree(digest); | |
| + outid = zend_string_alloc(PS(sid_length), 0); | |
| + ZSTR_LEN(outid) = bin_to_readable(rbuf, PS(sid_length), ZSTR_VAL(outid), (char)PS(sid_bits_per_character)); | |
| return outid; | |
| } | |
| @@ -476,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */ | |
| /* Somewhat arbitrary length limit here, but should be way more than | |
| anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ | |
| - if (len == 0 || len > 128) { | |
| + if (len == 0 || len > PS_MAX_SID_LENGTH) { | |
| ret = FAILURE; | |
| } | |
| @@ -773,55 +641,43 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */ | |
| } | |
| /* }}} */ | |
| -static PHP_INI_MH(OnUpdateHashFunc) /* {{{ */ | |
| +static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ | |
| { | |
| zend_long val; | |
| char *endptr = NULL; | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) | |
| - PS(hash_ops) = NULL; | |
| -#endif | |
| - | |
| val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); | |
| - if (endptr && (*endptr == '\0')) { | |
| + if (endptr && (*endptr == '\0') | |
| + && val >= 22 && val <= PS_MAX_SID_LENGTH) { | |
| /* Numeric value */ | |
| - PS(hash_func) = val ? 1 : 0; | |
| - | |
| + PS(sid_length) = val; | |
| return SUCCESS; | |
| } | |
| - if (ZSTR_LEN(new_value) == (sizeof("md5") - 1) && | |
| - strncasecmp(ZSTR_VAL(new_value), "md5", sizeof("md5") - 1) == 0) { | |
| - PS(hash_func) = PS_HASH_FUNC_MD5; | |
| - | |
| - return SUCCESS; | |
| - } | |
| - | |
| - if (ZSTR_LEN(new_value) == (sizeof("sha1") - 1) && | |
| - strncasecmp(ZSTR_VAL(new_value), "sha1", sizeof("sha1") - 1) == 0) { | |
| - PS(hash_func) = PS_HASH_FUNC_SHA1; | |
| - | |
| - return SUCCESS; | |
| - } | |
| + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256."); | |
| + return FAILURE; | |
| +} | |
| +/* }}} */ | |
| -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) /* {{{ */ | |
| +static PHP_INI_MH(OnUpdateSidBits) /* {{{ */ | |
| { | |
| - php_hash_ops *ops = (php_hash_ops*)php_hash_fetch_ops(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); | |
| - | |
| - if (ops) { | |
| - PS(hash_func) = PS_HASH_FUNC_OTHER; | |
| - PS(hash_ops) = ops; | |
| + zend_long val; | |
| + char *endptr = NULL; | |
| + val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); | |
| + if (endptr && (*endptr == '\0') | |
| + && val >= 4 && val <=6) { | |
| + /* Numeric value */ | |
| + PS(sid_bits_per_character) = val; | |
| return SUCCESS; | |
| } | |
| -} | |
| -#endif /* HAVE_HASH_EXT }}} */ | |
| - php_error_docref(NULL, E_WARNING, "session.configuration 'session.hash_function' must be existing hash function. %s does not exist.", ZSTR_VAL(new_value)); | |
| + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must be between 4 and 6."); | |
| return FAILURE; | |
| } | |
| /* }}} */ | |
| + | |
| static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */ | |
| { | |
| int tmp; | |
| @@ -862,21 +718,11 @@ PHP_INI_BEGIN() | |
| STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) | |
| STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) | |
| STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) | |
| -#if HAVE_DEV_URANDOM | |
| - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) | |
| - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) | |
| -#elif HAVE_DEV_ARANDOM | |
| - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) | |
| - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) | |
| -#else | |
| - STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) | |
| - STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) | |
| -#endif | |
| STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) | |
| STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) | |
| PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid) | |
| - PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateHashFunc) | |
| - STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateLong, hash_bits_per_character, php_ps_globals, ps_globals) | |
| + PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength) | |
| + PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits) | |
| STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateBool, lazy_write, php_ps_globals, ps_globals) | |
| /* Upload progress */ | |
| diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt | |
| index ec3a70d..d21a877 100644 | |
| --- a/ext/session/tests/bug68063.phpt | |
| +++ b/ext/session/tests/bug68063.phpt | |
| @@ -4,8 +4,8 @@ Bug #68063 (Empty session IDs do still start sessions) | |
| <?php include('skipif.inc'); ?> | |
| --INI-- | |
| session.use_strict_mode=0 | |
| -session.hash_function=1 | |
| -session.hash_bits_per_character=4 | |
| +session.sid_length=40 | |
| +session.sid_bits_per_character=4 | |
| --FILE-- | |
| <?php | |
| // Empty session ID may happen by browser bugs | |
| diff --git a/ext/session/tests/bug71186.phpt b/ext/session/tests/bug71186.phpt | |
| deleted file mode 100644 | |
| index 5eeba60..0000000 | |
| --- a/ext/session/tests/bug71186.phpt | |
| +++ /dev/null | |
| @@ -1,32 +0,0 @@ | |
| ---TEST-- | |
| -Bug #71186 session.hash_function - algorithm changes | |
| ---SKIPIF-- | |
| -<?php include('skipif.inc'); ?> | |
| ---INI-- | |
| -session.hash_function=sha512 | |
| -session.save_handler=files | |
| ---FILE-- | |
| -<?php | |
| -ob_start(); | |
| -ini_set('session.use_strict_mode', 1); | |
| - | |
| -session_start(); | |
| -$orig = session_id(); | |
| -session_regenerate_id(); | |
| -$new = session_id(); | |
| -var_dump(strlen($orig),strlen($new)); | |
| -session_commit(); | |
| - | |
| -ini_set('session.hash_function','sha1'); | |
| -session_id('invalid'); | |
| -session_start(); | |
| -$orig = session_id(); | |
| -session_regenerate_id(); | |
| -$new = session_id(); | |
| -var_dump(strlen($orig),strlen($new)); | |
| -?> | |
| ---EXPECT-- | |
| -int(128) | |
| -int(128) | |
| -int(40) | |
| -int(40) | |
| diff --git a/ext/session/tests/rfc1867_sid_invalid.phpt b/ext/session/tests/rfc1867_sid_invalid.phpt | |
| index a9114e3..7ff8f6b 100644 | |
| --- a/ext/session/tests/rfc1867_sid_invalid.phpt | |
| +++ b/ext/session/tests/rfc1867_sid_invalid.phpt | |
| @@ -9,6 +9,7 @@ session.save_path= | |
| session.name=PHPSESSID | |
| session.use_cookies=1 | |
| session.use_only_cookies=0 | |
| +session.use_strict_mode=0 | |
| session.auto_start=0 | |
| session.upload_progress.enabled=1 | |
| session.upload_progress.cleanup=0 | |
| diff --git a/ext/session/tests/session_hash_function_basic.phpt b/ext/session/tests/session_hash_function_basic.phpt | |
| deleted file mode 100644 | |
| index a9c9215..0000000 | |
| --- a/ext/session/tests/session_hash_function_basic.phpt | |
| +++ /dev/null | |
| @@ -1,52 +0,0 @@ | |
| ---TEST-- | |
| -Test session.hash_function ini setting : basic functionality | |
| ---SKIPIF-- | |
| -<?php include('skipif.inc'); ?> | |
| ---INI-- | |
| -session.hash_bits_per_character=4 | |
| ---FILE-- | |
| -<?php | |
| - | |
| -ob_start(); | |
| - | |
| -echo "*** Testing session.hash_function : basic functionality ***\n"; | |
| - | |
| -var_dump(ini_set('session.hash_function', 'md5')); | |
| -var_dump(session_start()); | |
| -var_dump(!empty(session_id()), session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -var_dump(ini_set('session.hash_function', 'sha1')); | |
| -var_dump(session_start()); | |
| -var_dump(!empty(session_id()), session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -var_dump(ini_set('session.hash_function', 'none')); // Should fail | |
| -var_dump(session_start()); | |
| -var_dump(!empty(session_id()), session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| - | |
| -echo "Done"; | |
| -ob_end_flush(); | |
| -?> | |
| ---EXPECTF-- | |
| -*** Testing session.hash_function : basic functionality *** | |
| -string(1) "0" | |
| -bool(true) | |
| -bool(true) | |
| -string(32) "%s" | |
| -bool(true) | |
| -string(3) "md5" | |
| -bool(true) | |
| -bool(true) | |
| -string(40) "%s" | |
| -bool(true) | |
| - | |
| -Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. none does not exist. in %s%esession_hash_function_basic.php on line 17 | |
| -bool(false) | |
| -bool(true) | |
| -bool(true) | |
| -string(40) "%s" | |
| -bool(true) | |
| -Done | |
| diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt | |
| new file mode 100644 | |
| index 0000000..4421a53 | |
| --- /dev/null | |
| +++ b/ext/session/tests/session_id_basic2.phpt | |
| @@ -0,0 +1,38 @@ | |
| +--TEST-- | |
| +Test session_id() function : basic functionality | |
| +--SKIPIF-- | |
| +<?php include('skipif.inc'); ?> | |
| +--FILE-- | |
| +<?php | |
| + | |
| +ob_start(); | |
| + | |
| +/* | |
| + * Prototype : string session_id([string $id]) | |
| + * Description : Get and/or set the current session id | |
| + * Source code : ext/session/session.c | |
| + */ | |
| + | |
| +echo "*** Testing session_id() : basic functionality ***\n"; | |
| + | |
| +ini_set('session.sid_bits_per_chracter', 6); | |
| +ini_set('session.sid_length', 240); | |
| +session_start(); | |
| +var_dump(session_id()); | |
| +session_commit(); | |
| + | |
| +ini_set('session.sid_bits_per_chracter', 4); | |
| +ini_set('session.sid_length', 22); | |
| +session_start(); | |
| +session_regenerate_id(); | |
| +var_dump(session_id()); | |
| +session_commit(); | |
| + | |
| +echo "Done"; | |
| +?> | |
| +--EXPECTF-- | |
| +*** Testing session_id() : basic functionality *** | |
| +string(240) "%s" | |
| +string(22) "%s" | |
| +Done | |
| + | |
| diff --git a/ext/session/tests/session_id_error4.phpt b/ext/session/tests/session_id_error4.phpt | |
| deleted file mode 100644 | |
| index 6c1fdbc..0000000 | |
| --- a/ext/session/tests/session_id_error4.phpt | |
| +++ /dev/null | |
| @@ -1,37 +0,0 @@ | |
| ---TEST-- | |
| -Test session_id() function : error functionality | |
| ---SKIPIF-- | |
| -<?php include('skipif.inc'); ?> | |
| ---INI-- | |
| -session.hash_function=0 | |
| -session.hash_bits_per_character=4 | |
| ---FILE-- | |
| -<?php | |
| - | |
| -ob_start(); | |
| - | |
| -/* | |
| - * Prototype : string session_id([string $id]) | |
| - * Description : Get and/or set the current session id | |
| - * Source code : ext/session/session.c | |
| - */ | |
| - | |
| -echo "*** Testing session_id() : error functionality ***\n"; | |
| - | |
| -var_dump(ini_set("session.hash_function", -1)); | |
| -var_dump(session_id()); | |
| -var_dump(session_start()); | |
| -var_dump(session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -echo "Done"; | |
| -ob_end_flush(); | |
| -?> | |
| ---EXPECTF-- | |
| -*** Testing session_id() : error functionality *** | |
| -string(1) "0" | |
| -string(0) "" | |
| -bool(true) | |
| -string(40) "%s" | |
| -bool(true) | |
| -Done | |
| diff --git a/ext/session/tests/session_id_variation1.phpt b/ext/session/tests/session_id_variation1.phpt | |
| deleted file mode 100644 | |
| index 983ca29..0000000 | |
| --- a/ext/session/tests/session_id_variation1.phpt | |
| +++ /dev/null | |
| @@ -1,48 +0,0 @@ | |
| ---TEST-- | |
| -Test session_id() function : variation | |
| ---SKIPIF-- | |
| -<?php include('skipif.inc'); ?> | |
| ---INI-- | |
| -session.hash_function=0 | |
| ---FILE-- | |
| -<?php | |
| - | |
| -ob_start(); | |
| - | |
| -/* | |
| - * Prototype : string session_id([string $id]) | |
| - * Description : Get and/or set the current session id | |
| - * Source code : ext/session/session.c | |
| - */ | |
| - | |
| -echo "*** Testing session_id() : variation ***\n"; | |
| - | |
| -var_dump(ini_set("session.hash_function", 0)); | |
| -var_dump(session_id()); | |
| -var_dump(session_start()); | |
| -var_dump(session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -var_dump(ini_set("session.hash_function", 1)); | |
| -var_dump(session_id()); | |
| -var_dump(session_start()); | |
| -var_dump(session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -echo "Done"; | |
| -ob_end_flush(); | |
| -?> | |
| ---EXPECTF-- | |
| -*** Testing session_id() : variation *** | |
| -string(1) "0" | |
| -string(0) "" | |
| -bool(true) | |
| -string(%d) "%s" | |
| -bool(true) | |
| -string(1) "0" | |
| -string(0) "" | |
| -bool(true) | |
| -string(%d) "%s" | |
| -bool(true) | |
| -Done | |
| - | |
| diff --git a/ext/session/tests/session_id_variation2.phpt b/ext/session/tests/session_id_variation2.phpt | |
| deleted file mode 100644 | |
| index f69aa44..0000000 | |
| --- a/ext/session/tests/session_id_variation2.phpt | |
| +++ /dev/null | |
| @@ -1,61 +0,0 @@ | |
| ---TEST-- | |
| -Test session_id() function : variation | |
| ---SKIPIF-- | |
| -<?php include('skipif.inc'); ?> | |
| ---INI-- | |
| -session.hash_function=0 | |
| -session.entropy_file= | |
| -session.entropy_length=0 | |
| ---FILE-- | |
| -<?php | |
| - | |
| -ob_start(); | |
| - | |
| -/* | |
| - * Prototype : string session_id([string $id]) | |
| - * Description : Get and/or set the current session id | |
| - * Source code : ext/session/session.c | |
| - */ | |
| - | |
| -echo "*** Testing session_id() : variation ***\n"; | |
| - | |
| -$directory = dirname(__FILE__); | |
| -$filename = ($directory."/entropy.txt"); | |
| -var_dump(ini_set("session.entropy_file", $filename)); | |
| -var_dump(file_put_contents($filename, "Hello World!")); | |
| -var_dump(ini_set("session.entropy_length", filesize($filename))); | |
| - | |
| -var_dump(ini_set("session.hash_function", 0)); | |
| -var_dump(session_id()); | |
| -var_dump(session_start()); | |
| -var_dump(session_id()); | |
| -var_dump(session_destroy()); | |
| - | |
| -var_dump(ini_set("session.hash_function", 1)); | |
| -var_dump(session_id()); | |
| -var_dump(session_start()); | |
| -var_dump(session_id()); | |
| -var_dump(session_destroy()); | |
| -var_dump(unlink($filename)); | |
| - | |
| -echo "Done"; | |
| -ob_end_flush(); | |
| -?> | |
| ---EXPECTF-- | |
| -*** Testing session_id() : variation *** | |
| -string(0) "" | |
| -int(12) | |
| -string(1) "0" | |
| -string(1) "0" | |
| -string(0) "" | |
| -bool(true) | |
| -string(%d) "%s" | |
| -bool(true) | |
| -string(1) "0" | |
| -string(0) "" | |
| -bool(true) | |
| -string(%d) "%s" | |
| -bool(true) | |
| -bool(true) | |
| -Done | |
| - | |
| diff --git a/ext/session/tests/session_set_save_handler_variation6.phpt b/ext/session/tests/session_set_save_handler_variation6.phpt | |
| index 8d53637..357e606 100644 | |
| --- a/ext/session/tests/session_set_save_handler_variation6.phpt | |
| +++ b/ext/session/tests/session_set_save_handler_variation6.phpt | |
| @@ -1,6 +1,7 @@ | |
| --TEST-- | |
| Test session_set_save_handler() function : test lazy_write | |
| --INI-- | |
| +session.use_strict_mode=0 | |
| session.lazy_write=1 | |
| session.save_path= | |
| session.name=PHPSESSID | |
| diff --git a/php.ini-development b/php.ini-development | |
| index b39689f..d0a1c5a 100644 | |
| --- a/php.ini-development | |
| +++ b/php.ini-development | |
| @@ -143,7 +143,7 @@ | |
| ; Development Value: 1000 | |
| ; Production Value: 1000 | |
| -; session.hash_bits_per_character | |
| +; session.sid_bits_per_character | |
| ; Default Value: 4 | |
| ; Development Value: 5 | |
| ; Production Value: 5 | |
| @@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440 | |
| ; http://php.net/session.referer-check | |
| session.referer_check = | |
| -; How many bytes to read from the file. | |
| -; http://php.net/session.entropy-length | |
| -;session.entropy_length = 32 | |
| - | |
| -; Specified here to create the session id. | |
| -; http://php.net/session.entropy-file | |
| -; Defaults to /dev/urandom | |
| -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom | |
| -; If neither are found at compile time, the default is no entropy file. | |
| -; On windows, setting the entropy_length setting will activate the | |
| -; Windows random source (using the CryptoAPI) | |
| -;session.entropy_file = /dev/urandom | |
| - | |
| ; Set to {nocache,private,public,} to determine HTTP caching aspects | |
| ; or leave this empty to avoid sending anti-caching headers. | |
| ; http://php.net/session.cache-limiter | |
| @@ -1437,15 +1424,11 @@ session.cache_expire = 180 | |
| ; http://php.net/session.use-trans-sid | |
| session.use_trans_sid = 0 | |
| -; Select a hash function for use in generating session ids. | |
| -; Possible Values | |
| -; 0 (MD5 128 bits) | |
| -; 1 (SHA-1 160 bits) | |
| -; This option may also be set to the name of any hash function supported by | |
| -; the hash extension. A list of available hashes is returned by the hash_algos() | |
| -; function. | |
| -; http://php.net/session.hash-function | |
| -session.hash_function = 0 | |
| +; Set session ID charactor length. This value could be between 22 to 256. | |
| +; Shorter length than default is supported only for compatibility reason. | |
| +; Users must use 32 or more chars. | |
| +; http://php.net/session.sid_length | |
| +;session.sid_length = 32 | |
| ; Define how many bits are stored in each character when converting | |
| ; the binary hash data to something readable. | |
| @@ -1457,7 +1440,7 @@ session.hash_function = 0 | |
| ; Development Value: 5 | |
| ; Production Value: 5 | |
| ; http://php.net/session.hash-bits-per-character | |
| -session.hash_bits_per_character = 5 | |
| +session.sid_bits_per_character = 5 | |
| ; The URL rewriter will look for URLs in a defined set of HTML tags. | |
| ; form/fieldset are special; if you include them here, the rewriter will | |
| diff --git a/php.ini-production b/php.ini-production | |
| index 3c07f75..10218d5 100644 | |
| --- a/php.ini-production | |
| +++ b/php.ini-production | |
| @@ -143,7 +143,7 @@ | |
| ; Development Value: 1000 | |
| ; Production Value: 1000 | |
| -; session.hash_bits_per_character | |
| +; session.sid_bits_per_character | |
| ; Default Value: 4 | |
| ; Development Value: 5 | |
| ; Production Value: 5 | |
| @@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440 | |
| ; http://php.net/session.referer-check | |
| session.referer_check = | |
| -; How many bytes to read from the file. | |
| -; http://php.net/session.entropy-length | |
| -;session.entropy_length = 32 | |
| - | |
| -; Specified here to create the session id. | |
| -; http://php.net/session.entropy-file | |
| -; Defaults to /dev/urandom | |
| -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom | |
| -; If neither are found at compile time, the default is no entropy file. | |
| -; On windows, setting the entropy_length setting will activate the | |
| -; Windows random source (using the CryptoAPI) | |
| -;session.entropy_file = /dev/urandom | |
| - | |
| ; Set to {nocache,private,public,} to determine HTTP caching aspects | |
| ; or leave this empty to avoid sending anti-caching headers. | |
| ; http://php.net/session.cache-limiter | |
| @@ -1437,15 +1424,11 @@ session.cache_expire = 180 | |
| ; http://php.net/session.use-trans-sid | |
| session.use_trans_sid = 0 | |
| -; Select a hash function for use in generating session ids. | |
| -; Possible Values | |
| -; 0 (MD5 128 bits) | |
| -; 1 (SHA-1 160 bits) | |
| -; This option may also be set to the name of any hash function supported by | |
| -; the hash extension. A list of available hashes is returned by the hash_algos() | |
| -; function. | |
| -; http://php.net/session.hash-function | |
| -session.hash_function = 0 | |
| +; Set session ID charactor length. This value could be between 22 to 256. | |
| +; Shorter length than default is supported only for compatibility reason. | |
| +; Users must use 32 or more chars. | |
| +; http://php.net/session.sid_length | |
| +;session.sid_length = 32 | |
| ; Define how many bits are stored in each character when converting | |
| ; the binary hash data to something readable. | |
| @@ -1457,7 +1440,7 @@ session.hash_function = 0 | |
| ; Development Value: 5 | |
| ; Production Value: 5 | |
| ; http://php.net/session.hash-bits-per-character | |
| -session.hash_bits_per_character = 5 | |
| +session.sid_bits_per_character = 5 | |
| ; The URL rewriter will look for URLs in a defined set of HTML tags. | |
| ; form/fieldset are special; if you include them here, the rewriter will |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment