ID: 25307
Updated by: [email]sniper@php.net[/email]
Reported By: cristea at pntcd dot ro
-Status: Verified
+Status: Closed
Bug Type: Session related
Operating System: any
PHP Version: 4CVS-2003-08-29 (stable)
New Comment:

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at [url]http://snaps.php.net/[/url].

In case this was a documentation problem, the fix will show up soon at
[url]http://www.php.net/manual/[/url].

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.

Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------

[2003-08-29 06:32:02] cristea at pntcd dot ro

I'm using php binary on win32. I cannot use this patch. Could this be
included on [url]http://snaps.php.net[/url] ?

------------------------------------------------------------------------

[2003-08-29 06:18:56] [email]sniper@php.net[/email]

This patch _seems_ to fix this bug:
[url]http://www.php.net/~jani/patches/bug25307.patch[/url]

(doesn't crash for me anymore)


------------------------------------------------------------------------

[2003-08-29 06:06:02] cristea at pntcd dot ro

In this case is a bug. If the serializer is set to 'php' everything is
OK.

------------------------------------------------------------------------

[2003-08-29 05:40:25] [email]sniper@php.net[/email]

Happens only when wddx is the serializer and
register_globals is 'On'.

Backtrace as follows:

0x40567dfa in var_replace (var_hashx=0x0, ozval=0x8244114,
nzval=0x8236ef0) at var_unserializer.re:40
40 var_unserializer.re: No such file or directory.
(gdb) bt
#0 0x40567dfa in var_replace (var_hashx=0x0, ozval=0x8244114,
nzval=0x8236ef0) at var_unserializer.re:40
#1 0x404e727b in php_set_session_var (name=0x824429c "a", namelen=1,
state_val=0x8244114, var_hash=0x0)
at /usr/src/web/php/php4_3/ext/session/session.c:307
#2 0x405720e2 in ps_srlzr_decode_wddx (
val=0x824724c "<wddxPacket
version='1.0'><header/><data><struct><var
name='a'><string>test</string></var></struct></data></wddxPacket>",
vallen=119) at /usr/src/web/php/php4_3/ext/wddx/wddx.c:292
#3 0x404e7e5c in php_session_decode (
val=0x824724c "<wddxPacket
version='1.0'><header/><data><struct><var
name='a'><string>test</string></var></struct></data></wddxPacket>",
vallen=119) at /usr/src/web/php/php4_3/ext/session/session.c:523
#4 0x404e8254 in php_session_initialize () at
/usr/src/web/php/php4_3/ext/session/session.c:608
#5 0x404e9764 in php_session_start () at
/usr/src/web/php/php4_3/ext/session/session.c:1036
#6 0x404eb41b in zif_session_start (ht=0, return_value=0x8246ff4,
this_ptr=0x0, return_value_used=0)
at /usr/src/web/php/php4_3/ext/session/session.c:1475


------------------------------------------------------------------------

[2003-08-29 04:35:26] cristea at pntcd dot ro

Description:
------------
Apache will crash session.serialize_handler is set to wddx and when a
$_SESSION var have the same name as a $_POST (or $_GET) var.

Try this code:
File w1.php
-----------
<?php
ini_set('session.serialize_handler', 'wddx');
session_start();
$_SESSION['a'] = 'test';
echo <<< EOS
<form action="w2.php" method="post">
<input type="text" name="a" value="">
<input type="submit">
</form>
EOS;
?>

File w2.php
-----------
<?php
ini_set('session.serialize_handler', 'wddx');
session_start();
print_r($_SESSION);
echo "<hr>";
print_r($_POST);
?>



------------------------------------------------------------------------


--
Edit this bug report at [url]http://bugs.php.net/?id=25307&edit=1[/url]