Newsgroups: php.internals
Date: Thu, 26 Nov 2009 17:21:54 +0000
From: arraypad@googlemail.com (Arpad Ray)
To: Antony Dovgal
Cc: Stanislav Malyshev, internals@lists.php.net
Subject: Re: [PHP-DEV] [PATCH] default session serialization
In-Reply-To: <4B0E8F7E.8060708@daylessday.org>
References: <4B0DCF21.7070201@zend.com> <4B0E8F7E.8060708@daylessday.org>

On Thu, Nov 26, 2009 at 2:23 PM, Antony Dovgal wrote:

> On 26.11.2009 03:43, Stanislav Malyshev wrote:
> > I think it makes sense. One note: your code allows numeric session keys,
> > previously not allowed. Not sure if it's important.
>
> This might be important for 32bit<->64bit interaction using serialized
> data.

Although the patch allows numeric keys to be encoded, they're silently dropped in decoding. Previously they were silently dropped during encoding. I prefer this way since it saves the overhead of filtering the array first.

If there's an inherent danger in unserializing between 32/64bit int array keys, this risk is already present in the form of nested arrays (not to say it's an unimportant consideration). My testing with out of range values on 32bit and 64bit saw nothing unusual, although it revealed a misplaced zval_add_ref which the attached updated patch fixes.

Incidentally, is there any need (in HEAD) to check EG(symbol_table) in the decode function, now that register_globals, session_register et al are gone?

Regards,

Arpad

[Attachment: php6-session-encode-01.patch (text/x-diff)]
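
Added example, not part of the original message or of the attached patch: a Python model of the decode behaviour discussed in the thread, assuming the session payload is a single serialize()d array. It drops top-level integer keys and reports integer keys at any depth that do not fit a signed 32-bit int; `decode_session`, `_parse` and `SAMPLE` are names and data constructed for illustration.

```python
# Model of the decode step (assumption: payload is one PHP serialize()d array).
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def _parse(data, pos, wide, path):
    """Parse one serialized value at data[pos:]; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:7;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        conv = {b"i": int, b"b": lambda r: r == "1", b"d": float}[tag]
        return conv(raw), end + 1
    if tag == b"s":                                  # s:<bytes>:"...";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        return data[start:start + length].decode(), start + length + 2
    if tag == b"a":                                  # a:<count>:{k;v...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos, wide, path)
            if isinstance(key, int) and not INT32_MIN <= key <= INT32_MAX:
                wide.append(path + (key,))           # not representable in 32 bits
            value, pos = _parse(data, pos, wide, path + (key,))
            result[key] = value
        return result, pos + 1                       # skip }
    raise ValueError(f"unsupported tag at offset {pos}")

def decode_session(data: bytes):
    """Return (kept, dropped_top_level_int_keys, out_of_int32_key_paths)."""
    wide = []
    value, end = _parse(data, 0, wide, ())
    if not isinstance(value, dict) or end != len(data):
        raise ValueError("session payload is not a single serialized array")
    kept = {k: v for k, v in value.items() if isinstance(k, str)}
    dropped = [k for k in value if not isinstance(k, str)]
    return kept, dropped, wide

# Constructed sample: one numeric top-level key, one nested key beyond int32.
SAMPLE = (b'a:3:{s:4:"user";s:5:"alice";i:7;s:3:"tmp";'
          b's:4:"cart";a:2:{i:1;s:1:"a";i:4294967296;s:1:"b";}}')

if __name__ == "__main__":
    print(decode_session(SAMPLE))
```

The top-level filter removes key 7, but the nested key 4294967296 passes through untouched, which is the nested-array case raised in the message.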