Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:68368 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 56001 invoked from network); 5 Aug 2013 00:16:02 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Aug 2013 00:16:02 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.83 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 108.166.43.83 smtp83.ord1c.emailsrvr.com Linux 2.6 Received: from [108.166.43.83] ([108.166.43.83:34812] helo=smtp83.ord1c.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 36/F7-06453-FBEEEF15 for ; Sun, 04 Aug 2013 20:15:59 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp3.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 3438C50127; Sun, 4 Aug 2013 20:15:56 -0400 (EDT) X-Virus-Scanned: OK Received: by smtp3.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id C02BD50120; Sun, 4 Aug 2013 20:15:55 -0400 (EDT) Message-ID: <51FEEEAF.1070705@sugarcrm.com> Date: Sun, 04 Aug 2013 17:15:43 -0700 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: Yasuo Ohgaki CC: PHP Internals References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Session Id Collisions From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > Sorry for the long delay, I've sent pull requests > > https://github.com/php/php-src/pull/368 > https://github.com/php/php-src/pull/367 > https://github.com/php/php-src/pull/366 I'm looking at the pulls, and I see these issues: 1. session_id is still banned in strict mode. Can we not ban it? I think it detracts significantly from usefulness of the patch, as it would break a lot of legit code that takes session IDs not from cookies but from other sources and thus have to use session_id. 2. I got segfault when running it on test session_set_save_handler_class_005. Here's the backtrace: 0x003a4c6d in ps_files_path_create (buf=0xbfffdae4 "", buflen=1024, data=0x0, key=0x286f95c "ba3c966548c65fb9dd0ad4d30972f2fa") at /Users/smalyshev/php-5.5/ext/session/mod_files.c:76 76 if (key_len <= data->dirdepth || (gdb) bt #0 0x003a4c6d in ps_files_path_create (buf=0xbfffdae4 "", buflen=1024, data=0x0, key=0x286f95c "ba3c966548c65fb9dd0ad4d30972f2fa") at /Users/smalyshev/php-5.5/ext/session/mod_files.c:76 #1 0x003a47f9 in ps_files_key_exists (data=0x0, key=0x286f95c "ba3c966548c65fb9dd0ad4d30972f2fa") at /Users/smalyshev/php-5.5/ext/session/mod_files.c:230 #2 0x003a46c8 in ps_create_sid_files (mod_data=0xc9ae94, newlen=0x0) at /Users/smalyshev/php-5.5/ext/session/mod_files.c:468 #3 0x003960ef in zim_SessionHandler_create_sid (ht=0, return_value=0x286f880, return_value_ptr=0xbfffe228, this_ptr=0x2868260, return_value_used=1) at /Users/smalyshev/php-5.5/ext/session/mod_user_class.c:155 Looks like module data is not initialized properly (which is the point of the test) but the checks on ps_create_sid_files do not check it. 3. Also got some other test failures: session_save_path_variation5 session_set_save_handler_class_012 session_set_save_handler_class_016 Didn't look into those yet. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227