Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 14 Jan 2016 19:58:32 +0900
To: Julien Pauli
Cc: Stanislav Malyshev, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Fixing bug #68063

Hi Julien,

On Thu, Jan 14, 2016 at 7:21 PM, Julien Pauli wrote:
> On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev
> wrote:
>> Hi!
>>
>>> I've disallowed empty session ID, but it wasn't an
>>> appropriate fix.
>>>
>>> https://bugs.php.net/bug.php?id=68063
>>
>> Could you explain a bit more about the part where there are empty IDs
>> generated? You say it "is browser's cookie handling" - could you explain
>> more about it?
>>
>>> I made an appropriate patch for this issue. It should be
>>> applied from PHP 5.5 to master. I attached the patch to
>>> the bug report. Could you apply it from PHP 5.5? Or
>>> shall I commit it from 5.6? then cherry pick?
>>
>> Is that a security issue? If so, please explain how. If not, it should
>> be 5.6+.
>
> IMO, this is not security related.

Strictly speaking, it's not. IMO.
However, my previous fix (Raise warning and return false) was
the wrong fix. Therefore, I would like to correct (Provide new session ID
and continue) it in 5.5 also.

Does this make sense?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net