Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90928 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 92014 invoked from network); 26 Jan 2016 07:02:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Jan 2016 07:02:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.180 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.160.180 mail-yk0-f180.google.com Received: from [209.85.160.180] ([209.85.160.180:34331] helo=mail-yk0-f180.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C0/41-10534-E0A17A65 for ; Tue, 26 Jan 2016 02:02:38 -0500 Received: by mail-yk0-f180.google.com with SMTP id a85so189638009ykb.1 for ; Mon, 25 Jan 2016 23:02:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=FHEgT7T6zlkpAyaTFFSo4pfNHs1XXHHkTBNyStp3WBA=; b=QKM1oAp5SYeO/fV2BbBSi1PL59qIdT4cjq1XXyS0xIkIl7m1f2FfD+aWZUtzEIxWM2 A863d1+3O2ww6Vzq0w8wEgJLRp1WlI+uEVDyHZWRCAspGcxnEwwvADSsKzTzi9Awy+zJ dAZOCPJfPzeUJc2wzyoBjcpx1IyQbKn49XSO3sjaj4ZiL4ESIppdD9EyaFjargQqU+qG szCwwuuWTCKcf+Oc5SJ+IzCjxEiQLQCu8gJRlX4E8r4knRkMI0ezHXJwX1RBJA9/g73L cyGmNmpBW9TG3M0dehtHlzq/QntzbfcgX6P2/ORgdZxuC+pQHNIqs8S+WiZ6EVsEhO+Y oGIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-type; bh=FHEgT7T6zlkpAyaTFFSo4pfNHs1XXHHkTBNyStp3WBA=; b=PmXNe0ZVSqN5Hdpffykzn/FmwhO/iZ+QAHQ4jdC3zhbCxG/xIsmjX9biKfTTsStH/b fye+v04xCpPwcqLvWFr9KL3jps5j5Yq5mTo/Y5P+7LJwTZTkEnQw95WaYYSXa9CZLRrh sNwOi3paOBslsMonazbzA1uItc8rSSbSVZczlgvnM/FmBqgXbMSF6lLIqd1yYJ+rsjjU k7X8dXpNXFzLx0KkcOZIqDI01iPbswzN8mVUHuh+krtyV8KIpAjZTOhMaOpi22C4bCeo xZhMiMPu5JN4IB0NqWyhwVOHsgKkvEMAz2V2lgJyzGNLrFBoTqIpfyIlT4z1Yq7sY9qL /O0Q== X-Gm-Message-State: AG10YOS2GnKJ9Wq4KsefsjLQgbARv0LY6DSCUEz8f5CGb8S4M+iOPKEqqVCy6zzb655g3QCF2yBHKajCw/eOgA== X-Received: by 10.37.28.69 with SMTP id c66mr11239346ybc.159.1453791755359; Mon, 25 Jan 2016 23:02:35 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.129.88.139 with HTTP; Mon, 25 Jan 2016 23:01:55 -0800 (PST) In-Reply-To: References: Date: Tue, 26 Jan 2016 16:01:55 +0900 X-Google-Sender-Auth: yMyc9eWn-y1MgvBRrpe40X6mxos Message-ID: To: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [RFC Discussion] Precise Session Management From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi all, On Tue, Jan 26, 2016 at 11:22 AM, Yasuo Ohgaki wrote: > On Fri, Jan 22, 2016 at 10:32 AM, Yasuo Ohgaki wrote: >> On Fri, Jan 22, 2016 at 10:19 AM, Yasuo Ohgaki wrote: >>> >>> https://github.com/php/php-src/pull/1734 >>> >>> Few things are missing still, but it's good enough to review basic features. >> >> Please note that if you execute run-tests.php with this patch, >> it causes failures on other branches/versions' session tests. >> >> To remove these test errors, you can do >> >> rm -f /tmp/sess_* >> rm -f /tmp/u_sess* >> >> This issue will be fixed by the time when patch is completed. > > Other than test dependency issue, all issues and proposals are > fixed/implemented. Test dependency will be fixed before merge. > > https://wiki.php.net/rfc/precise_session_management > https://github.com/php/php-src/pull/1734 > > Session will be more reliable and secure with this. > Please review and comment. If there is no issues, I'll start > vote shortly. I didn't pay attention that current session_id() allows any chars for session ID while session module and save handlers explicitly disallow characters for security reasons. e.g. Session module silently removes HTML special chars, files save handler does not allow PATH special chars. Current situation is not good at all. Since this RFC is about preciseness of session management, I would like to change session_id() validates against default allowed chars as follows. (As well as enabling already written session_create_id() function) This patch is against the PR. Currently, the use of "PHPAPI php_session_valid_chars()" is up to save handler, but it should be checked always by session module. Since the function only allows chars used by ID, I would like to add "_" a valid char. "_" should be very safe char. These changes for session ID would be the largest BC of this RFC. Any comments for this change? diff --git a/ext/session/session.c b/ext/session/session.c index 7b3203a..fdc6a91 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -566,7 +566,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */ /* Somewhat arbitrary length limit here, but should be way more than anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ - if (len == 0 || len > 128) { + if (len == 0 || len > PHP_SESSION_KEY_MAX_LEN) { ret = FAILURE; } @@ -2460,31 +2460,35 @@ static PHP_FUNCTION(session_save_path) Return the current session id. If newid is given, the session id is replaced with newid */ static PHP_FUNCTION(session_id) { - zend_string *name = NULL; + zend_string *id = NULL; int argc = ZEND_NUM_ARGS(); - if (zend_parse_parameters(argc, "|S", &name) == FAILURE) { + if (zend_parse_parameters(argc, "|S", &id) == FAILURE) { return; } if (PS(id)) { - /* keep compatibility for "\0" characters ??? - * see: ext/session/tests/session_id_error3.phpt */ - size_t len = strlen(ZSTR_VAL(PS(id))); - if (UNEXPECTED(len != ZSTR_LEN(PS(id)))) { - RETVAL_NEW_STR(zend_string_init(ZSTR_VAL(PS(id)), len, 0)); - } else { - RETVAL_STR_COPY(PS(id)); - } + RETVAL_STR_COPY(PS(id)); } else { RETVAL_EMPTY_STRING(); } - if (name) { + if (id) { if (PS(id)) { zend_string_release(PS(id)); } - PS(id) = zend_string_copy(name); + if (php_session_valid_key(ZSTR_VAL(id)) == FAILURE) { + zend_string *new_id; + /* Set random ID for security reason. */ + php_error_docref(NULL, E_WARNING, + "Session ID cannot exceed session max length %d " + "and/or contain special characters. Only aphanumeric, ',', '-' are allowed " + "Random session ID is set", + PHP_SESSION_KEY_MAX_LEN); + PS(id) = php_session_create_id(NULL); + } else { + PS(id) = zend_string_copy(id); + } } } /* }}} */ @@ -2519,7 +2523,6 @@ static PHP_FUNCTION(session_regenerate_id) /* {{{ proto void session_create_id([string prefix]) Generate new session ID. Intended for user save handlers. */ -#if 0 /* This is not used yet */ static PHP_FUNCTION(session_create_id) { @@ -2531,34 +2534,34 @@ static PHP_FUNCTION(session_create_id) } if (prefix && ZSTR_LEN(prefix)) { - if (php_session_valid_key(ZSTR_VAL(prefix)) == FAILURE) { - /* E_ERROR raised for security reason. */ - php_error_docref(NULL, E_WARNING, "Prefix cannot contain special characters. Only aphanumeric, ',', '-' are allowed"); - RETURN_FALSE; + if (php_session_valid_key(ZSTR_VAL(prefix)) == FAILURE + || ZSTR_LEN(prefix) > PHP_SESSION_KEY_MAX_LEN/2) { + /* Do not use prefix for security reason. */ + php_error_docref(NULL, E_WARNING, + "Prefix cannot exceed session max length %d " + "and/or contain special characters. Only aphanumeric, ',', '-' are allowed", + PHP_SESSION_KEY_MAX_LEN/2); } else { smart_str_append(&id, prefix); } } - if (PS(session_status) == php_session_active) { - new_id = PS(mod)->s_create_sid(&PS(mod_data)); - } else { - new_id = php_session_create_id(NULL); - } + /* Should call the default always to avoid problems with user handler */ + new_id = php_session_create_id(NULL); if (new_id) { smart_str_append(&id, new_id); zend_string_release(new_id); } else { smart_str_free(&id); - php_error_docref(NULL, E_WARNING, "Failed to create new ID"); + /* E_RECOVERBELE_ERROR raised for security reason. */ + php_error_docref(NULL, E_RECOVERABLE_ERROR, "Failed to create new ID"); RETURN_FALSE; } smart_str_0(&id); RETVAL_NEW_STR(id.s); smart_str_free(&id); } -#endif /* }}} */ /* {{{ proto string session_cache_limiter([string new_cache_limiter]) @@ -2901,6 +2904,10 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_session_id, 0, 0, 0) ZEND_ARG_INFO(0, id) ZEND_END_ARG_INFO() +ZEND_BEGIN_ARG_INFO_EX(arginfo_session_create_id, 0, 0, 0) + ZEND_ARG_INFO(0, prefix) +ZEND_END_ARG_INFO() + ZEND_BEGIN_ARG_INFO_EX(arginfo_session_regenerate_id, 0, 0, 0) ZEND_ARG_INFO(0, delete_old_session) ZEND_END_ARG_INFO() @@ -2989,6 +2996,7 @@ static const zend_function_entry session_functions[] = { PHP_FE(session_module_name, arginfo_session_module_name) PHP_FE(session_save_path, arginfo_session_save_path) PHP_FE(session_id, arginfo_session_id) + PHP_FE(session_create_id, arginfo_session_create_id) PHP_FE(session_regenerate_id, arginfo_session_regenerate_id) PHP_FE(session_decode, arginfo_session_decode) PHP_FE(session_encode, arginfo_session_void) -- Yasuo Ohgaki yohgaki@ohgaki.net