Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Zend/zend_alloc.c
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ typedef zend_mm_bitset zend_mm_page_map[ZEND_MM_PAGE_MAP_LEN]; /* 64B */
#define ZEND_MM_SRUN_BIN_NUM_MASK 0x0000001f
#define ZEND_MM_SRUN_BIN_NUM_OFFSET 0

#define ZEND_MM_SRUN_FREE_COUNTER_MASK 0x01ff0000
#define ZEND_MM_SRUN_FREE_COUNTER_MASK 0x03ff0000
#define ZEND_MM_SRUN_FREE_COUNTER_OFFSET 16

#define ZEND_MM_NRUN_OFFSET_MASK 0x01ff0000
Expand Down
18 changes: 14 additions & 4 deletions ext/session/session.c
Original file line number Diff line number Diff line change
Expand Up @@ -647,12 +647,15 @@ static PHP_INI_MH(OnUpdateSaveDir)
SESSION_CHECK_ACTIVE_STATE;
SESSION_CHECK_OUTPUT_STATE;

/* Only do the open_basedir check at runtime */
if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
if (zend_str_has_nul_byte(new_value)) {
return FAILURE;
if (zend_str_has_nul_byte(new_value)) {
if (stage != ZEND_INI_STAGE_DEACTIVATE) {
php_error_docref(NULL, E_WARNING, "\"%s\" must not contain null bytes", ZSTR_VAL(entry->name));
}
return FAILURE;
}

/* Only do the open_basedir check at runtime */
if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
/* we do not use zend_memrchr() since path can contain ; itself */
const char *p = strchr(ZSTR_VAL(new_value), ';');
if (p) {
Expand Down Expand Up @@ -919,6 +922,13 @@ static PHP_INI_MH(OnUpdateRefererCheck)
SESSION_CHECK_ACTIVE_STATE;
SESSION_CHECK_OUTPUT_STATE;

if (zend_str_has_nul_byte(new_value)) {
if (stage != ZEND_INI_STAGE_DEACTIVATE) {
php_error_docref(NULL, E_WARNING, "\"%s\" must not contain null bytes", ZSTR_VAL(entry->name));
}
return FAILURE;
}

if (ZSTR_LEN(new_value) != 0) {
php_error_docref("session.configuration", E_DEPRECATED, "Usage of session.referer_check INI setting is deprecated");
}
Expand Down
24 changes: 24 additions & 0 deletions ext/session/tests/session_save_path_referer_check_null_byte.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
--TEST--
session.save_path and session.referer_check must not contain null bytes
--EXTENSIONS--
session
--SKIPIF--
<?php include('skipif.inc'); ?>
--FILE--
<?php

ob_start();

var_dump(ini_set('session.save_path', "/tmp\0evil"));
var_dump(ini_set('session.referer_check', "example.com\0evil"));

ob_end_flush();
echo "Done";
?>
--EXPECTF--
Warning: ini_set(): "session.save_path" must not contain null bytes in %s on line %d
bool(false)

Warning: ini_set(): "session.referer_check" must not contain null bytes in %s on line %d
bool(false)
Done