ext/session: Fix GH-18634 (#18653)

Show warning when saving session if a pipe character is used in one of the $_SESSION keys

Fixes #18634

Author: mintopia

UPGRADING

@@ -101,6 +101,10 @@ PHP 8.5 UPGRADE NOTES
   . A ValueError is now thrown when trying to set a cursor name that is too
     long on a PDOStatement resulting from the Firebird driver.
 
+- Session:
+  . Attempting to write session data where $_SESSION has a key containing
+    the pipe character will now emit a warning instead of silently failing.
+
 - SimpleXML:
   . Passing an XPath expression that returns something other than a node set
     to SimpleXMLElement::xpath() will now emit a warning and return false,

ext/session/session.c

@@ -1059,6 +1059,7 @@ PS_SERIALIZER_ENCODE_FUNC(php)
 			PHP_VAR_SERIALIZE_DESTROY(var_hash);
 			smart_str_free(&buf);
 			fail = true;
+			php_error_docref(NULL, E_WARNING, "Failed to write session data. Data contains invalid key \"%s\"", ZSTR_VAL(key));
 			break;
 		}
 		smart_str_appendc(&buf, PS_DELIMITER);

ext/session/tests/gh18634.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-18634 (Using pipe character in session variable key causes session data to be removed)
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+session_start();
+$_SESSION['foo|bar'] = 'value';
+?>
+--EXPECT--
+Warning: PHP Request Shutdown: Failed to write session data. Data contains invalid key "foo|bar" in Unknown on line 0

ext/session/tests/gh18634_2.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-18634 (Using pipe character in session variable key causes session data to be removed - explicit session write)
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+session_start();
+$_SESSION['foo|bar'] = 'value';
+session_write_close()
+?>
+--EXPECTF--
+Warning: session_write_close(): Failed to write session data. Data contains invalid key "foo|bar" in %s on line %d