Merge branch 'PHP-8.0' into PHP-8.1

Girgias · Girgias · commit 72cb47338e5a · 2022-09-27T15:54:37.000+01:00
* PHP-8.0: Fix GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
diff --git a/NEWS b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
 - Opcache:
   . Added indirect call reduction for jit on x86 architectures. (wxue1)
 
+- Session:
+  . Fixed bug GH-9583 (session_create_id() fails with user defined save handler
+    that doesn't have a validateId() method). (Girgias)
+
 29 Sep 2022, PHP 8.1.11
 
 - Core:
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -1082,8 +1082,9 @@ PHPAPI int php_session_register_module(const ps_module *ptr) /* {{{ */
 /* }}} */
 
 /* Dummy PS module function */
+/* We consider any ID valid, so we return FAILURE to indicate that a session doesn't exist */
 PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {
-	return SUCCESS;
+	return FAILURE;
 }
 
 /* Dummy PS module function */
diff --git a/ext/session/tests/gh9583.phpt b/ext/session/tests/gh9583.phpt
@@ -0,0 +1,45 @@
+--TEST--
+GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+class SessionHandlerTester implements \SessionHandlerInterface
+{
+
+    public function close(): bool { return true; }
+
+    public function destroy($id): bool { return true; }
+
+    public function gc($max_lifetime): int|false { return 1; }
+
+    public function open($path, $name): bool { return true; }
+
+    public function read($id): string { return ''; }
+
+    public function write($id, $data): bool { return true; }
+
+    //public function create_sid() { return uniqid(); }
+
+    //public function validateId($key) { return true; }
+}
+
+$obj = new SessionHandlerTester();
+ini_set('session.use_strict_mode','1');
+session_set_save_handler($obj);
+session_start();
+
+echo "\nvalidateId() ".(method_exists($obj,'validateId')?('returns '.($obj->validateId(1)?'true':'false')):'is commented out');
+echo "\n";
+$sessionId = session_create_id();
+echo "\nSession ID:".$sessionId;
+echo "\n";
+
+?>
+--EXPECTF--
+validateId() is commented out
+
+Session ID:%s

Original file line number	Diff line number	Diff line change
`@@ -1082,8 +1082,9 @@ PHPAPI int php_session_register_module(const ps_module ptr) / {{{ */`
`1082`	`1082`	`/* }}} */`
`1083`	`1083`
`1084`	`1084`	`/* Dummy PS module function */`
	`1085`	`+/* We consider any ID valid, so we return FAILURE to indicate that a session doesn't exist */`
`1085`	`1086`	`PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {`
`1086`		`- return SUCCESS;`
	`1087`	`+ return FAILURE;`
`1087`	`1088`	`}`
`1088`	`1089`
`1089`	`1090`	`/* Dummy PS module function */`