Bug 156380

I found a major bug in php4 versions available in Gentoo (not tested yet with PHP5), difficult to explain as it is really weird so test and check the following code:

8<--------------------------------------------------------------
<?php
// Major bug in php session handling (?)
// Tracked down by Laurent MONIN (gentoo@norz.org)
// 25 novembre 2006
//
// Tested using Gentoo PHP with apache2
// PHP Version 4.4.4-pl8-gentoo
// PHP Version 4.4.4-pl6-gentoo
// PHP Version 4.3.11-pl5-gentoo
// 
// Load and reload this page in any browser 

session_start();

if (!isset($_SESSION['count'])) {
	$_SESSION['count'] = 0;
} else {
	$_SESSION['count']++;
}

echo '<pre>';
print_r($_SESSION);
print 'session_id: '.session_id();
echo '</pre>';

// Expected behavior is a counter incrementation,
// so it should display
// Array
// (
//    [count] => 15
// )
//
// With the following line, behavior is correct
// session file contains eg. 'count|i:5;'
//
//echo '<img alt="uncomment me for normal behavior">';

//With the following line, behavior is incorrect
//  session file contains eg. 'count|i:11;a|i:6;'
// it displays
// Array
// (
//    [count] => 15
//    [a] => 6
// )
// 2 is added to [count] instead of 1 !!
// and [a] is coming from nowhere and incremented instead of [count]
//
echo '<img src="uncomment me for buggy behavior">';

// even worse:
// call page with ?test=%3Cimg+src%3D%22%22%3E
// and uncomment the following line:
// echo $_GET['test'];

?>
8<-------------------------------------------------------------


Note that i made no report yet to php developpers as it may be a gentoo only bug, and because afaik they do not support php4 anymore, so feel free to do so, or mail me so i will do.

I fear that this bug may have some security implications due to its nature (have a look at the $_GET['test'] part).