Bug 156380 - Major corruption of _SESSION variables in php4 session handling, when printing <img src=""> in document
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
Reported: 2006-11-27 00:24 UTC by Laurent MONIN
Modified: 2007-01-06 17:15 UTC (History)
Runtime testing required: ---


Attachments
Php code that triggers the submitted bug. (test.php,1.20 KB, application/octet-stream)
2006-11-27 00:25 UTC, Laurent MONIN
Details

Description Laurent MONIN 2006-11-27 00:24:25 UTC
I found a major bug in the PHP4 versions available in Gentoo (not tested yet with PHP5). It is difficult to explain as it is really weird, so test and check the following code:

8<--------------------------------------------------------------
<?php
// Major bug in php session handling (?)
// Tracked down by Laurent MONIN (gentoo@norz.org)
// 25 November 2006
//
// Tested using Gentoo PHP with apache2
// PHP Version 4.4.4-pl8-gentoo
// PHP Version 4.4.4-pl6-gentoo
// PHP Version 4.3.11-pl5-gentoo
// 
// Load and reload this page in any browser 

session_start();

if (!isset($_SESSION['count'])) {
	$_SESSION['count'] = 0;
} else {
	$_SESSION['count']++;
}

echo '<pre>';
print_r($_SESSION);
print 'session_id: '.session_id();
echo '</pre>';

// Expected behavior is a counter incrementation,
// so it should display
// Array
// (
//    [count] => 15
// )
//
// With the following line, behavior is correct
// session file contains eg. 'count|i:5;'
//
//echo '<img alt="uncomment me for normal behavior">';

//With the following line, behavior is incorrect
//  session file contains eg. 'count|i:11;a|i:6;'
// it displays
// Array
// (
//    [count] => 15
//    [a] => 6
// )
// 2 is added to [count] instead of 1 !!
// and [a] is coming from nowhere and incremented instead of [count]
//
echo '<img src="uncomment me for buggy behavior">';

// even worse:
// call page with ?test=%3Cimg+src%3D%22%22%3E
// and uncomment the following line:
// echo $_GET['test'];

?>
8<-------------------------------------------------------------


Note that I have made no report yet to the PHP developers, as it may be a Gentoo-only bug and because AFAIK they do not support PHP4 anymore, so feel free to do so, or mail me and I will do it.

I fear that this bug may have some security implications due to its nature (have a look at the $_GET['test'] part).
Comment 1 Laurent MONIN 2006-11-27 00:25:46 UTC
Created attachment 102826 [details]
Php code that triggers the submitted bug.
Comment 2 Laurent MONIN 2006-11-27 01:09:51 UTC
Same buggy behavior with PHP Version 5.1.6-pl6-gentoo
Comment 3 Laurent MONIN 2006-11-27 06:05:14 UTC
Hmmm, my investigation finally leads me to an apache2 mod_rewrite + php issue, so stay tuned...
Comment 4 Laurent MONIN 2006-11-27 06:48:52 UTC
This is not a bug in PHP nor in Apache but in a group of rewrite conditions, redirecting missing image URLs to a page that has session handling...

Sorry for the inconvenience, but that's a happy end after all ;)
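The rewrite rules behind this are not shown in the bug, so the following is an added diagnostic example (not the reporter's script or configuration) for the situation described in Comment 4: it wraps the counter from the test page so that each hit is logged together with the REDIRECT_* variables Apache sets when a request was internally redirected, which is how a missing-image request rewritten onto this page shows up. It assumes the rewrite rules live in a per-directory .htaccess (so an internal redirect happens) and that the log path is writable by the web server.

```php
<?php
// Added diagnostic example; not the reporter's code from the bug report.
// Every request reaching this script is appended to a log line that
// records the original URL when Apache rewrote or ErrorDocument-redirected
// the request here (per-directory mod_rewrite context assumed).
// Assumption: HIT_LOG is writable by the web server user.

define('HIT_LOG', '/tmp/session_hits.log');

// Read one $_SERVER entry, or '-' when Apache did not set it.
function server_value(array $server, $key)
{
    return isset($server[$key]) ? $server[$key] : '-';
}

// Collect how this request reached the script.
function request_trail(array $server)
{
    return array(
        'time'            => date('c'),
        'method'          => server_value($server, 'REQUEST_METHOD'),
        'uri'             => server_value($server, 'REQUEST_URI'),
        'referer'         => server_value($server, 'HTTP_REFERER'),
        // Set only when Apache performed an internal redirect/rewrite.
        'redirect_url'    => server_value($server, 'REDIRECT_URL'),
        'redirect_status' => server_value($server, 'REDIRECT_STATUS'),
    );
}

// True when the browser originally asked for some other URL (e.g. a
// missing image) and a rewrite rule or ErrorDocument delivered it here.
function was_rewritten(array $trail)
{
    return $trail['redirect_url'] !== '-';
}

$trail = request_trail($_SERVER);
file_put_contents(HIT_LOG, json_encode($trail) . "\n", FILE_APPEND | LOCK_EX);

session_start();
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} elseif (!was_rewritten($trail)) {
    // Only a request that genuinely asked for this page counts as a view;
    // a rewritten image fetch is logged above but leaves the counter alone.
    $_SESSION['count']++;
}

header('Content-Type: text/plain');
print_r($_SESSION);
echo 'rewritten: ', was_rewritten($trail) ? 'yes' : 'no', "\n";
```

With the reporter's `<img src="...">` line in place and the catch-all rewrite active, one page load produces two log entries, the second carrying a redirect_url for the image path; with the rewrite fixed, only one entry per load appears.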