Skip to content

ext/session: reject non-numeric session.upload_progress.freq#22579

Open
jorgsowa wants to merge 3 commits into
php:masterfrom
jorgsowa:fix/session-upload-progress-freq-parsing
Open

ext/session: reject non-numeric session.upload_progress.freq#22579
jorgsowa wants to merge 3 commits into
php:masterfrom
jorgsowa:fix/session-upload-progress-freq-parsing

Conversation

@jorgsowa

@jorgsowa jorgsowa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

OnUpdateRfc1867Freq silently truncates trailing characters (e.g. "5 apples" becomes 5), the same parsing bug recently fixed for session.cookie_lifetime. Switch to is_numeric_string_ex() to validate the numeric portion strictly, still allowing the optional trailing "%" for percentage mode.

Input Old binary output New binary output
5 "5" "5"
5% "5%" "5%"
5% " 5%" (raw, kept spaces) "5%" (normalized)
5% "5% " (raw) "5%" (normalized)
5 % "5 %" accepted silently Rejected, warning shown
5 apples "5 apples" accepted silently Rejected, warning shown
5 apples% "5 apples%" accepted silently Rejected, warning shown
" " accepted silently Rejected, warning shown
200% Rejected (same warning) Rejected (same warning)
-1 Rejected (same warning) Rejected (same warning)

Comment thread ext/session/session.c
int new_freq = ZEND_ATOL(ZSTR_VAL(new_value));
const char *str = ZSTR_VAL(new_value);
size_t len = ZSTR_LEN(new_value);
bool is_percentage = len > 0 && str[len - 1] == '%';

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens with trailing spaces? Not sure how our INI parser deals with those.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's good input. Is there any ini helper for such values? I added a comparison table to the PR description and test cases to the branch for my suggested solution for trailing whitespaces.

jorgsowa added 3 commits July 4, 2026 21:38
OnUpdateRfc1867Freq used ZEND_ATOL(), which silently truncates
trailing garbage (e.g. "5 apples" becomes 5), the same parsing bug
recently fixed for session.cookie_lifetime. Switch to
is_numeric_string_ex() to validate the numeric portion strictly,
still allowing the optional trailing "%" for percentage mode.
Covers the "%"-suffixed form of session.upload_progress.freq, alongside
the plain-integer case added in rfc1867_invalid_settings_3.phpt.
….freq

Whitespace surrounding the whole value (leading, or trailing after an
optional "%") is tolerated, but whitespace between the number and the
"%" suffix (e.g. "5 %") is rejected rather than silently accepted.
The stored ini value is also normalized to a whitespace-free canonical
form so ini_get() no longer echoes back stray whitespace.
@jorgsowa jorgsowa force-pushed the fix/session-upload-progress-freq-parsing branch from 3e7229e to 3f78a89 Compare July 4, 2026 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants