2 files changed, 64 insertions, 10 deletions
diff --git a/session.c b/session.c
index a3261c9..827c6b7 100644
--- a/session.c
+++ b/session.c
@@ -487,7 +487,6 @@ static php_ps_globals_43_44 *session_globals = NULL;
 #define SESSION_G(v) (session_globals->v)
 #endif
-static ps_module *ps_mod_user = NULL;
 ps_serializer *(*suhosin_find_ps_serializer)(char *name TSRMLS_DC) = NULL;
@@ -1018,14 +1017,14 @@ static void suhosin_hook_session_module(TSRMLS_D)
 static PHP_INI_MH(suhosin_OnUpdateSaveHandler)
 {
    int r;
-    char *tmp;
-    if ((ps_mod_user) && (SUHOSIN_G(s_original_mod) == ps_mod_user) && (strcmp(new_value, "user") == 0)) {
+    if (stage == PHP_INI_STAGE_RUNTIME && SESSION_G(session_status) == php_session_none && SUHOSIN_G(s_original_mod)
+        && strcmp(new_value, "user") == 0 && strcmp(((ps_module*)SUHOSIN_G(s_original_mod))->s_name, "user") == 0) {
        return SUCCESS;
    }
    SESSION_G(mod) = SUHOSIN_G(s_original_mod);
-    
    r = old_OnUpdateSaveHandler(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
    
    suhosin_hook_session_module(TSRMLS_C);
@@ -1095,12 +1094,6 @@ void suhosin_hook_session(TSRMLS_D)
    }
 #endif
 #endif
-    if (ps_mod_user == NULL) {
-        ps_mod_user = DL_FETCH_SYMBOL(module->handle, "ps_mod_user");
-        if (ps_mod_user == NULL) {
-            ps_mod_user = DL_FETCH_SYMBOL(module->handle, "_ps_mod_user");
-        }
-    }
    
    if (old_OnUpdateSaveHandler != NULL) {
        return;
diff --git a/tests/session/session_recursive_crash2.phpt b/tests/session/session_recursive_crash2.phpt
new file mode 100644
index 0000000..e99d924
--- /dev/null
+++ b/tests/session/session_recursive_crash2.phpt
@@ -0,0 +1,61 @@
+--TEST--
+session user handler recursive crash - issue #60
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=On
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+$foo = "";
+class MySessionHandlerA implements SessionHandlerInterface
+{
+        public function close() {}
+        public function destroy($session_id) {}
+        public function gc($maxlifetime) {}
+        public function open($save_path, $name) { global $foo; $foo .= "A\n"; }
+        public function read($session_id ) {}
+        public function write($session_id, $session_data) {}
+}
+session_set_save_handler(new MySessionHandlerA(), true);
+session_start();
+session_destroy();
+//
+class MySessionHandlerB extends MySessionHandlerA
+{
+        public function open($save_path, $name) { global $foo; $foo .= "B\n"; }
+}
+session_set_save_handler(new MySessionHandlerB(), true);
+session_start();
+session_destroy();
+//
+class MySessionHandlerC extends MySessionHandlerA
+{
+        public function open($save_path, $name) { global $foo; $foo .= "C\n"; }
+}
+session_set_save_handler(new MySessionHandlerC(), true);
+session_start();
+session_destroy();
+echo $foo;
+--EXPECTF--
+A
+B
+C

diff --git a/session.c b/session.c index a3261c9..827c6b7 100644 --- a/session.c +++ b/session.c
@@ -487,7 +487,6 @@ static php_ps_globals_43_44 *session_globals = NULL;
487	#define SESSION_G(v) (session_globals->v)	487	#define SESSION_G(v) (session_globals->v)
488	#endif	488	#endif
489		489
490	static ps_module *ps_mod_user = NULL;
491		490
492	ps_serializer (suhosin_find_ps_serializer)(char *name TSRMLS_DC) = NULL;	491	ps_serializer (suhosin_find_ps_serializer)(char *name TSRMLS_DC) = NULL;
493		492
@@ -1018,14 +1017,14 @@ static void suhosin_hook_session_module(TSRMLS_D)
1018	static PHP_INI_MH(suhosin_OnUpdateSaveHandler)	1017	static PHP_INI_MH(suhosin_OnUpdateSaveHandler)
1019	{	1018	{
1020	int r;	1019	int r;
1021	char *tmp;
1022		1020
1023	if ((ps_mod_user) && (SUHOSIN_G(s_original_mod) == ps_mod_user) && (strcmp(new_value, "user") == 0)) {	1021	if (stage == PHP_INI_STAGE_RUNTIME && SESSION_G(session_status) == php_session_none && SUHOSIN_G(s_original_mod)
		1022	&& strcmp(new_value, "user") == 0 && strcmp(((ps_module*)SUHOSIN_G(s_original_mod))->s_name, "user") == 0) {
1024	return SUCCESS;	1023	return SUCCESS;
1025	}	1024	}
1026		1025
1027	SESSION_G(mod) = SUHOSIN_G(s_original_mod);	1026	SESSION_G(mod) = SUHOSIN_G(s_original_mod);
1028		1027
1029	r = old_OnUpdateSaveHandler(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);	1028	r = old_OnUpdateSaveHandler(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
1030		1029
1031	suhosin_hook_session_module(TSRMLS_C);	1030	suhosin_hook_session_module(TSRMLS_C);
@@ -1095,12 +1094,6 @@ void suhosin_hook_session(TSRMLS_D)
1095	}	1094	}
1096	#endif	1095	#endif
1097	#endif	1096	#endif
1098	if (ps_mod_user == NULL) {
1099	ps_mod_user = DL_FETCH_SYMBOL(module->handle, "ps_mod_user");
1100	if (ps_mod_user == NULL) {
1101	ps_mod_user = DL_FETCH_SYMBOL(module->handle, "_ps_mod_user");
1102	}
1103	}
1104		1097
1105	if (old_OnUpdateSaveHandler != NULL) {	1098	if (old_OnUpdateSaveHandler != NULL) {
1106	return;	1099	return;


diff --git a/tests/session/session_recursive_crash2.phpt b/tests/session/session_recursive_crash2.phpt new file mode 100644 index 0000000..e99d924 --- /dev/null +++ b/tests/session/session_recursive_crash2.phpt
@@ -0,0 +1,61 @@
		1	--TEST--
		2	session user handler recursive crash - issue #60
		3	--SKIPIF--
		4	<?php include "../skipifcli.inc"; ?>
		5	--ENV--
		6	return <<<END
		7	HTTP_USER_AGENT=test
		8	END;
		9	--INI--
		10	suhosin.session.encrypt=On
		11	suhosin.session.cryptkey=D3F4UL7
		12	suhosin.session.cryptua=On
		13	suhosin.session.cryptdocroot=Off
		14	suhosin.session.cryptraddr=0
		15	suhosin.session.checkraddr=0
		16	--FILE--
		17	<?php
		18	$foo = "";
		19
		20	class MySessionHandlerA implements SessionHandlerInterface
		21	{
		22	public function close() {}
		23	public function destroy($session_id) {}
		24	public function gc($maxlifetime) {}
		25	public function open($save_path, $name) { global $foo; $foo .= "A\n"; }
		26	public function read($session_id ) {}
		27	public function write($session_id, $session_data) {}
		28	}
		29
		30	session_set_save_handler(new MySessionHandlerA(), true);
		31	session_start();
		32	session_destroy();
		33
		34	//
		35
		36	class MySessionHandlerB extends MySessionHandlerA
		37	{
		38	public function open($save_path, $name) { global $foo; $foo .= "B\n"; }
		39	}
		40
		41	session_set_save_handler(new MySessionHandlerB(), true);
		42	session_start();
		43	session_destroy();
		44
		45	//
		46
		47	class MySessionHandlerC extends MySessionHandlerA
		48	{
		49	public function open($save_path, $name) { global $foo; $foo .= "C\n"; }
		50	}
		51
		52	session_set_save_handler(new MySessionHandlerC(), true);
		53	session_start();
		54	session_destroy();
		55
		56
		57	echo $foo;
		58	--EXPECTF--
		59	A
		60	B
		61	C