From 9be1238da0b3f87fe9781a2ca91202061b89c0a1 Mon Sep 17 00:00:00 2001 From: Stefan Esser Date: Mon, 9 Jun 2014 15:59:35 +0200 Subject: Fixed problem with SessionHandler() class and endless recursion --- php_suhosin.h | 1 + session.c | 11 +++++++++-- tests/session/session_recursive_crash.phpt | 25 +++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 tests/session/session_recursive_crash.phpt diff --git a/php_suhosin.h b/php_suhosin.h index 152fe43..3454f5d 100644 --- a/php_suhosin.h +++ b/php_suhosin.h @@ -192,6 +192,7 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin) /* session */ void *s_module; + void *s_original_mod; int (*old_s_read)(void **mod_data, const char *key, char **val, int *vallen TSRMLS_DC); int (*old_s_write)(void **mod_data, const char *key, const char *val, const int vallen TSRMLS_DC); int (*old_s_destroy)(void **mod_data, const char *key TSRMLS_DC); diff --git a/session.c b/session.c index f6cff15..306da60 100644 --- a/session.c +++ b/session.c @@ -986,16 +986,20 @@ static int suhosin_hook_s_destroy(void **mod_data, const char *key TSRMLS_DC) static void suhosin_hook_session_module(TSRMLS_D) { ps_module *old_mod = SESSION_G(mod), *mod; - + if (old_mod == NULL || SUHOSIN_G(s_module) == old_mod) { return; } + if (SUHOSIN_G(s_module) == NULL) { SUHOSIN_G(s_module) = mod = malloc(sizeof(ps_module)); if (mod == NULL) { return; } } + + SUHOSIN_G(s_original_mod) = old_mod; + mod = SUHOSIN_G(s_module); memcpy(mod, old_mod, sizeof(ps_module)); @@ -1012,11 +1016,14 @@ static void suhosin_hook_session_module(TSRMLS_D) static PHP_INI_MH(suhosin_OnUpdateSaveHandler) { int r; + char *tmp; + SESSION_G(mod) = SUHOSIN_G(s_original_mod); + r = old_OnUpdateSaveHandler(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC); suhosin_hook_session_module(TSRMLS_C); - + return r; } 
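Review bot: The new `SUHOSIN_G(s_original_mod) = old_mod;` in suhosin_hook_session_module has no comment stating what the saved pointer is for or why it is safe. The early return above it means old_mod is never Suhosin's own copy when this line runs, and that is what the INI handler relies on. A comment such as `/* the module we wrapped; suhosin_OnUpdateSaveHandler puts it back before calling the original INI handler */` would record this. The pointer comes from SESSION_G(mod) and is not allocated here, so the declaration in php_suhosin.h could also note that Suhosin does not own it. The function body continues past the end of this hunk.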
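Review bot: The restore `SESSION_G(mod) = SUHOSIN_G(s_original_mod);` in suhosin_OnUpdateSaveHandler runs unconditionally, so it also overwrites SESSION_G(mod) when no wrapper is installed. That covers the case where s_original_mod is still NULL, either because no hook has run yet or because the malloc in suhosin_hook_session_module failed. It also covers the case where the current module is not Suhosin's copy, and there the stored pointer may be stale. Limiting the unwrap to the case that matters would be safer: `if (SUHOSIN_G(s_module) != NULL && SESSION_G(mod) == SUHOSIN_G(s_module)) SESSION_G(mod) = SUHOSIN_G(s_original_mod);`. Separately, the added `char *tmp;` is never used in the function as shown and can be removed.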
diff --git a/tests/session/session_recursive_crash.phpt b/tests/session/session_recursive_crash.phpt new file mode 100644 index 0000000..62cb9cd --- /dev/null +++ b/tests/session/session_recursive_crash.phpt @@ -0,0 +1,25 @@ +--TEST-- +session SessionHandler() recursive crash +--SKIPIF-- + +--ENV-- +return << + string(1) "b" +} -- cgit v1.3