#25110 [NEW]: $_SESSION can be changed indirectly

Sat, 16 Aug 2003 14:26:21 -0700 

From:             carl at freeideas dot com
Operating system: OSX and WIN2K
PHP version:      4.3.2
PHP Bug Type:     Session related
Bug description:  $_SESSION can be changed indirectly

Description:
------------
When register_globals is on, and after a session has already been started,
$_SESSION values can be changed indirectly.

$_SESSION['userID'] = 'carl';
$userID = $_SESSION['userID'];
$userID = 'HAXOR';
# now $_SESSION['userID'] is 'HAXOR'

To me, this seems like a bad thing.

Happens under Mac OS 10.2, w/ PHP 4.3.2
Happens under Win2K w/ PHP 4.3.2
Doesn't happen under Linux w/ PHP 4.2.3


Reproduce code:
---------------
<?
# Demonstrates that $_SESSION can be changed indirectly.
# the alleged bug activates when register_globals is ON.

# set a userID in the session
session_start();
$_SESSION['userID'] = 'carl';
  
# copy userID into a global variable, $userID
$userID = $_SESSION['userID'];
  
# change only $userID
print "before: ". $_SESSION['userID'] ."<br>\n";
$userID = 'HAXOR';
print "after: ". $_SESSION['userID'] ."<br>\n";
if ( $_SESSION['userID']=='HAXOR' ) { print "bad"; }
  
# seems very wrong that $_SESSION['userID'] was changed
?>

Expected result:
----------------
After I run the script and reload it once, I should not see "bad" because
changing $userID should not change $_SESSION['userID'].


Actual result:
--------------
bad

-- 
Edit bug report at http://bugs.php.net/?id=25110&edit=1
-- 
Try a CVS snapshot (php4):  http://bugs.php.net/fix.php?id=25110&r=trysnapshot4
Try a CVS snapshot (php5):  http://bugs.php.net/fix.php?id=25110&r=trysnapshot5
Fixed in CVS:               http://bugs.php.net/fix.php?id=25110&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=25110&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=25110&r=needtrace
Try newer version:          http://bugs.php.net/fix.php?id=25110&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=25110&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=25110&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=25110&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=25110&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=25110&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=25110&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=25110&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=25110&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=25110&r=gnused

Reply via email to