php · TysonAndre · Dec 4, 2021
@@ -20,7 +20,8 @@
 #include "ext/standard/php_var.h"
 #include "ext/hash/php_hash.h"
 
-#define PHP_SESSION_API 20161017
+/* Used externally by PECLs to write portable code. */
+#define PHP_SESSION_API 20211204
 
 #include "php_version.h"
 #define PHP_SESSION_VERSION PHP_VERSION
@@ -113,6 +114,14 @@ typedef struct ps_module_struct {
 	 ps_delete_##x, ps_gc_##x, ps_create_sid_##x, \
 	 ps_validate_sid_##x, ps_update_timestamp_##x
 
+/*
+ * http_session_vars is now passed in as &PS(http_session_vars) to allow extensions to register themselves as serializers/unserializers
+ * without depending on a symbol from session shared library.
+ */
+#define PS_SERIALIZER_ENCODE_ARGS zval *http_session_vars
+#define PS_SERIALIZER_DECODE_ARGS const char *val, size_t vallen, zval *http_session_vars
+
+typedef int(*php_session_register_serializer_func_t)(const char *name, zend_string *(*encode)(PS_SERIALIZER_ENCODE_ARGS), int (*decode)(PS_SERIALIZER_DECODE_ARGS));
 
 typedef enum {
 	php_session_disabled,
@@ -201,6 +210,7 @@ typedef struct _php_ps_globals {
 	bool in_save_handler; /* state if session is in save handler or not */
 	bool set_handler;     /* state if session module i setting handler or not */
 	zend_string *session_vars; /* serialized original session data */
+	php_session_register_serializer_func_t register_serializer; /* Allows registering a serializer without directly depending on the C symbol php_session_register_serializer. */
 } php_ps_globals;
 
 typedef php_ps_globals zend_ps_globals;
@@ -217,9 +227,6 @@ ZEND_TSRMLS_CACHE_EXTERN()
 #define PS(v) (ps_globals.v)
 #endif
 
-#define PS_SERIALIZER_ENCODE_ARGS void
-#define PS_SERIALIZER_DECODE_ARGS const char *val, size_t vallen
-
 typedef struct ps_serializer_struct {
 	const char *name;
 	zend_string *(*encode)(PS_SERIALIZER_ENCODE_ARGS);

@@ -232,7 +232,7 @@ static zend_string *php_session_encode(void) /* {{{ */
 			php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to encode session object");
 			return NULL;
 		}
-		return PS(serializer)->encode();
+		return PS(serializer)->encode(&PS(http_session_vars));
 	} else {
 		php_error_docref(NULL, E_WARNING, "Cannot encode non-existent session");
 	}
@@ -246,7 +246,7 @@ static int php_session_decode(zend_string *data) /* {{{ */
 		php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
 		return FAILURE;
 	}
-	if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {
+	if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data), &PS(http_session_vars)) == FAILURE) {
 		php_session_destroy();
 		php_session_track_init();
 		php_error_docref(NULL, E_WARNING, "Failed to decode session object. Session has been destroyed");
@@ -841,7 +841,7 @@ PS_SERIALIZER_ENCODE_FUNC(php_serialize) /* {{{ */
 
 	IF_SESSION_VARS() {
 		PHP_VAR_SERIALIZE_INIT(var_hash);
-		php_var_serialize(&buf, Z_REFVAL(PS(http_session_vars)), &var_hash);
+		php_var_serialize(&buf, Z_REFVAL_P(http_session_vars), &var_hash);
 		PHP_VAR_SERIALIZE_DESTROY(var_hash);
 	}
 	return buf.s;
@@ -866,15 +866,15 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
 		ZVAL_NULL(&session_vars);
 	}
 
-	if (!Z_ISUNDEF(PS(http_session_vars))) {
-		zval_ptr_dtor(&PS(http_session_vars));
+	if (!Z_ISUNDEF_P(http_session_vars)) {
+		zval_ptr_dtor(http_session_vars);
 	}
 	if (Z_TYPE(session_vars) == IS_NULL) {
 		array_init(&session_vars);
 	}
-	ZVAL_NEW_REF(&PS(http_session_vars), &session_vars);
-	Z_ADDREF_P(&PS(http_session_vars));
-	zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars));
+	ZVAL_NEW_REF(http_session_vars, &session_vars);
+	Z_ADDREF_P(http_session_vars);
+	zend_hash_update_ind(&EG(symbol_table), var_name, http_session_vars);
 	zend_string_release_ex(var_name, 0);
 	return result || !vallen ? SUCCESS : FAILURE;
 }
@@ -1541,7 +1541,7 @@ PHPAPI int php_session_start(void) /* {{{ */
 	 * Cookies are preferred, because initially cookie and get
 	 * variables will be available.
 	 * URL/POST session ID may be used when use_only_cookies=Off.
-	 * session.use_strice_mode=On prevents session adoption.
+	 * session.use_strict_mode=On prevents session adoption.
 	 * Session based file upload progress uses non-cookie ID.
 	 */
 
@@ -2815,6 +2815,10 @@ static PHP_MINIT_FUNCTION(session) /* {{{ */
 	REGISTER_LONG_CONSTANT("PHP_SESSION_NONE", php_session_none, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("PHP_SESSION_ACTIVE", php_session_active, CONST_CS | CONST_PERSISTENT);
 
+	/* Make this available by looking up this module and its globals in HashTable *module_registry for shared libraries.
+	 * Directly referencing the symbol would fail if session was compiled as a shared library and not loaded yet. */
+	PS(register_serializer) = php_session_register_serializer;
+
 	return SUCCESS;
 }
 /* }}} */

@@ -10,7 +10,6 @@ include('skipif.inc');
 require __DIR__.'/../../../sapi/cgi/tests/include.inc';
 
 get_cgi_path() or die('skip no cgi');
-
 ?>
 --FILE--
 <?php
@@ -25,6 +24,9 @@ reset_env_vars();
 $file = __DIR__."/session_regenerate_id_cookie.test.php";
 
 file_put_contents($file, '<?php
+// Workaround for compiling session as a shared extension, will not work in ZTS builds.
+// Note that you will need to run "make install" for this to be available.
+if (!extension_loaded("session")) { dl("session"); }
 ob_start();
 
 function find_cookie_header() {