fix: prevent creation of fixed sid

jorgsowa · jorgsowa · commit 164e5fbd6d01 · 2026-05-21T22:44:33.000+02:00
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -1661,8 +1661,8 @@ PHPAPI zend_result php_session_start(void) /* {{{ */
 	 * Cookies are preferred, because initially cookie and get
 	 * variables will be available.
 	 * URL/POST session ID may be used when use_only_cookies=Off.
-	 * session.use_strice_mode=On prevents session adoption.
-	 * Session based file upload progress uses non-cookie ID.
+	 * session.use_strict_mode=On prevents session adoption.
+	 * Session based file upload progress respects use_only_cookies.
 	 */
 
 	if (!PS(id)) {
@@ -3223,7 +3223,7 @@ static zend_result php_session_rfc1867_callback(unsigned int event, void *event_
 			multipart_event_start *data = (multipart_event_start *) event_data;
 			progress = ecalloc(1, sizeof(php_session_rfc1867_progress));
 			progress->content_length = data->content_length;
-			progress->sname_len  = strlen(PS(session_name));
+			progress->sname_len = strlen(PS(session_name));
 			PS(rfc1867_progress) = progress;
 		}
 		break;
@@ -3245,7 +3245,7 @@ static zend_result php_session_rfc1867_callback(unsigned int event, void *event_
 			if (data->name && data->value && value_len) {
 				size_t name_len = strlen(data->name);
 
-				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
+				if (!PS(use_only_cookies) && name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
 					zval_ptr_dtor(&progress->sid);
 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
 				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
diff --git a/ext/session/tests/rfc1867_sid_post_use_only_cookies.phpt b/ext/session/tests/rfc1867_sid_post_use_only_cookies.phpt
@@ -0,0 +1,44 @@
+--TEST--
+session rfc1867 upload progress does not use form SID when use_only_cookies=1
+--INI--
+file_uploads=1
+upload_max_filesize=1024
+session.save_path=
+session.name=PHPSESSID
+session.use_strict_mode=0
+session.use_cookies=1
+session.use_only_cookies=1
+session.upload_progress.enabled=1
+session.upload_progress.cleanup=0
+session.upload_progress.prefix=upload_progress_
+session.upload_progress.name=PHP_SESSION_UPLOAD_PROGRESS
+session.upload_progress.freq=0
+session.save_handler=files
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHPSESSID"
+
+rfc1867-sid-post-use-only-cookies
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
+
+rfc1867_sid_post_use_only_cookies.php
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file1"; filename="file1.txt"
+
+1
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+session_id("rfc1867-sid-post-use-only-cookies");
+session_start();
+var_dump(isset($_SESSION["upload_progress_" . basename(__FILE__)]));
+session_destroy();
+?>
+--EXPECT--
+bool(false)
