[pull] master from php:master

NEWS

@@ -156,6 +156,8 @@ PHP                                                                        NEWS
     (Girgias)
   . Null bytes in session.cookie_path, session.cookie_domain, and
     session.cache_limiter are now rejected with a warning. (jorgsowa)
+  . Changed defaults of session.use_strict_mode (now 1), session.cookie_httponly
+    (now 1) and session.cookie_samesite (now "Lax"). (jorgsowa)
 
 - Soap:
   . Soap::__setCookie() when cookie name is a digit is now not stored and

UPGRADING

@@ -94,6 +94,24 @@ PHP 8.6 UPGRADE NOTES
     comparison. Custom session handlers that rely on write() being called
     with empty data (e.g. to destroy the session) should implement the same
     logic in their updateTimestamp() method.
+  . The defaults of three session INI settings have changed to provide secure
+    behavior out of the box:
+      - session.use_strict_mode is now 1 (was 0). Strict mode rejects
+        uninitialized session IDs, mitigating session fixation. Custom session
+        handlers that previously relied on accepting externally supplied IDs
+        without a corresponding storage entry must either implement
+        validateId() / create_sid() or explicitly set this to 0.
+      - session.cookie_httponly is now 1 (was 0). Session cookies are no
+        longer accessible to JavaScript via document.cookie. Applications
+        that read the session cookie from JavaScript must explicitly set
+        this to 0.
+      - session.cookie_samesite is now "Lax" (was unset). Session cookies
+        are no longer sent on cross-site requests other than top-level
+        navigations using safe HTTP methods. Applications that depend on
+        session cookies being sent on cross-site POST submissions must
+        explicitly set this to "None" (and also set session.cookie_secure
+        to 1).
+    RFC: https://wiki.php.net/rfc/session_security_defaults
 
 - SPL:
   . SplObjectStorage::getHash() implementations may no longer mutate any

Zend/zend_objects.c

@@ -193,14 +193,14 @@ ZEND_API zend_object* ZEND_FASTCALL zend_objects_new(zend_class_entry *ce)
 	return object;
 }
 
-ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object, zend_object *old_object)
+ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object, const zend_object *old_object)
 {
 	bool has_clone_method = old_object->ce->clone != NULL;
 
 	if (old_object->ce->default_properties_count) {
-		zval *src = old_object->properties_table;
+		const zval *src = old_object->properties_table;
 		zval *dst = new_object->properties_table;
-		zval *end = src + old_object->ce->default_properties_count;
+		const zval *end = src + old_object->ce->default_properties_count;
 
 		do {
 			i_zval_ptr_dtor(dst);

Zend/zend_objects.h

@@ -24,7 +24,7 @@
 BEGIN_EXTERN_C()
 ZEND_API void ZEND_FASTCALL zend_object_std_init(zend_object *object, zend_class_entry *ce);
 ZEND_API zend_object* ZEND_FASTCALL zend_objects_new(zend_class_entry *ce);
-ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object, zend_object *old_object);
+ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object, const zend_object *old_object);
 
 ZEND_API void zend_object_std_dtor(zend_object *object);
 ZEND_API void zend_objects_destroy_object(zend_object *object);

ext/date/php_date.c

@@ -1831,7 +1831,7 @@ static zend_object *date_object_new_date(zend_class_entry *class_type) /* {{{ */
 
 static zend_object *date_object_clone_date(zend_object *this_ptr) /* {{{ */
 {
-	php_date_obj *old_obj = php_date_obj_from_obj(this_ptr);
+	const php_date_obj *old_obj = php_date_obj_from_obj(this_ptr);
 	php_date_obj *new_obj = php_date_obj_from_obj(date_object_new_date(old_obj->std.ce));
 
 	zend_objects_clone_members(&new_obj->std, &old_obj->std);
@@ -1988,7 +1988,7 @@ static zend_object *date_object_new_timezone(zend_class_entry *class_type) /* {{
 
 static zend_object *date_object_clone_timezone(zend_object *this_ptr) /* {{{ */
 {
-	php_timezone_obj *old_obj = php_timezone_obj_from_obj(this_ptr);
+	const php_timezone_obj *old_obj = php_timezone_obj_from_obj(this_ptr);
 	php_timezone_obj *new_obj = php_timezone_obj_from_obj(date_object_new_timezone(old_obj->std.ce));
 
 	zend_objects_clone_members(&new_obj->std, &old_obj->std);
@@ -2131,7 +2131,7 @@ static zend_object *date_object_new_interval(zend_class_entry *class_type) /* {{
 
 static zend_object *date_object_clone_interval(zend_object *this_ptr) /* {{{ */
 {
-	php_interval_obj *old_obj = php_interval_obj_from_obj(this_ptr);
+	const php_interval_obj *old_obj = php_interval_obj_from_obj(this_ptr);
 	php_interval_obj *new_obj = php_interval_obj_from_obj(date_object_new_interval(old_obj->std.ce));
 
 	zend_objects_clone_members(&new_obj->std, &old_obj->std);
@@ -2222,7 +2222,7 @@ static zend_object *date_object_new_period(zend_class_entry *class_type) /* {{{
 
 static zend_object *date_object_clone_period(zend_object *this_ptr) /* {{{ */
 {
-	php_period_obj *old_obj = php_period_obj_from_obj(this_ptr);
+	const php_period_obj *old_obj = php_period_obj_from_obj(this_ptr);
 	php_period_obj *new_obj = php_period_obj_from_obj(date_object_new_period(old_obj->std.ce));
 
 	zend_objects_clone_members(&new_obj->std, &old_obj->std);

ext/gmp/gmp.c

@@ -283,7 +283,7 @@ static HashTable *gmp_get_debug_info(zend_object *obj, int *is_temp) /* {{{ */
 
 static zend_object *gmp_clone_obj(zend_object *obj) /* {{{ */
 {
-	gmp_object *old_object = GET_GMP_OBJECT_FROM_OBJ(obj);
+	const gmp_object *old_object = GET_GMP_OBJECT_FROM_OBJ(obj);
 	gmp_object *new_object = GET_GMP_OBJECT_FROM_OBJ(gmp_create_object(obj->ce));
 
 	zend_objects_clone_members( &new_object->std, &old_object->std);

ext/hash/hash.c

@@ -1397,7 +1397,7 @@ static void php_hashcontext_free(zend_object *obj) {
 
 /* {{{ php_hashcontext_clone */
 static zend_object *php_hashcontext_clone(zend_object *zobj) {
-	php_hashcontext_object *oldobj = php_hashcontext_from_object(zobj);
+	const php_hashcontext_object *oldobj = php_hashcontext_from_object(zobj);
 	zend_object *znew = php_hashcontext_create(zobj->ce);
 	php_hashcontext_object *newobj = php_hashcontext_from_object(znew);
 

ext/intl/breakiterator/breakiterator_class.cpp

@@ -96,7 +96,7 @@ static int BreakIterator_compare_objects(zval *object1,
 /* {{{ clone handler for BreakIterator */
 static zend_object *BreakIterator_clone_obj(zend_object *object)
 {
-	BreakIterator_object *bio_orig = php_intl_breakiterator_fetch_object(object);
+	const BreakIterator_object *bio_orig = php_intl_breakiterator_fetch_object(object);
 	zend_object *ret_val           = BreakIterator_ce_ptr->create_object(object->ce);
 	BreakIterator_object *bio_new  = php_intl_breakiterator_fetch_object(ret_val);
 

ext/intl/calendar/calendar_class.cpp

@@ -77,7 +77,7 @@ U_CFUNC void calendar_object_construct(zval *object,
 /* {{{ clone handler for Calendar */
 static zend_object *Calendar_clone_obj(zend_object *object)
 {
-	Calendar_object *co_orig = php_intl_calendar_fetch_object(object);
+	const Calendar_object *co_orig = php_intl_calendar_fetch_object(object);
 	zend_object     *ret_val = Calendar_ce_ptr->create_object(object->ce);
 	Calendar_object  *co_new = php_intl_calendar_fetch_object(ret_val);
 

ext/intl/converter/converter.cpp

@@ -934,7 +934,8 @@ static zend_object *php_converter_create_object(zend_class_entry *ce) {
 }
 
 static zend_object *php_converter_clone_object(zend_object *object) {
-	php_converter_object *objval, *oldobj = php_converter_fetch_object(object);
+	const php_converter_object *oldobj = php_converter_fetch_object(object);
+	php_converter_object *objval;
 	zend_object *retval = php_converter_object_ctor(object->ce, &objval);
 	UErrorCode error = U_ZERO_ERROR;
 

ext/intl/dateformat/dateformat_class.cpp

@@ -66,7 +66,7 @@ zend_object *IntlDateFormatter_object_create(zend_class_entry *ce)
 /* {{{ IntlDateFormatter_object_clone */
 zend_object *IntlDateFormatter_object_clone(zend_object *object)
 {
-	IntlDateFormatter_object     *dfo = php_intl_dateformatter_fetch_object(object);
+	const IntlDateFormatter_object     *dfo = php_intl_dateformatter_fetch_object(object);
 	zend_object              *new_obj = IntlDateFormatter_ce_ptr->create_object(object->ce);
 	IntlDateFormatter_object *new_dfo = php_intl_dateformatter_fetch_object(new_obj);
 

ext/intl/dateformat/datepatterngenerator_class.cpp

@@ -36,7 +36,7 @@ zend_object_handlers IntlDatePatternGenerator_handlers;
 
 static zend_object *IntlDatePatternGenerator_object_clone(zend_object *object)
 {
-	IntlDatePatternGenerator_object *dtpgo_orig = php_intl_datepatterngenerator_fetch_object(object);
+	const IntlDatePatternGenerator_object *dtpgo_orig = php_intl_datepatterngenerator_fetch_object(object);
 	zend_object                        *ret_val = IntlDatePatternGenerator_ce_ptr->create_object(object->ce);
 	IntlDatePatternGenerator_object  *dtpgo_new = php_intl_datepatterngenerator_fetch_object(ret_val);
 

ext/intl/formatter/formatter_class.cpp

@@ -62,7 +62,7 @@ U_CFUNC zend_object *NumberFormatter_object_create(zend_class_entry *ce)
 /* {{{ NumberFormatter_object_clone */
 U_CFUNC zend_object *NumberFormatter_object_clone(zend_object *object)
 {
-	NumberFormatter_object     *nfo = php_intl_number_format_fetch_object(object);
+	const NumberFormatter_object     *nfo = php_intl_number_format_fetch_object(object);
 	zend_object            *new_obj = NumberFormatter_ce_ptr->create_object(object->ce);
 	NumberFormatter_object *new_nfo = php_intl_number_format_fetch_object(new_obj);
 

ext/intl/msgformat/msgformat_class.cpp

@@ -58,7 +58,7 @@ U_CFUNC zend_object *MessageFormatter_object_create(zend_class_entry *ce)
 /* {{{ MessageFormatter_object_clone */
 U_CFUNC zend_object *MessageFormatter_object_clone(zend_object *object)
 {
-	MessageFormatter_object     *mfo = php_intl_messageformatter_fetch_object(object);
+	const MessageFormatter_object     *mfo = php_intl_messageformatter_fetch_object(object);
 	zend_object             *new_obj = MessageFormatter_ce_ptr->create_object(object->ce);
 	MessageFormatter_object *new_mfo = php_intl_messageformatter_fetch_object(new_obj);
 

ext/intl/spoofchecker/spoofchecker_class.cpp

@@ -63,7 +63,7 @@ U_CFUNC zend_object *Spoofchecker_object_create(zend_class_entry *ce)
 
 static zend_object *spoofchecker_clone_obj(zend_object *object) /* {{{ */
 {
-	Spoofchecker_object *spoofchecker_orig = php_intl_spoofchecker_fetch_object(object);
+	const Spoofchecker_object *spoofchecker_orig = php_intl_spoofchecker_fetch_object(object);
 	zend_object *new_obj_val               = Spoofchecker_ce_ptr->create_object(object->ce);
 	Spoofchecker_object *spoofchecker_new  = php_intl_spoofchecker_fetch_object(new_obj_val);
 

ext/intl/timezone/timezone_class.cpp

@@ -207,7 +207,7 @@ U_CFUNC TimeZone *timezone_process_timezone_argument(
 /* {{{ clone handler for TimeZone */
 static zend_object *TimeZone_clone_obj(zend_object *object)
 {
-	TimeZone_object *to_orig = php_intl_timezone_fetch_object(object);
+	const TimeZone_object *to_orig = php_intl_timezone_fetch_object(object);
 	zend_object     *ret_val = TimeZone_ce_ptr->create_object(object->ce);
 	TimeZone_object  *to_new = php_intl_timezone_fetch_object(ret_val);
 

ext/intl/transliterator/transliterator_class.cpp

@@ -130,7 +130,7 @@ static zend_object *Transliterator_object_create( zend_class_entry *ce )
 /* {{{ clone handler for Transliterator */
 static zend_object *Transliterator_clone_obj( zend_object *object )
 {
-	Transliterator_object *to_orig = php_intl_transliterator_fetch_object(object);
+	const Transliterator_object *to_orig = php_intl_transliterator_fetch_object(object);
 	zend_object           *ret_val = Transliterator_ce_ptr->create_object(object->ce);
 	Transliterator_object  *to_new = php_intl_transliterator_fetch_object(ret_val);
 

ext/random/random.c

@@ -273,7 +273,7 @@ PHPAPI void php_random_engine_common_free_object(zend_object *object)
 
 PHPAPI zend_object *php_random_engine_common_clone_object(zend_object *object)
 {
-	php_random_engine *old_engine = php_random_engine_from_obj(object);
+	const php_random_engine *old_engine = php_random_engine_from_obj(object);
 	php_random_engine *new_engine = php_random_engine_from_obj(old_engine->std.ce->create_object(old_engine->std.ce));
 
 	new_engine->engine.algo = old_engine->engine.algo;

ext/session/session.c

@@ -928,11 +928,11 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.cookie_domain",        "",          PHP_INI_ALL,    OnUpdateSessionStr,           cookie_domain,      php_ps_globals, ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_secure",      "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_secure,      php_ps_globals, ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_partitioned", "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_partitioned, php_ps_globals, ps_globals)
-	STD_PHP_INI_BOOLEAN("session.cookie_httponly",    "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_httponly,    php_ps_globals, ps_globals)
-	STD_PHP_INI_ENTRY("session.cookie_samesite",      "",          PHP_INI_ALL,    OnUpdateSessionSameSite,      cookie_samesite,    php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_httponly",    "1",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_httponly,    php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cookie_samesite",      "Lax",       PHP_INI_ALL,    OnUpdateSessionSameSite,      cookie_samesite,    php_ps_globals, ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",        "1",         PHP_INI_ALL,    OnUpdateSessionBool,          use_cookies,        php_ps_globals, ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_only_cookies",   "1",         PHP_INI_ALL,    OnUpdateUseOnlyCookies,       use_only_cookies,   php_ps_globals, ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_strict_mode",    "0",         PHP_INI_ALL,    OnUpdateSessionBool,          use_strict_mode,    php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_strict_mode",    "1",         PHP_INI_ALL,    OnUpdateSessionBool,          use_strict_mode,    php_ps_globals, ps_globals)
 	STD_PHP_INI_ENTRY("session.referer_check",        "",          PHP_INI_ALL,    OnUpdateRefererCheck,         extern_referer_chk, php_ps_globals, ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_limiter",        "nocache",   PHP_INI_ALL,    OnUpdateSessionStr,           cache_limiter,      php_ps_globals, ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_expire",         "180",       PHP_INI_ALL,    OnUpdateSessionLong,          cache_expire,       php_ps_globals, ps_globals)

ext/session/tests/bug74892.phpt

@@ -4,6 +4,7 @@ Bug #74892 Url Rewriting (trans_sid) not working on urls that start with #
 session.use_cookies=0
 session.use_only_cookies=0
 session.use_trans_sid=1
+session.use_strict_mode=0
 --EXTENSIONS--
 session
 --SKIPIF--

ext/session/tests/bug80774.phpt

@@ -2,12 +2,14 @@
 Bug #80774 (session_name() problem with backslash)
 --EXTENSIONS--
 session
+--INI--
+session.use_strict_mode=0
 --FILE--
 <?php
 session_name("foo\\bar");
 session_id('12345');
 session_start();
 ?>
 --EXPECTHEADERS--
-Set-Cookie: foo\bar=12345; path=/
+Set-Cookie: foo\bar=12345; path=/; HttpOnly; SameSite=Lax
 --EXPECT--

ext/session/tests/gh9200.phpt

@@ -2,6 +2,7 @@
 GH-9200: setcookie has an obsolete expires date format
 --INI--
 session.cookie_lifetime=3600
+session.use_strict_mode=0
 --EXTENSIONS--
 session
 --CGI--
@@ -12,7 +13,7 @@ session_id('bar');
 session_start();
 
 foreach (headers_list() as $header) {
-	if (preg_match('/^Set-Cookie: foo=bar; expires=(Mon|Tue|Wed|Thu|Fri|Sat|Sun), [0-9][0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) 2[0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] GMT; Max-Age=3600; path=\\/$/', $header)) {
+	if (preg_match('/^Set-Cookie: foo=bar; expires=(Mon|Tue|Wed|Thu|Fri|Sat|Sun), [0-9][0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) 2[0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] GMT; Max-Age=3600; path=\/; HttpOnly; SameSite=Lax$/', $header)) {
 		echo "Success", PHP_EOL;
 		exit;
 	}

ext/session/tests/mod_files/gc_dirdepth2.phpt

@@ -7,6 +7,7 @@ session
 --INI--
 session.gc_probability=0
 session.gc_maxlifetime=10
+session.use_strict_mode=0
 --FILE--
 <?php
 $base = __DIR__ . '/gc_dirdepth2_test';

ext/session/tests/mod_files/gc_dirdepth_disabled.phpt

@@ -7,6 +7,7 @@ session
 --INI--
 session.gc_probability=0
 session.gc_maxlifetime=1
+session.use_strict_mode=0
 --FILE--
 <?php
 

ext/session/tests/mod_files/gc_dirdepth_multi_subdir_count.phpt

@@ -7,6 +7,7 @@ session
 --INI--
 session.gc_probability=0
 session.gc_maxlifetime=10
+session.use_strict_mode=0
 --FILE--
 <?php
 $base = __DIR__ . '/gc_multi_subdir_test';

ext/session/tests/mod_files/gc_dirdepth_selective.phpt

@@ -7,6 +7,7 @@ session
 --INI--
 session.gc_probability=0
 session.gc_maxlifetime=10
+session.use_strict_mode=0
 --FILE--
 <?php
 $base = __DIR__ . '/gc_selective_test';

ext/session/tests/session_regenerate_id_cookie.phpt

@@ -67,14 +67,14 @@ string(%d) "X-Powered-By: PHP/%d.%d.%s
 Expires: %s
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
-Set-Cookie: PHPSESSID=%s; path=/
+Set-Cookie: PHPSESSID=%s; path=/; HttpOnly; SameSite=Lax
 Content-type: text/html; charset=UTF-8
 
 bool(true)
-Set-Cookie: PHPSESSID=%s; path=/
+Set-Cookie: PHPSESSID=%s; path=/; HttpOnly; SameSite=Lax
 bool(true)
 bool(true)
-Set-Cookie: PHPSESSID=%s; path=/
+Set-Cookie: PHPSESSID=%s; path=/; HttpOnly; SameSite=Lax
 bool(true)
 bool(true)
 string(32) "%s"

ext/session/tests/session_set_cookie_params_invalid_ini.phpt

@@ -18,5 +18,5 @@ ob_end_flush();
 ?>
 --EXPECTF--
 Warning: PHP Startup: session.cookie_samesite must be "Strict", "Lax", "None", or "" in Unknown on line 0
-string(0) ""
+string(3) "Lax"
 Done

ext/session/tests/session_start_partitioned_headers.phpt

@@ -2,12 +2,14 @@
 session_start() with partitioned cookies - header test
 --EXTENSIONS--
 session
+--INI--
+session.use_strict_mode=0
 --FILE--
 <?php
 session_id('12345');
 session_set_cookie_params(["secure" => true, "partitioned" => true]);
 session_start();
 ?>
 --EXPECTHEADERS--
-Set-Cookie: PHPSESSID=12345; path=/; secure; Partitioned
+Set-Cookie: PHPSESSID=12345; path=/; secure; Partitioned; HttpOnly; SameSite=Lax
 --EXPECT--

ext/uri/php_uri.c

@@ -1034,7 +1034,7 @@ PHPAPI void php_uri_object_handler_free(zend_object *object)
 
 PHPAPI zend_object *php_uri_object_handler_clone(zend_object *object)
 {
-	php_uri_object *uri_object = php_uri_object_from_obj(object);
+	const php_uri_object *uri_object = php_uri_object_from_obj(object);
 
 	ZEND_ASSERT(uri_object->uri != NULL);
 

php.ini-development

@@ -1305,10 +1305,9 @@ session.save_handler = files
 ; Strict session mode does not accept an uninitialized session ID, and
 ; regenerates the session ID if the browser sends an uninitialized session ID.
 ; Strict mode protects applications from session fixation via a session adoption
-; vulnerability. It is disabled by default for maximum compatibility, but
-; enabling it is encouraged.
+; vulnerability.
 ; https://wiki.php.net/rfc/strict_sessions
-session.use_strict_mode = 0
+session.use_strict_mode = 1
 
 ; Whether to use cookies.
 ; https://php.net/session.use-cookies
@@ -1350,13 +1349,13 @@ session.cookie_domain =
 ; Whether or not to add the httpOnly flag to the cookie, which makes it
 ; inaccessible to browser scripting languages such as JavaScript.
 ; https://php.net/session.cookie-httponly
-session.cookie_httponly =
+session.cookie_httponly = 1
 
 ; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
 ; Current valid values are "Strict", "Lax" or "None". When using "None",
 ; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
 ; https://tools.ietf.org/html/draft-west-first-party-cookies-07
-session.cookie_samesite =
+session.cookie_samesite = "Lax"
 
 ; Handler used to serialize data. php is the standard serializer of PHP.
 ; https://php.net/session.serialize-handler