#include "php.h"
#include <sys/stat.h>
#include <sys/types.h>
#if HAVE_SYS_FILE_H
#include <sys/file.h>
#endif
#if HAVE_DIRENT_H
#include <dirent.h>
#endif
#ifdef PHP_WIN32
#include "win32/readdir.h"
#endif
#include <time.h>
#include <fcntl.h>
#include <errno.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#include "php_session.h"
#include "mod_files.h"
#include "ext/standard/flock_compat.h"
#include "php_open_temporary_file.h"
#define FILE_PREFIX "sess_"
#ifdef PHP_WIN32
# ifndef O_NOFOLLOW
# define O_NOFOLLOW 0
# endif
#endif
typedef struct {
char *lastkey;
char *basedir;
size_t basedir_len;
size_t dirdepth;
size_t st_size;
int filemode;
int fd;
} ps_files;
const ps_module ps_mod_files = {
PS_MOD_UPDATE_TIMESTAMP(files)
};
static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
{
size_t key_len;
const char *p;
int i;
size_t n;
key_len = strlen(key);
if (!data || key_len <= data->dirdepth ||
buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) {
return NULL;
}
p = key;
memcpy(buf, data->basedir, data->basedir_len);
n = data->basedir_len;
buf[n++] = PHP_DIR_SEPARATOR;
for (i = 0; i < (int)data->dirdepth; i++) {
buf[n++] = *p++;
buf[n++] = PHP_DIR_SEPARATOR;
}
memcpy(buf + n, FILE_PREFIX, sizeof(FILE_PREFIX) - 1);
n += sizeof(FILE_PREFIX) - 1;
memcpy(buf + n, key, key_len);
n += key_len;
buf[n] = '\0';
return buf;
}
#ifndef O_BINARY
# define O_BINARY 0
#endif
static void ps_files_close(ps_files *data)
{
if (data->fd != -1) {
#ifdef PHP_WIN32
flock(data->fd, LOCK_UN);
#endif
close(data->fd);
data->fd = -1;
}
}
static void ps_files_open(ps_files *data, const char *key)
{
char buf[MAXPATHLEN];
#if !defined(O_NOFOLLOW) || !defined(PHP_WIN32)
struct stat sbuf;
#endif
int ret;
if (data->fd < 0 || !data->lastkey || strcmp(key, data->lastkey)) {
if (data->lastkey) {
efree(data->lastkey);
data->lastkey = NULL;
}
ps_files_close(data);
if (php_session_valid_key(key) == FAILURE) {
php_error_docref(NULL, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'");
return;
}
if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
php_error_docref(NULL, E_WARNING, "Failed to create session data file path. Too short session ID, invalid save_path or path lentgth exceeds MAXPATHLEN(%d)", MAXPATHLEN);
return;
}
data->lastkey = estrdup(key);
#ifdef O_NOFOLLOW
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW, data->filemode);
#else
if(PG(open_basedir) && lstat(buf, &sbuf) == 0 && S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf)) {
return;
}
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode);
#endif
if (data->fd != -1) {
#ifndef PHP_WIN32
if (zend_fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid() && getuid() != 0)) {
close(data->fd);
data->fd = -1;
php_error_docref(NULL, E_WARNING, "Session data file is not created by your uid");
return;
}
#endif
do {
ret = flock(data->fd, LOCK_EX);
} while (ret == -1 && errno == EINTR);
#ifdef F_SETFD
# ifndef FD_CLOEXEC
# define FD_CLOEXEC 1
# endif
if (fcntl(data->fd, F_SETFD, FD_CLOEXEC)) {
php_error_docref(NULL, E_WARNING, "fcntl(%d, F_SETFD, FD_CLOEXEC) failed: %s (%d)", data->fd, strerror(errno), errno);
}
#endif
} else {
php_error_docref(NULL, E_WARNING, "open(%s, O_RDWR) failed: %s (%d)", buf, strerror(errno), errno);
}
}
}
static int ps_files_write(ps_files *data, zend_string *key, zend_string *val)
{
size_t n = 0;
ps_files_open(data, ZSTR_VAL(key));
if (data->fd < 0) {
return FAILURE;
}
if (ZSTR_LEN(val) < data->st_size) {
php_ignore_value(ftruncate(data->fd, 0));
}
#if defined(HAVE_PWRITE)
n = pwrite(data->fd, ZSTR_VAL(val), ZSTR_LEN(val), 0);
#else
lseek(data->fd, 0, SEEK_SET);
#ifdef PHP_WIN32
{
unsigned int to_write = ZSTR_LEN(val) > UINT_MAX ? UINT_MAX : (unsigned int)ZSTR_LEN(val);
char *buf = ZSTR_VAL(val);
int wrote;
do {
wrote = _write(data->fd, buf, to_write);
n += wrote;
buf = wrote > -1 ? buf + wrote : 0;
to_write = wrote > -1 ? (ZSTR_LEN(val) - n > UINT_MAX ? UINT_MAX : (unsigned int)(ZSTR_LEN(val) - n)): 0;
} while(wrote > 0);
}
#else
n = write(data->fd, ZSTR_VAL(val), ZSTR_LEN(val));
#endif
#endif
if (n != ZSTR_LEN(val)) {
if (n == (size_t)-1) {
php_error_docref(NULL, E_WARNING, "write failed: %s (%d)", strerror(errno), errno);
} else {
php_error_docref(NULL, E_WARNING, "write wrote less bytes than requested");
}
return FAILURE;
}
return SUCCESS;
}
static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)
{
DIR *dir;
char dentry[sizeof(struct dirent) + MAXPATHLEN];
struct dirent *entry = (struct dirent *) &dentry;
zend_stat_t sbuf;
char buf[MAXPATHLEN];
time_t now;
int nrdels = 0;
size_t dirname_len;
dir = opendir(dirname);
if (!dir) {
php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: opendir(%s) failed: %s (%d)", dirname, strerror(errno), errno);
return (0);
}
time(&now);
dirname_len = strlen(dirname);
if (dirname_len >= MAXPATHLEN) {
php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname);
closedir(dir);
return (0);
}
memcpy(buf, dirname, dirname_len);
buf[dirname_len] = PHP_DIR_SEPARATOR;
while (php_readdir_r(dir, (struct dirent *) dentry, &entry) == 0 && entry) {
if (!strncmp(entry->d_name, FILE_PREFIX, sizeof(FILE_PREFIX) - 1)) {
size_t entry_len = strlen(entry->d_name);
if (entry_len + dirname_len + 2 < MAXPATHLEN) {
memcpy(buf + dirname_len + 1, entry->d_name, entry_len);
buf[dirname_len + entry_len + 1] = '\0';
if (VCWD_STAT(buf, &sbuf) == 0 &&
(now - sbuf.st_mtime) > maxlifetime) {
VCWD_UNLINK(buf);
nrdels++;
}
}
}
}
closedir(dir);
return (nrdels);
}
static int ps_files_key_exists(ps_files *data, const char *key)
{
char buf[MAXPATHLEN];
zend_stat_t sbuf;
if (!key || !ps_files_path_create(buf, sizeof(buf), data, key)) {
return FAILURE;
}
if (VCWD_STAT(buf, &sbuf)) {
return FAILURE;
}
return SUCCESS;
}
#define PS_FILES_DATA ps_files *data = PS_GET_MOD_DATA()
PS_OPEN_FUNC(files)
{
ps_files *data;
const char *p, *last;
const char *argv[3];
int argc = 0;
size_t dirdepth = 0;
int filemode = 0600;
if (*save_path == '\0') {
save_path = php_get_temporary_directory();
if (php_check_open_basedir(save_path)) {
return FAILURE;
}
}
last = save_path;
p = strchr(save_path, ';');
while (p) {
argv[argc++] = last;
last = ++p;
p = strchr(p, ';');
if (argc > 1) break;
}
argv[argc++] = last;
if (argc > 1) {
errno = 0;
dirdepth = (size_t) ZEND_STRTOL(argv[0], NULL, 10);
if (errno == ERANGE) {
php_error(E_WARNING, "The first parameter in session.save_path is invalid");
return FAILURE;
}
}
if (argc > 2) {
errno = 0;
filemode = (int)ZEND_STRTOL(argv[1], NULL, 8);
if (errno == ERANGE || filemode < 0 || filemode > 07777) {
php_error(E_WARNING, "The second parameter in session.save_path is invalid");
return FAILURE;
}
}
save_path = argv[argc - 1];
data = ecalloc(1, sizeof(*data));
data->fd = -1;
data->dirdepth = dirdepth;
data->filemode = filemode;
data->basedir_len = strlen(save_path);
data->basedir = estrndup(save_path, data->basedir_len);
if (PS_GET_MOD_DATA()) {
ps_close_files(mod_data);
}
PS_SET_MOD_DATA(data);
return SUCCESS;
}
PS_CLOSE_FUNC(files)
{
PS_FILES_DATA;
ps_files_close(data);
if (data->lastkey) {
efree(data->lastkey);
data->lastkey = NULL;
}
efree(data->basedir);
efree(data);
PS_SET_MOD_DATA(NULL);
return SUCCESS;
}
PS_READ_FUNC(files)
{
zend_long n = 0;
zend_stat_t sbuf;
PS_FILES_DATA;
ps_files_open(data, ZSTR_VAL(key));
if (data->fd < 0) {
return FAILURE;
}
if (zend_fstat(data->fd, &sbuf)) {
return FAILURE;
}
data->st_size = sbuf.st_size;
if (sbuf.st_size == 0) {
*val = ZSTR_EMPTY_ALLOC();
return SUCCESS;
}
*val = zend_string_alloc(sbuf.st_size, 0);
#if defined(HAVE_PREAD)
n = pread(data->fd, ZSTR_VAL(*val), ZSTR_LEN(*val), 0);
#else
lseek(data->fd, 0, SEEK_SET);
#ifdef PHP_WIN32
{
unsigned int to_read = ZSTR_LEN(*val) > UINT_MAX ? UINT_MAX : (unsigned int)ZSTR_LEN(*val);
char *buf = ZSTR_VAL(*val);
int read_in;
do {
read_in = _read(data->fd, buf, to_read);
n += read_in;
buf = read_in > -1 ? buf + read_in : 0;
to_read = read_in > -1 ? (ZSTR_LEN(*val) - n > UINT_MAX ? UINT_MAX : (unsigned int)(ZSTR_LEN(*val) - n)): 0;
} while(read_in > 0);
}
#else
n = read(data->fd, ZSTR_VAL(*val), ZSTR_LEN(*val));
#endif
#endif
if (n != (zend_long)sbuf.st_size) {
if (n == -1) {
php_error_docref(NULL, E_WARNING, "read failed: %s (%d)", strerror(errno), errno);
} else {
php_error_docref(NULL, E_WARNING, "read returned less bytes than requested");
}
zend_string_release_ex(*val, 0);
*val = ZSTR_EMPTY_ALLOC();
return FAILURE;
}
ZSTR_VAL(*val)[ZSTR_LEN(*val)] = '\0';
return SUCCESS;
}
PS_WRITE_FUNC(files)
{
PS_FILES_DATA;
return ps_files_write(data, key, val);
}
PS_UPDATE_TIMESTAMP_FUNC(files)
{
char buf[MAXPATHLEN];
struct utimbuf newtimebuf;
struct utimbuf *newtime = &newtimebuf;
int ret;
PS_FILES_DATA;
if (!ps_files_path_create(buf, sizeof(buf), data, ZSTR_VAL(key))) {
return FAILURE;
}
#ifdef HAVE_UTIME_NULL
newtime = NULL;
#else
newtime->modtime = newtime->actime = time(NULL);
#endif
ret = VCWD_UTIME(buf, newtime);
if (ret == -1) {
return ps_files_write(data, key, val);
}
return SUCCESS;
}
PS_DESTROY_FUNC(files)
{
char buf[MAXPATHLEN];
PS_FILES_DATA;
if (!ps_files_path_create(buf, sizeof(buf), data, ZSTR_VAL(key))) {
return FAILURE;
}
if (data->fd != -1) {
ps_files_close(data);
if (VCWD_UNLINK(buf) == -1) {
if (!VCWD_ACCESS(buf, F_OK)) {
return FAILURE;
}
}
}
return SUCCESS;
}
PS_GC_FUNC(files)
{
PS_FILES_DATA;
if (data->dirdepth == 0) {
*nrdels = ps_files_cleanup_dir(data->basedir, maxlifetime);
} else {
*nrdels = -1; }
return *nrdels;
}
PS_CREATE_SID_FUNC(files)
{
zend_string *sid;
int maxfail = 3;
PS_FILES_DATA;
do {
sid = php_session_create_id((void**)&data);
if (!sid) {
if (--maxfail < 0) {
return NULL;
} else {
continue;
}
}
if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
if (sid) {
zend_string_release_ex(sid, 0);
sid = NULL;
}
if (--maxfail < 0) {
return NULL;
}
}
} while(!sid);
return sid;
}
PS_VALIDATE_SID_FUNC(files)
{
PS_FILES_DATA;
return ps_files_key_exists(data, ZSTR_VAL(key));
}