Bug #55444 [Com]: trans-sid enabled; PHPSESSID inserted after end of href on links

freynder at gmail dot com Fri, 14 Dec 2012 01:40:04 -0800

Edit report at https://bugs.php.net/bug.php?id=55444&edit=1


 ID:                 55444
 Comment by:         freynder at gmail dot com
 Reported by:        fatman at crackmonkey dot us
 Summary:            trans-sid enabled; PHPSESSID inserted after end of
                     href on links
 Status:             Feedback
 Type:               Bug
 Package:            Session related
 Operating System:   Ubuntu 10.04.3 LTS
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

Experienced the same issue in PHP 5.3.10. I have a long list of links and they 
look all correct except for 1. 

Code:
<a href="/admin/field/edit/params/id/<?= $field['field_id'] ?>/client/<?= $id ?
>" class="edit">Edit</a>

Result:
<a href="/admin/field/edit/params/id/632/client/32"?
PHPSESSID=gs0p9jd4er5fm1ojhg7tbq5m75 class="edit">Edit</a>


Previous Comments:
------------------------------------------------------------------------
[2011-11-16 19:49:40] dimitriy at remerov dot ru

Was able to reproduce on different installations on 5.3.6 and 5.3.5.
If I place link before broken one, then this new one becomes broken.

Unfortunately can't test in other versions due to complication installation.


Relevant part HTML (5th link is broken, but there are links before that HTML):

...                                     
<a href="a?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="b?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="c?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="d?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="e"?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae>

        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="f?PHPSESSID=c5e10c3bb9d776c7b618531d31bb44ae">
        abcdefghijkjlmopqrstuvwxyz
</a>
...
--------------

Relevant code:


// add start
if (strpos($url_item, 'translation') !== false) { // to make it around 17th 
link 
on page
        ?>
<a href="<?= "a" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="<?= "b" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="<?= "c" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="<?= "d" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="<?= "e" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
<a href="<?= "f" ?>">
        abcdefghijkjlmopqrstuvwxyz
</a>
        <?php
}
// add end

----

------------------------------------------------------------------------
[2011-08-22 14:07:31] ka...@php.net

(pressed Enter by accident)

... if the problem persists in 5.3.7 or the upcoming patch level release 5.3.8 
then change the status of the bug back to Open

------------------------------------------------------------------------
[2011-08-22 14:05:31] ka...@php.net

Upgrade PHP first, we don't support 5.3.2 anymore

------------------------------------------------------------------------
[2011-08-17 22:33:42] fatman at crackmonkey dot us

Description:
------------
In more detail, OS:
Linux 2.6.32-32-server x86_64 #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 

PHP 5.3.2-1ubuntu4.9 with Suhosin-Patch (cli) (built: May  3 2011 00:45:52)

This is the standard PHP package from Ubuntu Lucid's "main" repo. I did not 
compile it. I have enabled the trans-
sid option.

When generating a long list of links, occasionally the trans-sid function will 
miss the end of the "href" 
attribute and add "?PHPSESSID=73...07" outside the closing double quote mark. 
eg:

<td><a href="index.php?
area=gallery&page=edit_photo&file=gallery_36.jpg&amp;PHPSESSID=73...07"><img 
src="images/edit.png" />gallery_36.jpg</a></td> 
...
<td><a href="index.php?area=gallery&page=edit_photo&file=gallery_37.jpg"?
PHPSESSID=73...07><img 
src="images/edit.png" />gallery_37.jpg</a></td> 

Note that since it is outside the quote mark, it is generated with a "?" 
instead 
of "&amp;". This reliably 
happens on the "gallery_37.jpg" link, and the "gallery_18.jpg" link, and a few 
others.

Test script:
---------------
The relevant loop:

      while ($row = mysql_fetch_assoc($result)) {
         $file = sanitise_html($row["filename"]);
         $title = sanitise_html($row["title"]);
?>
               <tr>
                  <td><a 
href="index.php?area=gallery&page=edit_photo&file=<?=$file?>"><img 
src="images/edit.png" /><?=$file?></a></td>
                  <td><?=$title?></td>
                  <td><a 
href="index.php?area=gallery&page=delete_photo&file=<?=$file?>"><img 
src="images/delete.png" /></a></td>
               </tr>
<?
      }

Expected result:
----------------
In the example above, I would expect:

&amp;PHPSESSID=73...07

to be added to the end of every link, in the proper place, *inside* the end of 
the 
href attribute.

Actual result:
--------------
On some links, the PHPSESSID appears *outside* the end of the href attribute. 
This 
causes the PHPSESSID not to be included in the link.


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55444&edit=1

Bug #55444 [Com]: trans-sid enabled; PHPSESSID inserted after end of href on links

Reply via email to