ValueError on null byte in session_name()

ext/session/session.c

@@ -93,7 +93,7 @@ zend_class_entry *php_session_update_timestamp_iface_entry;
 		return FAILURE;													\
 	}
 
-#define SESSION_FORBIDDEN_CHARS "=,;.[ \t\r\n\013\014"
+#define SESSION_FORBIDDEN_CHARS "=,;.[ \t\r\n\013\014\0"
 
 #define APPLY_TRANS_SID (PS(use_trans_sid) && !PS(use_only_cookies))
 
@@ -1335,8 +1335,8 @@ static zend_result php_session_send_cookie(void) /* {{{ */
 	}
 
 	/* Prevent broken Set-Cookie header, because the session_name might be user supplied */
-	if (strpbrk(PS(session_name), SESSION_FORBIDDEN_CHARS) != NULL) {   /* man isspace for \013 and \014 */
-		php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,;.[ \\t\\r\\n\\013\\014'");
+	if (strpbrk(PS(session_name), SESSION_FORBIDDEN_CHARS) != NULL || memchr(PS(session_name), '\0', strlen(PS(session_name))) != NULL) {   /* man isspace for \013 and \014 */
+		php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,;.[ \\t\\r\\n\\013\\014\\0'");
 		return FAILURE;
 	}
 
@@ -1875,13 +1875,13 @@ PHP_FUNCTION(session_get_cookie_params)
 }
 /* }}} */
 
-/* {{{ Return the current session name. If newname is given, the session name is replaced with newname */
+/* {{{ Return the current session name. If new name is given, the session name is replaced with new name */
 PHP_FUNCTION(session_name)
 {
 	zend_string *name = NULL;
 	zend_string *ini_name;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|S!", &name) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "|P!", &name) == FAILURE) {
 		RETURN_THROWS();
 	}
 

ext/session/tests/session_name_variation1.phpt

@@ -15,12 +15,6 @@ ob_start();
 
 echo "*** Testing session_name() : variation ***\n";
 
-var_dump(session_name("\0"));
-var_dump(session_start());
-var_dump(session_name());
-var_dump(session_destroy());
-var_dump(session_name());
-
 var_dump(session_name("\t"));
 var_dump(session_start());
 var_dump(session_name());
@@ -39,11 +33,6 @@ ob_end_flush();
 --EXPECTF--
 *** Testing session_name() : variation ***
 string(9) "PHPSESSID"
-bool(true)
-string(9) "PHPSESSID"
-bool(true)
-string(9) "PHPSESSID"
-string(9) "PHPSESSID"
 
 Warning: session_start(): session.name cannot contain any of the following '=,;.[ \t\r\n\013\014' in %s on line %d
 bool(true)

ext/session/tests/session_name_variation_null_byte.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Test session_name() function : null byte in session name
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ob_start();
+
+var_dump(session_name("AB\0CD"));
+var_dump(session_start());
+
+echo "Done";
+ob_end_flush();
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: session_name(): Argument #1 ($name) must not contain any null bytes in %s:%d
+Stack trace:
+#0 %s(%d): session_name('AB\x00CD')
+#1 {main}
+  thrown in %s on line %d