From 610760b2e0db497b0c24f5b7874f9fbdb97133f0 Mon Sep 17 00:00:00 2001
From: Jorg Sowa
Date: Sun, 17 May 2026 18:48:20 +0200
Subject: [PATCH] ext/session: reject null bytes in session.cookie_path, session.cookie_domain, session.cache_limiter
---
 NEWS | 2 +
 UPGRADING | 5 +++
 ext/session/session.c | 7 ++++
 .../tests/session_str_settings_null_byte.phpt | 37 +++++++++++++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 ext/session/tests/session_str_settings_null_byte.phpt
diff --git a/NEWS b/NEWS
index 65b1f85ba378..b3cad43d883f 100644
--- a/NEWS
+++ b/NEWS
@@ -150,6 +150,8 @@ PHP NEWS
 - Session:
 . Fixed bug 71162 (updateTimestamp never called when session data is empty). (Girgias)
+ . Null bytes in session.cookie_path, session.cookie_domain, and
+ session.cache_limiter are now rejected with a warning. (jorgsowa)
 - Soap:
 . Soap::__setCookie() when cookie name is a digit is now not stored and
diff --git a/UPGRADING b/UPGRADING
index de086c600f56..7df2026e9a92 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -70,6 +70,11 @@ PHP 8.6 UPGRADE NOTES
 argument value is passed.
 - Session:
+ . Setting session.cookie_path, session.cookie_domain, or session.cache_limiter
+ to a value containing null bytes now emits a warning and leaves the setting
+ unchanged. Previously, null bytes were silently accepted: for cookie_path and
+ cookie_domain this caused the SAPI to drop the Set-Cookie header; for
+ cache_limiter the value was silently truncated at the null byte.
 . A ValueError is not thrown if $name is a string containing null bytes in session_module_name().
 . session_encode() now returns an empty string instead of false for empty
diff --git a/ext/session/session.c b/ext/session/session.c
index 3985925ca2bc..aa6cfb311afa 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -734,6 +734,13 @@ static PHP_INI_MH(OnUpdateSessionStr)
 SESSION_CHECK_ACTIVE_STATE;
 SESSION_CHECK_OUTPUT_STATE;
+ if (new_value && zend_str_has_nul_byte(new_value)) {
+ if (stage != ZEND_INI_STAGE_DEACTIVATE) {
+ php_error_docref(NULL, E_WARNING, "\"%s\" must not contain null bytes", ZSTR_VAL(entry->name));
+ }
+ return FAILURE;
+ }
+
 return OnUpdateStr(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 }
diff --git a/ext/session/tests/session_str_settings_null_byte.phpt b/ext/session/tests/session_str_settings_null_byte.phpt
new file mode 100644
index 000000000000..693ec6971601
--- /dev/null
+++ b/ext/session/tests/session_str_settings_null_byte.phpt
@@ -0,0 +1,37 @@
+--TEST--
+session.cookie_path, session.cookie_domain, and session.cache_limiter must not contain null bytes
+--EXTENSIONS--
+session
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: ini_set(): "session.cookie_path" must not contain null bytes in %s on line %d
+bool(false)
+
+Warning: ini_set(): "session.cookie_domain" must not contain null bytes in %s on line %d
+bool(false)
+
+Warning: ini_set(): "session.cache_limiter" must not contain null bytes in %s on line %d
+bool(false)
+
+Warning: session_set_cookie_params(): "session.cookie_path" must not contain null bytes in %s on line %d
+bool(false)
+
+Warning: session_set_cookie_params(): "session.cookie_domain" must not contain null bytes in %s on line %d
+bool(false)
+Done
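Review bot: The guard added to OnUpdateSessionStr rejects NUL bytes only, yet per the UPGRADING text cookie_path and cookie_domain are written into the Set-Cookie header, where `;`, CR and LF are just as significant as NUL. Whether those characters are filtered somewhere else is not visible in this hunk, so it should be confirmed, or the check widened, before this handler is relied on as the validation point. Separately, the `stage != ZEND_INI_STAGE_DEACTIVATE` branch returns FAILURE silently and carries no comment; a one-line note such as `/* no warning while the INI value is being restored at deactivation */` would record the intent, assuming that is the reason. The function's opening lines lie before the hunk.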
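Review bot: The --EXPECTF-- section shows only the warning and `bool(false)` for each call, so nothing in the test pins the "leaves the setting unchanged" behaviour that UPGRADING documents. The --FILE-- body is not visible on this page, so this is read from the expected output alone. Printing the value after a rejected call, e.g. `var_dump(ini_get('session.cookie_path'));` with the matching expected line, would cover it.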