ZF-2077: Zend_Session_Namespace allows invalid namespaces


Zend_Session_Namespace allows invalid namespace names like "0" to be used as the namespace. This is a problem because 0 is not a valid key of $_SESSION. From the PHP manual:

"The keys in the $_SESSION associative array are subject to the same limitations as regular variable names in PHP, i.e. they cannot start with a number and must start with a letter or underscore. For more details see the section on variables in this manual."

This is because of register_globals compatibility. Also, see bug #42472:

Trying to set $_SESSION[0] produces an E_NOTICE message of the following form: Notice: Unknown: Skipping numeric key 0. in Unknown on line 0

$_SESSION[0] is never stored persistently either.

Zend_Session_Namespace should validate the namespace passed so that it meets the requirements specified in the PHP manual: It must start with a letter or underscore.
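
The validation requested above, sketched as an added example; this is not Zend Framework code or the patch attached to this issue. The helper name sessionNamespaceError() and the sample names are hypothetical, and the check covers only the first-character rule quoted from the PHP manual.

```php
<?php
// Added example: hypothetical helper, not part of Zend_Session_Namespace.

/**
 * Returns null when $name satisfies the rule quoted in this issue
 * (a $_SESSION key must start with a letter or underscore),
 * otherwise a short reason string.
 */
function sessionNamespaceError($name)
{
    if (!is_string($name) || $name === '') {
        return 'must be a non-empty string';
    }
    if (!preg_match('/^[A-Za-z_]/', $name)) {
        return 'must start with a letter or underscore';
    }
    return null;
}

// Why the string "0" is affected at all: PHP casts decimal-integer
// strings to int when they are used as array keys, so a namespace
// named "0" is written to $_SESSION[0], the numeric key that the
// session layer skips with the E_NOTICE quoted in this issue.
$probe = array('0' => 'x');
$castKey = key($probe);

// Constructed sample names, checked before they would reach $_SESSION.
$samples = array('Default', '_cart', '0', '42', '9lives', '');
foreach ($samples as $name) {
    $err = sessionNamespaceError($name);
    printf(
        "%-10s %s\n",
        var_export($name, true),
        $err === null ? 'ok' : 'rejected: ' . $err
    );
}
printf("array key type for '0': %s\n", gettype($castKey));
```

Rejecting the name when the namespace object is constructed turns the silent loss of session data into an immediate, visible error in the calling code.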


Any word on committing fixes for this issue? Should I reassign to myself?

Yes! Please Darby.

I am having some particular issues these days and I can't look at this issue now. Thank you.

Thanks for the update; I've reassigned to myself. :) If you find time to work on this and it hasn't been resolved yet, please feel free to reassign.

Changed nature of issue to Improvement and priority to minor, since an easy workaround is present (don't present keys that are illegal according to the manual).

This issue should have been fixed for the 1.5 release.

This doesn't appear to have been fixed in 1.5.0. Please update if this is not correct.

Updating project management info.

Attached is my proposed patch.

Patch looks good, commit away

This has been fixed with r13337