fix: protect internal session keys in set and __set methods

Author: gr8man

system/Session/Session.php

@@ -303,6 +303,10 @@ public function set($data, $value = null)
         }
 
         foreach ($data as $sessionKey => $sessionValue) {
+            if (is_string($sessionKey) && str_starts_with($sessionKey, '__ci_')) {
+                continue;
+            }
+
             $_SESSION[$sessionKey] = $sessionValue;
         }
     }
@@ -370,6 +374,10 @@ public function remove($key)
      */
     public function __set(string $key, $value)
     {
+        if (str_starts_with($key, '__ci_')) {
+            return;
+        }
+
         $_SESSION[$key] = $value;
     }
 

tests/system/Session/SessionTest.php

@@ -328,6 +328,30 @@ public function testSetMagicMethod(): void
         $this->assertSame('bar', $_SESSION['foo']);
     }
 
+    public function testSetIgnoresCiVars(): void
+    {
+        $session = $this->getInstance();
+        $session->start();
+
+        $session->set('__ci_vars', 'malicious');
+        $session->set('__ci_last_regenerate', 'malicious');
+
+        $this->assertArrayNotHasKey('__ci_vars', $_SESSION);
+        $this->assertNotSame('malicious', $_SESSION['__ci_last_regenerate']);
+    }
+
+    public function testSetMagicMethodIgnoresCiVars(): void
+    {
+        $session = $this->getInstance();
+        $session->start();
+
+        $session->__ci_vars = 'malicious'; // @phpstan-ignore property.notFound
+        $session->__ci_last_regenerate = 'malicious'; // @phpstan-ignore property.notFound
+
+        $this->assertArrayNotHasKey('__ci_vars', $_SESSION);
+        $this->assertNotSame('malicious', $_SESSION['__ci_last_regenerate']);
+    }
+
     public function testCanFlashData(): void
     {
         $session = $this->getInstance();