iliaa Sun Jan 15 16:51:18 2006 UTC
Modified files: (Branch: PHP_5_1)
/php-src NEWS
/php-src/ext/session session.c
Log:
Added a check for special characters in the session name.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS?r1=1.2027.2.355&r2=1.2027.2.356&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.355 php-src/NEWS:1.2027.2.356
--- php-src/NEWS:1.2027.2.355 Sat Jan 14 15:24:06 2006
+++ php-src/NEWS Sun Jan 15 16:51:18 2006
@@ -1,6 +1,7 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2006, PHP 5.1.3
+- Added a check for special characters in the session name. (Ilia)
- Added "consumed" stream filter. (Marcus)
- Added new mysqli constants for BIT and NEW_DECIMAL field types:
MYSQLI_TYPE_NEWDECIMAL and MYSQLI_TYPE_BIT. FR #36007. (Georg)
http://cvs.php.net/viewcvs.cgi/php-src/ext/session/session.c?r1=1.417.2.5&r2=1.417.2.6&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.417.2.5
php-src/ext/session/session.c:1.417.2.6
--- php-src/ext/session/session.c:1.417.2.5 Sun Jan 1 12:50:12 2006
+++ php-src/ext/session/session.c Sun Jan 15 16:51:18 2006
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.417.2.5 2006/01/01 12:50:12 sniper Exp $ */
+/* $Id: session.c,v 1.417.2.6 2006/01/15 16:51:18 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -741,6 +741,12 @@
char *val;
int vallen;
+ /* check session name for invalid characters */
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+ efree(PS(id));
+ PS(id) = NULL;
+ }
+
if (!PS(mod)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module
chosen - failed to initialize session.");
return;
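Review bot: The comment added at the top of the new block says "session name", but the value tested is PS(id), the session id, so the comment (and the commit log) mislabels what is validated; `/* discard a session id containing whitespace, quotes, angle brackets or a backslash */` would match the strpbrk set. The filter is a denylist, so other control bytes, `;`, `/` and non-ASCII bytes still pass; if the id generator's alphabet is fixed, an allowlist such as `if (PS(id) && PS(id)[strspn(PS(id), "<GENERATOR_ALPHABET>")] != '\0')` rejects everything the generator cannot produce instead of only the listed characters. When the id is dropped nothing is logged, so a malformed id is silently replaced (presumably by a freshly generated one further down, which is not visible in the hunk); an E_NOTICE via php_error_docref at that point would make such requests visible to operators. The enclosing function starts before the hunk.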