sesser Sat Jun 16 07:48:07 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src/ext/session session.c
Log:
MFH
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.36&r2=1.417.2.8.2.37&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.417.2.8.2.36
php-src/ext/session/session.c:1.417.2.8.2.37
--- php-src/ext/session/session.c:1.417.2.8.2.36 Fri Jun 15 22:40:00 2007
+++ php-src/ext/session/session.c Sat Jun 16 07:48:07 2007
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.417.2.8.2.36 2007/06/15 22:40:00 stas Exp $ */
+/* $Id: session.c,v 1.417.2.8.2.37 2007/06/16 07:48:07 sesser Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -807,7 +807,7 @@
int vallen;
/* check session name for invalid characters */
- if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
efree(PS(id));
PS(id) = NULL;
}
@@ -1080,6 +1080,7 @@
{
smart_str ncookie = {0};
char *date_fmt = NULL;
+ char *e_session_name, *e_id;
if (SG(headers_sent)) {
char *output_start_filename =
php_get_output_start_filename(TSRMLS_C);
@@ -1093,11 +1094,18 @@
}
return;
}
+
+ /* URL encode session_name and id because they might be user supplied */
+ e_session_name = php_url_encode(PS(session_name),
strlen(PS(session_name)), NULL);
+ e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
- smart_str_appends(&ncookie, PS(session_name));
+ smart_str_appends(&ncookie, e_session_name);
smart_str_appendc(&ncookie, '=');
- smart_str_appends(&ncookie, PS(id));
+ smart_str_appends(&ncookie, e_id);
+
+ efree(e_session_name);
+ efree(e_id);
if (PS(cookie_lifetime) > 0) {
struct timeval tv;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
