sesser Sat Jun 16 07:48:23 2007 UTC
Modified files: (Branch: PHP_4_4)
/php-src/ext/session session.c
Log:
MFH
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.19&r2=1.336.2.53.2.20&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.19
php-src/ext/session/session.c:1.336.2.53.2.20
--- php-src/ext/session/session.c:1.336.2.53.2.19 Fri Jun 15 22:45:25 2007
+++ php-src/ext/session/session.c Sat Jun 16 07:48:23 2007
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.336.2.53.2.19 2007/06/15 22:45:25 stas Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.20 2007/06/16 07:48:23 sesser Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -666,7 +666,7 @@
int vallen;
/* check session name for invalid characters */
- if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
efree(PS(id));
PS(id) = NULL;
}
@@ -918,6 +918,7 @@
{
smart_str ncookie = {0};
char *date_fmt = NULL;
+ char *e_session_name, *e_id;
if (SG(headers_sent)) {
char *output_start_filename =
php_get_output_start_filename(TSRMLS_C);
@@ -931,11 +932,18 @@
}
return;
}
+
+ /* URL encode session_name and id because they might be user supplied */
+ e_session_name = php_url_encode(PS(session_name),
strlen(PS(session_name)), NULL);
+ e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
smart_str_appends(&ncookie, COOKIE_SET_COOKIE);
- smart_str_appends(&ncookie, PS(session_name));
+ smart_str_appends(&ncookie, e_session_name);
smart_str_appendc(&ncookie, '=');
- smart_str_appends(&ncookie, PS(id));
+ smart_str_appends(&ncookie, e_id);
+
+ efree(e_session_name);
+ efree(e_id);
if (PS(cookie_lifetime) > 0) {
struct timeval tv;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
