Re: [PHP-CVS] cvs: php-src /ext/session session.c

Sat, 16 Jun 2007 01:31:52 -0700

That's nice. Could you now explain why you need these symbols in session IDs? 

Stefan Esser wrote:

sesser          Sat Jun 16 07:47:46 2007 UTC
Modified files: /php-src/ext/session session.c Log: Fix attribute injection security bug correctly by URL encoding session name and session value. (in future maybe encode path/domain, too) Remove backward compatibility breaking blacklist of characters. http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.472&r2=1.473&diff_format=u 
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.472 php-src/ext/session/session.c:1.473
--- php-src/ext/session/session.c:1.472 Fri Jun 15 22:42:43 2007
+++ php-src/ext/session/session.c       Sat Jun 16 07:47:46 2007
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
-/* $Id: session.c,v 1.472 2007/06/15 22:42:43 stas Exp $ */ 
+/* $Id: session.c,v 1.473 2007/06/16 07:47:46 sesser Exp $ */
#ifdef HAVE_CONFIG_H 
 #include "config.h"
@@ -398,7 +398,7 @@
        int vallen;
/* check session name for invalid characters */ 
-       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
+       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
                efree(PS(id));
                PS(id) = NULL;
        }
@@ -1069,6 +1069,7 @@
 {
        smart_str ncookie = {0};
        char *date_fmt = NULL;
+       char *e_session_name, *e_id;
if (SG(headers_sent)) { 
                char *output_start_filename = 
php_output_get_start_filename(TSRMLS_C);
@@ -1082,11 +1083,18 @@
                }       
                return;
        }
+       
+       /* URL encode session_name and id because they might be user supplied */
+       e_session_name = php_url_encode(PS(session_name), 
strlen(PS(session_name)), NULL);
+       e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
smart_str_appends(&ncookie, COOKIE_SET_COOKIE); 
-       smart_str_appends(&ncookie, PS(session_name));
+       smart_str_appends(&ncookie, e_session_name);
        smart_str_appendc(&ncookie, '=');
-       smart_str_appends(&ncookie, PS(id));
+       smart_str_appends(&ncookie, e_id);
+       
+       efree(e_session_name);
+       efree(e_id);
        
        if (PS(cookie_lifetime) > 0) {
                struct timeval tv;



--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to