[EMAIL PROTECTED] wrote:
> On Wed, 12 Jun 2002, Yasuo Ohgaki wrote:
> 
> 
>>Sascha Schumann wrote:
>>
>>>sas          Wed Jun 12 04:18:38 2002 EDT
>>>
>>>  Modified files:              
>>>    /php4/ext/session        php_session.h session.c 
>>>  Log:
>>>  This option enables administrators to make their users invulnerable to
>>>  attacks which involve passing session ids in URLs.
>>>  
>>
>>I'm +1 for merging this patch into the release branch.
> 
> 
> -1 on that, as it's a new feature.
> 

I noticed this risk a long time ago, and I think it's a kind of
security fix, as Sascha's comment says, isn't it?

--
Yasuo Ohgaki


> Derick
> 
> 
>>>Index: php4/ext/session/php_session.h
>>>diff -u php4/ext/session/php_session.h:1.79 php4/ext/session/php_session.h:1.80
>>>--- php4/ext/session/php_session.h:1.79      Sun May  5 12:39:49 2002
>>>+++ php4/ext/session/php_session.h   Wed Jun 12 04:18:33 2002
>>>@@ -113,6 +113,7 @@
>>>     zval *http_session_vars;
>>>     zend_bool auto_start;
>>>     zend_bool use_cookies;
>>>+    zend_bool use_only_cookies;
>>>     zend_bool use_trans_sid;        /* contains the INI value of whether to use 
>trans-sid */
>>>     zend_bool apply_trans_sid;      /* whether or not to enable trans-sid for the 
>current request */
>>> } php_ps_globals;
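Review bot: the new `zend_bool use_only_cookies;` field is the only member in this part of `php_ps_globals` without a trailing comment, while its neighbours `use_trans_sid` and `apply_trans_sid` each document what they hold. Suggest a short comment such as `/* INI value: accept session ids from cookies only */` so the header stays self-describing.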
>>>Index: php4/ext/session/session.c
>>>diff -u php4/ext/session/session.c:1.308 php4/ext/session/session.c:1.309
>>>--- php4/ext/session/session.c:1.308 Mon May 13 13:28:37 2002
>>>+++ php4/ext/session/session.c       Wed Jun 12 04:18:36 2002
>>>@@ -17,7 +17,7 @@
>>>    +----------------------------------------------------------------------+
>>>  */
>>> 
>>>-/* $Id: session.c,v 1.308 2002/05/13 17:28:37 andrei Exp $ */
>>>+/* $Id: session.c,v 1.309 2002/06/12 08:18:36 sas Exp $ */
>>> 
>>> #ifdef HAVE_CONFIG_H
>>> #include "config.h"
>>>@@ -131,6 +131,7 @@
>>>     STD_PHP_INI_ENTRY("session.cookie_domain",              "",                    
>         PHP_INI_ALL, OnUpdateString,            cookie_domain,          
>php_ps_globals, ps_globals)
>>>     STD_PHP_INI_BOOLEAN("session.cookie_secure",            "",                    
>         PHP_INI_ALL, OnUpdateBool,              cookie_secure,          
>php_ps_globals, ps_globals)
>>>     STD_PHP_INI_BOOLEAN("session.use_cookies",              "1",                   
> PHP_INI_ALL, OnUpdateBool,                      use_cookies,            
>php_ps_globals, ps_globals)
>>>+    STD_PHP_INI_BOOLEAN("session.use_only_cookies",         "0",            
>PHP_INI_ALL, OnUpdateBool,                      use_only_cookies,       
>php_ps_globals, ps_globals)
>>>     STD_PHP_INI_ENTRY("session.referer_check",              "",                    
>         PHP_INI_ALL, OnUpdateString,            extern_referer_chk,     
>php_ps_globals, ps_globals)
>>>     STD_PHP_INI_ENTRY("session.entropy_file",               "",                    
>         PHP_INI_ALL, OnUpdateString,            entropy_file,           
>php_ps_globals, ps_globals)
>>>     STD_PHP_INI_ENTRY("session.entropy_length",             "0",                   
> PHP_INI_ALL, OnUpdateInt,                       entropy_length,         
>php_ps_globals, ps_globals)
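Review bot: the new `session.use_only_cookies` entry defaults to `"0"` and is registered `PHP_INI_ALL`, so it changes nothing unless someone opts in, and a script can flip it back at runtime with `ini_set()`. Since the log message frames this as a control for administrators, consider whether `PHP_INI_SYSTEM` or `PHP_INI_PERDIR` is the intended scope, and add the directive with a description to the shipped php.ini files, which this patch does not touch.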
>>>@@ -839,7 +840,7 @@
>>>                     define_sid = 0;
>>>             }
>>> 
>>>-            if (!PS(id) &&
>>>+            if (!PS(use_only_cookies) && !PS(id) &&
>>>                             zend_hash_find(&EG(symbol_table), "_GET",
>>>                                     sizeof("_GET"), (void **) &data) == SUCCESS &&
>>>                             Z_TYPE_PP(data) == IS_ARRAY &&
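Review bot: the `!PS(use_only_cookies)` guard stops the id from being read out of `_GET`, but nothing in this patch touches the `use_trans_sid` / `apply_trans_sid` handling declared in the header, so with trans-sid enabled the id will still be written into URLs while no longer being accepted from them. Suggest documenting that interaction, or having `use_only_cookies` force `apply_trans_sid` off for the request.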
>>>@@ -849,7 +850,7 @@
>>>                     send_cookie = 0;
>>>             }
>>> 
>>>-            if (!PS(id) &&
>>>+            if (!PS(use_only_cookies) && !PS(id) &&
>>>                             zend_hash_find(&EG(symbol_table), "_POST",
>>>                                     sizeof("_POST"), (void **) &data) == SUCCESS &&
>>>                             Z_TYPE_PP(data) == IS_ARRAY &&
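Review bot: the prefix `!PS(use_only_cookies) && !PS(id) &&` is now repeated verbatim in the `_GET`, `_POST` and `REQUEST_URI` conditions. A single `if (!PS(use_only_cookies))` around the whole fallback lookup block would express the intent once and make it impossible for a future id source to be added without the guard.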
>>>@@ -864,7 +865,7 @@
>>>        '<session-name>=<session-id>' to allow URLs of the form
>>>        http://yoursite/<session-name>=<session-id>/script.php */
>>> 
>>>-    if (!PS(id) &&
>>>+    if (!PS(use_only_cookies) && !PS(id) &&
>>>                     zend_hash_find(&EG(symbol_table), "REQUEST_URI",
>>>                             sizeof("REQUEST_URI"), (void **) &data) == SUCCESS &&
>>>                     Z_TYPE_PP(data) == IS_STRING &&
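Review bot: the comment context above this hunk shows the path-embedded form `http://yoursite/<session-name>=<session-id>/script.php`, and the guard covers it along with the query string and the POST body. The log message says only "passing session ids in URLs"; it should state that all three sources (GET, POST, REQUEST_URI) are disabled, since a reader could otherwise assume POST-supplied ids are still honoured.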
>>>
>>>
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
