[EMAIL PROTECTED] wrote:
> On Wed, 12 Jun 2002, Yasuo Ohgaki wrote:
>
>> Sascha Schumann wrote:
>>
>>> sas Wed Jun 12 04:18:38 2002 EDT
>>>
>>> Modified files:
>>> /php4/ext/session php_session.h session.c
>>> Log:
>>> This option enables administrators to make their users invulnerable to
>>> attacks which involve passing session ids in URLs.
>>>
>>
>> I'm +1 for merging this patch into the release branch.
>
> -1 on that, as it's a new feature.
>
I noticed this risk a long time ago, and I think it's a kind of security fix, as Sascha's comment says, isn't it?

--
Yasuo Ohgaki

> Derick
>
>
>>>Index: php4/ext/session/php_session.h >>>diff -u php4/ext/session/php_session.h:1.79 php4/ext/session/php_session.h:1.80 >>>--- php4/ext/session/php_session.h:1.79 Sun May 5 12:39:49 2002 >>>+++ php4/ext/session/php_session.h Wed Jun 12 04:18:33 2002 >>>@@ -113,6 +113,7 @@ >>> zval *http_session_vars; >>> zend_bool auto_start; >>> zend_bool use_cookies; >>>+ zend_bool use_only_cookies; >>> zend_bool use_trans_sid; /* contains the INI value of whether to use >trans-sid */ >>> zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the >current request */ >>> } php_ps_globals; >>>Index: php4/ext/session/session.c >>>diff -u php4/ext/session/session.c:1.308 php4/ext/session/session.c:1.309 >>>--- php4/ext/session/session.c:1.308 Mon May 13 13:28:37 2002 >>>+++ php4/ext/session/session.c Wed Jun 12 04:18:36 2002 >>>@@ -17,7 +17,7 @@ >>> +----------------------------------------------------------------------+ >>> */ >>> >>>-/* $Id: session.c,v 1.308 2002/05/13 17:28:37 andrei Exp $ */ >>>+/* $Id: session.c,v 1.309 2002/06/12 08:18:36 sas Exp $ */ >>> >>> #ifdef HAVE_CONFIG_H >>> #include "config.h"
>>>@@ -131,6 +131,7 @@ >>> STD_PHP_INI_ENTRY("session.cookie_domain", "", > PHP_INI_ALL, OnUpdateString, cookie_domain, >php_ps_globals, ps_globals) >>> STD_PHP_INI_BOOLEAN("session.cookie_secure", "", > PHP_INI_ALL, OnUpdateBool, cookie_secure, >php_ps_globals, ps_globals) >>> STD_PHP_INI_BOOLEAN("session.use_cookies", "1", > PHP_INI_ALL, OnUpdateBool, use_cookies, >php_ps_globals, ps_globals) >>>+ STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", >PHP_INI_ALL, OnUpdateBool, use_only_cookies, >php_ps_globals, ps_globals) >>> STD_PHP_INI_ENTRY("session.referer_check", "", > PHP_INI_ALL, OnUpdateString, extern_referer_chk, >php_ps_globals, ps_globals) >>> STD_PHP_INI_ENTRY("session.entropy_file", "", > PHP_INI_ALL, OnUpdateString, entropy_file, >php_ps_globals, ps_globals) >>> STD_PHP_INI_ENTRY("session.entropy_length", "0", > PHP_INI_ALL, OnUpdateInt, entropy_length, >php_ps_globals, ps_globals) >>>@@ -839,7 +840,7 @@ >>> define_sid = 0; >>> } >>> >>>- if (!PS(id) && >>>+ if (!PS(use_only_cookies) && !PS(id) && >>> zend_hash_find(&EG(symbol_table), "_GET", >>> sizeof("_GET"), (void **) &data) == SUCCESS && >>> Z_TYPE_PP(data) == IS_ARRAY && >>>@@ -849,7 +850,7 @@ >>> send_cookie = 0; >>> } >>> >>>- if (!PS(id) && >>>+ if (!PS(use_only_cookies) && !PS(id) && >>> zend_hash_find(&EG(symbol_table), "_POST", >>> sizeof("_POST"), (void **) &data) == SUCCESS && >>> Z_TYPE_PP(data) == IS_ARRAY && 
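Review bot: the new `session.use_only_cookies` entry in the @@ -131 hunk is registered as PHP_INI_ALL with default "0", but the patch adds no php.ini-dist/php.ini-recommended line and no documentation for it. Please add the ini entry and a note that the option has to be in effect before the id lookup guarded at @@ -839 runs (i.e. set in php.ini or via ini_set() before session_start()), and consider whether a hardening option that "administrators" set belongs under PHP_INI_SYSTEM|PHP_INI_PERDIR rather than PHP_INI_ALL, where any script can reset it to 0 at runtime.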
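Review bot: in the @@ -839 hunk (and identically in @@ -849 for _POST) the guard `!PS(use_only_cookies) && !PS(id) &&` is pasted verbatim in front of each id source, so a future source added to this chain can silently miss the check; suggest hoisting it once, e.g. `if (!PS(use_only_cookies)) { ... }` around the _GET/_POST/REQUEST_URI lookups, or a local `allow_non_cookie_id`. The hunk also does nothing about the interaction with `session.use_cookies` (default "1" in the same INI table): an administrator who sets use_only_cookies=1 while use_cookies is off appears to have disabled every way this code can receive an id, which deserves at least a doc note next to the new INI entry, or a warning at session start.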
>>>@@ -864,7 +865,7 @@ >>> '<session-name>=<session-id>' to allow URLs of the form >>> http://yoursite/<session-name>=<session-id>/script.php */ >>> >>>- if (!PS(id) && >>>+ if (!PS(use_only_cookies) && !PS(id) && >>> zend_hash_find(&EG(symbol_table), "REQUEST_URI", >>> sizeof("REQUEST_URI"), (void **) &data) == SUCCESS && >>> Z_TYPE_PP(data) == IS_STRING &&
>>>
>>
>> --
>> PHP Development Mailing List <http://www.php.net/>
>> To unsubscribe, visit: http://www.php.net/unsub.php
>
> ---------------------------------------------------------------------------
> Did I help you? http://www.jdimedia.nl/derick/link.php?url=giftlist
> Frequent ranting: http://www.jdimedia.nl/derick/
> ---------------------------------------------------------------------------
> PHP: Scripting the Web - [EMAIL PROTECTED]
> All your branches are belong to me!
> SRM: Script Running Machine - www.vl-srm.net
> ---------------------------------------------------------------------------
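Review bot: the @@ -864 hunk stops the id being parsed out of REQUEST_URI, but nothing in the patch touches `use_trans_sid`/`apply_trans_sid` (the two fields directly below the new one in php_session.h) or the `define_sid = 0;` path in the @@ -839 context, so with use_trans_sid=1 the engine keeps rewriting session ids into the URLs it emits while this same server now ignores them on the way back in. Suggest that use_only_cookies also force apply_trans_sid off, or that the INI documentation state the two must not be combined; the log message's "invulnerable" also overstates what the option does, since it only controls which request sources an id is read from.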
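For practitioners reading the thread, the following is an added example and not code from the thread, from Sascha's patch, or from the PHP source tree. It shows the session-fixation scenario the log message refers to (a constructed URL carrying an attacker-chosen id `deadbeef`) under the default settings visible in the patch's INI table, and the hardened configuration that sets `session.use_only_cookies` before `session_start()`. The function names `harden_session`, `detect_url_session_id` and `login` are illustrative; the example assumes the option behaves as the patch's guards describe and uses `session_regenerate_id(true)`, which needs PHP 5.1 or later.

```php
<?php
// Added example, not code from the thread or from the PHP source tree.
// Assumes session.use_only_cookies as introduced by the patch (PHP_INI_ALL,
// so ini_set() before session_start() takes effect).
//
// Weak configuration (the defaults visible in the patch's INI table):
//   session.use_cookies      = 1
//   session.use_only_cookies = 0   ; id also taken from _GET, _POST, REQUEST_URI
//
// Fixation scenario (constructed for illustration): the attacker sends the
// victim to
//   http://victim-site.example/login.php?PHPSESSID=deadbeef
// With use_only_cookies=0, session_start() adopts "deadbeef" from the query
// string, the victim authenticates inside that session, and the attacker,
// who chose the id, presents the same value as a cookie and is logged in too.

function harden_session(): void
{
    // Hardened configuration. In production put these in php.ini:
    //   session.use_cookies      = 1
    //   session.use_only_cookies = 1
    //   session.use_trans_sid    = 0
    // ini_set() is used here only so the example is self-contained.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');   // ignore ids from URL and POST body
    ini_set('session.use_trans_sid', '0');      // stop rewriting ids into emitted URLs
}

function detect_url_session_id(): bool
{
    // With use_only_cookies=1 the engine ignores a URL-supplied id, but its
    // presence is still a signal worth logging as a fixation attempt.
    $name = session_name();                     // "PHPSESSID" unless reconfigured
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        error_log(sprintf('session id "%s" passed in request parameters from %s',
            $_GET[$name] ?? $_POST[$name], $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return true;
    }
    return false;
}

function login(string $user): void
{
    // Defence in depth independent of the ini option: issue a fresh id on
    // privilege change, so an id the attacker fixed is never the one that
    // becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

harden_session();
detect_url_session_id();
session_start();

// Under the hardened settings session_id() is never the attacker's value,
// even when ?PHPSESSID=deadbeef was present in the request.
assert(session_id() !== 'deadbeef');
```

The ini_set() calls only work because the patch registers the option as PHP_INI_ALL; an administrator who wants the setting to be tamper-proof should place it in php.ini instead, where a script cannot switch it back to 0.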