iliaa Sun Jan 15 16:52:11 2006 UTC
Modified files: (Branch: PHP_4_4)
/php-src NEWS
/php-src/ext/session session.c
Log:
MFH: Added a check for special characters in the session name.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS?r1=1.1247.2.920.2.110&r2=1.1247.2.920.2.111&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.110 php-src/NEWS:1.1247.2.920.2.111
--- php-src/NEWS:1.1247.2.920.2.110 Thu Jan 12 17:55:04 2006
+++ php-src/NEWS Sun Jan 15 16:52:10 2006
@@ -1,6 +1,7 @@
 PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
+- Added a check for special characters in the session name. (Ilia)
 
 13 Jan 2006, Version 4.4.2
 - Added missing safe_mode/open_basedir checks into cURL extension. (Ilia)
http://cvs.php.net/viewcvs.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.4&r2=1.336.2.53.2.5&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.4 php-src/ext/session/session.c:1.336.2.53.2.5
--- php-src/ext/session/session.c:1.336.2.53.2.4 Sun Jan 1 13:46:56 2006
+++ php-src/ext/session/session.c Sun Jan 15 16:52:10 2006
@@ -17,7 +17,7 @@
 +----------------------------------------------------------------------+
 */
 
-/* $Id: session.c,v 1.336.2.53.2.4 2006/01/01 13:46:56 sniper Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.5 2006/01/15 16:52:10 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -626,6 +626,12 @@
 char *val;
 int vallen;
 
+ /* check session name for invalid characters */
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+ efree(PS(id));
+ PS(id) = NULL;
+ }
+
 if (!PS(mod)) {
 php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed to initialize session.");
 return;
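Review bot: The comment `/* check session name for invalid characters */` (like the log and NEWS wording) says "session name", but the value being guarded is PS(id), the session identifier supplied by the request, so a reader looking for session-name validation is misled; the comment should read `/* discard a request-supplied session id containing characters unsafe in headers or paths */`. The filter is a deny-list of eight bytes, whereas the id is something PHP generates from a fixed alphabet, so an allow-list (strspn over the characters the generator can emit, rejecting the id when any other byte is present) is the more robust form and would also cover bytes such as '/' or '.' that presumably matter if a storage module derives a file path from the id. The rejected id is dropped silently; raising an E_NOTICE on this path would make such requests visible in logs. The enclosing function begins and ends outside the hunk.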