tony2001 Wed Dec 20 19:31:28 2006 UTC
Modified files: (Branch: PHP_5_2)
/php-src/ext/session session.c
Log:
protect _SESSION, HTTP_SESSION_VARS and GLOBALS
maintain an internal reference of _SESSION, so that it won't be possible to
destroy it from userspace
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.20&r2=1.417.2.8.2.21&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.417.2.8.2.20
php-src/ext/session/session.c:1.417.2.8.2.21
--- php-src/ext/session/session.c:1.417.2.8.2.20 Mon Dec 4 15:58:48 2006
+++ php-src/ext/session/session.c Wed Dec 20 19:31:28 2006
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.417.2.8.2.20 2006/12/04 15:58:48 tony2001 Exp $ */
+/* $Id: session.c,v 1.417.2.8.2.21 2006/12/20 19:31:28 tony2001 Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -465,6 +465,8 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+ int globals_on = PG(register_globals);
+ int longarrays_on = PG(register_long_arrays);
PHP_VAR_UNSERIALIZE_INIT(var_hash);
@@ -475,15 +477,22 @@
name = estrndup(p + 1, namelen);
p += namelen + 1;
-
- if (has_value) {
- ALLOC_INIT_ZVAL(current);
- if (php_var_unserialize(¤t, (const unsigned char
**) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
- php_set_session_var(name, namelen, current,
&var_hash TSRMLS_CC);
+ if (globals_on && namelen == sizeof("_SESSION")-1 &&
!memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
+ /* _SESSION hijack attempt */
+ } else if (globals_on && namelen == sizeof("GLOBALS")-1 &&
!memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ /* _GLOBALS hijack attempt */
+ } else if (globals_on && longarrays_on && namelen ==
sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS")-1)) {
+ /* HTTP_SESSION_VARS hijack attempt */
+ } else {
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const
unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+ php_set_session_var(name, namelen,
current, &var_hash TSRMLS_CC);
+ }
+ zval_ptr_dtor(¤t);
}
- zval_ptr_dtor(¤t);
+ PS_ADD_VARL(name, namelen);
}
- PS_ADD_VARL(name, namelen);
efree(name);
}
@@ -535,6 +544,8 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+ int globals_on = PG(register_globals);
+ int longarrays_on = PG(register_long_arrays);
PHP_VAR_UNSERIALIZE_INIT(var_hash);
@@ -556,14 +567,22 @@
name = estrndup(p, namelen);
q++;
- if (has_value) {
- ALLOC_INIT_ZVAL(current);
- if (php_var_unserialize(¤t, (const unsigned char
**) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
- php_set_session_var(name, namelen, current,
&var_hash TSRMLS_CC);
+ if (globals_on && namelen == sizeof("_SESSION")-1 &&
!memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
+ /* _SESSION hijack attempt */
+ } else if (globals_on && namelen == sizeof("GLOBALS")-1 &&
!memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ /* GLOBALS hijack attempt */
+ } else if (globals_on && longarrays_on && namelen ==
sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS")-1)) {
+ /* HTTP_SESSION_VARS hijack attempt */
+ } else {
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(¤t, (const
unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+ php_set_session_var(name, namelen,
current, &var_hash TSRMLS_CC);
+ }
+ zval_ptr_dtor(¤t);
}
- zval_ptr_dtor(¤t);
+ PS_ADD_VARL(name, namelen);
}
- PS_ADD_VARL(name, namelen);
efree(name);
p = q;
@@ -583,16 +602,20 @@
zend_delete_global_variable("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS")-1 TSRMLS_CC);
zend_delete_global_variable("_SESSION", sizeof("_SESSION")-1 TSRMLS_CC);
+ if (PS(http_session_vars)) {
+ zval_ptr_dtor(&PS(http_session_vars));
+ }
+
MAKE_STD_ZVAL(session_vars);
array_init(session_vars);
PS(http_session_vars) = session_vars;
if (PG(register_long_arrays)) {
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 2, 1);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 3, 1);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 3, 1);
}
else {
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 1, 0);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 2, 1);
}
}
@@ -1828,6 +1851,10 @@
static void php_rshutdown_session_globals(TSRMLS_D)
{
+ if (PS(http_session_vars)) {
+ zval_ptr_dtor(&PS(http_session_vars));
+ PS(http_session_vars) = NULL;
+ }
if (PS(mod_data)) {
zend_try {
PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
