iliaa                                    Mon, 26 Apr 2010 18:35:54 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298608

Log:
Fixed handling of session variable serialization on certain prefix characters. 
Reported by Stefan Esser

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/session/session.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/session/session.c
    U   php/php-src/trunk/ext/session/session.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-04-26 18:35:54 UTC (rev 298608)
@@ -11,6 +11,8 @@
 - Reset error state in PDO::beginTransaction() reset error state. (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)

 - Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading).
   (Pierre)

Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/session/session.c  2010-04-26 18:27:10 UTC 
(rev 298607)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c  2010-04-26 18:35:54 UTC 
(rev 298608)
@@ -813,7 +813,7 @@

        PS_ENCODE_LOOP(
                        smart_str_appendl(&buf, key, key_length);
-                       if (memchr(key, PS_DELIMITER, key_length)) {
+                       if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
                                PHP_VAR_SERIALIZE_DESTROY(var_hash);
                                smart_str_free(&buf);
                                return FAILURE;

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-26 18:35:54 UTC (rev 298608)
@@ -17,6 +17,8 @@
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results).
   (Charles_Duffy at dell dot com )

+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)

Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/session.c  2010-04-26 18:27:10 UTC 
(rev 298607)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c  2010-04-26 18:35:54 UTC 
(rev 298608)
@@ -895,7 +895,7 @@

        PS_ENCODE_LOOP(
                        smart_str_appendl(&buf, key, key_length);
-                       if (memchr(key, PS_DELIMITER, key_length)) {
+                       if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
                                PHP_VAR_SERIALIZE_DESTROY(var_hash);
                                smart_str_free(&buf);
                                return FAILURE;

Modified: php/php-src/trunk/ext/session/session.c
===================================================================
--- php/php-src/trunk/ext/session/session.c     2010-04-26 18:27:10 UTC (rev 
298607)
+++ php/php-src/trunk/ext/session/session.c     2010-04-26 18:35:54 UTC (rev 
298608)
@@ -770,7 +770,7 @@

        PS_ENCODE_LOOP(
                        smart_str_appendl(&buf, key, key_length);
-                       if (memchr(key, PS_DELIMITER, key_length)) {
+                       if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
                                PHP_VAR_SERIALIZE_DESTROY(var_hash);
                                smart_str_free(&buf);
                                return FAILURE;

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to