iliaa Mon, 26 Apr 2010 18:35:54 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=298608
Log:
Fixed handling of session variable serialization on certain prefix characters.
Reported by Stefan Esser
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/session/session.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/session/session.c
U php/php-src/trunk/ext/session/session.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-04-26 18:35:54 UTC (rev 298608)
@@ -11,6 +11,8 @@
- Reset error state in PDO::beginTransaction() reset error state. (Ilia)
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed handling of session variable serialization on certain prefix
+ characters. Reported by Stefan Esser (Ilia)
- Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading).
(Pierre)
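Review bot: The added NEWS entry (the two `+` lines) says "certain prefix characters" without naming the character or the serializer involved. The session.c change in this same commit rejects keys containing PS_UNDEF_MARKER, so the entry could say that directly. Unlike the XML-RPC entry just above it, the new entry also carries no bug or CVE reference; add one if an identifier exists.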
Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/session/session.c 2010-04-26 18:27:10 UTC
(rev 298607)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c 2010-04-26 18:35:54 UTC
(rev 298608)
@@ -813,7 +813,7 @@
PS_ENCODE_LOOP(
smart_str_appendl(&buf, key, key_length);
- if (memchr(key, PS_DELIMITER, key_length)) {
+ if (memchr(key, PS_DELIMITER, key_length) ||
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(&buf);
return FAILURE;
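Review bot: In the changed `if`, the new memchr(key, PS_UNDEF_MARKER, key_length) test still runs after smart_str_appendl(&buf, key, key_length), so a rejected key has already been copied into buf. That is harmless here because the failure path calls smart_str_free(&buf), but moving the check above the append would make the validate-then-write order explicit. The condition also gives no reason for rejecting PS_UNDEF_MARKER in a key; a one-line comment explaining it would help the next reader.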
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-26 18:35:54 UTC (rev 298608)
@@ -17,6 +17,8 @@
- Implemented FR#35638 (Adding udate to imap_fetch_overview results).
(Charles_Duffy at dell dot com )
+- Fixed handling of session variable serialization on certain prefix
+ characters. Reported by Stefan Esser (Ilia)
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/session.c 2010-04-26 18:27:10 UTC
(rev 298607)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c 2010-04-26 18:35:54 UTC
(rev 298608)
@@ -895,7 +895,7 @@
PS_ENCODE_LOOP(
smart_str_appendl(&buf, key, key_length);
- if (memchr(key, PS_DELIMITER, key_length)) {
+ if (memchr(key, PS_DELIMITER, key_length) ||
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(&buf);
return FAILURE;
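Review bot: The new condition scans the whole key with memchr, while the log message and NEWS entry speak of "prefix characters". If only a leading PS_UNDEF_MARKER is a problem, the test could be limited to key[0] (with a key_length > 0 guard); if any position is a problem, the log wording should say "containing" rather than "prefix". Note also that the branch frees buf and returns FAILURE from inside PS_ENCODE_LOOP, so one offending key fails the encode as a whole; emitting a warning at this point would make that visible to the application.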
Modified: php/php-src/trunk/ext/session/session.c
===================================================================
--- php/php-src/trunk/ext/session/session.c 2010-04-26 18:27:10 UTC (rev
298607)
+++ php/php-src/trunk/ext/session/session.c 2010-04-26 18:35:54 UTC (rev
298608)
@@ -770,7 +770,7 @@
PS_ENCODE_LOOP(
smart_str_appendl(&buf, key, key_length);
- if (memchr(key, PS_DELIMITER, key_length)) {
+ if (memchr(key, PS_DELIMITER, key_length) ||
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(&buf);
return FAILURE;
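Review bot: The changed paths list only NEWS and session.c, so the new PS_UNDEF_MARKER half of the condition lands on all three branches without a regression test. A test that encodes a session whose key contains PS_UNDEF_MARKER and expects failure, alongside one with an ordinary key that expects success, would pin the behaviour. Trunk also gets no NEWS change in this commit; confirm that is intended.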
--
PHP CVS Mailing List (http://www.php.net/)