[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-06-17 Thread Ilia Alshanetsky
iliaa   Sun Jun 17 14:26:32 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  
  : Fixed compiler warning
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.20r2=1.336.2.53.2.21diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.20 
php-src/ext/session/session.c:1.336.2.53.2.21
--- php-src/ext/session/session.c:1.336.2.53.2.20   Sat Jun 16 07:48:23 2007
+++ php-src/ext/session/session.c   Sun Jun 17 14:26:32 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.20 2007/06/16 07:48:23 sesser Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.21 2007/06/17 14:26:32 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -45,6 +45,7 @@
 #include ext/standard/php_rand.h   /* for RAND_MAX */
 #include ext/standard/info.h
 #include ext/standard/php_smart_str.h
+#include ext/standard/url.h
 
 #include mod_files.h
 #include mod_user.h




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-06-16 Thread Stefan Esser
sesser  Sat Jun 16 07:48:23 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.19r2=1.336.2.53.2.20diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.19 
php-src/ext/session/session.c:1.336.2.53.2.20
--- php-src/ext/session/session.c:1.336.2.53.2.19   Fri Jun 15 22:45:25 2007
+++ php-src/ext/session/session.c   Sat Jun 16 07:48:23 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.19 2007/06/15 22:45:25 stas Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.20 2007/06/16 07:48:23 sesser Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -666,7 +666,7 @@
int vallen;
 
/* check session name for invalid characters */
-   if (PS(id)  strpbrk(PS(id), \r\n\t '\\\()@,;:[]?={}%)) {
+   if (PS(id)  strpbrk(PS(id), \r\n\t '\\\)) {
efree(PS(id));
PS(id) = NULL;
}
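Review bot: The comment above this test still says it checks the session name, but the expression inspects `PS(id)`, and after this change the test no longer rejects the cookie metacharacters that the previous revision listed. That is safe for the Set-Cookie header only because the same commit URL-encodes the id there; any other place the id is emitted is not visible in this hunk and would not get that protection. I would reword the comment to something like `/* reject ids containing whitespace, quotes or backslash; cookie metacharacters are neutralised by URL-encoding when the cookie is sent */`. The enclosing function starts and ends outside the hunk.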
@@ -918,6 +918,7 @@
 {
smart_str ncookie = {0};
char *date_fmt = NULL;
+   char *e_session_name, *e_id;
 
if (SG(headers_sent)) {
char *output_start_filename = 
php_get_output_start_filename(TSRMLS_C);
@@ -931,11 +932,18 @@
}   
return;
}
+   
+   /* URL encode session_name and id because they might be user supplied */
+   e_session_name = php_url_encode(PS(session_name), 
strlen(PS(session_name)), NULL);
+   e_id = php_url_encode(PS(id), strlen(PS(id)), NULL);
 
smart_str_appends(ncookie, COOKIE_SET_COOKIE);
-   smart_str_appends(ncookie, PS(session_name));
+   smart_str_appends(ncookie, e_session_name);
smart_str_appendc(ncookie, '=');
-   smart_str_appends(ncookie, PS(id));
+   smart_str_appends(ncookie, e_id);
+   
+   efree(e_session_name);
+   efree(e_id);

if (PS(cookie_lifetime)  0) {
struct timeval tv;
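Review bot: Only the cookie name and value are passed through `php_url_encode()` here; any attribute values appended to `ncookie` further down are built outside this hunk, so whether they can also carry script-controlled text should be confirmed. The new comment would be more useful if it named the risk, e.g. `/* URL-encode name and id so CR/LF, ';' or '=' in user-supplied values cannot add headers or cookie attributes */`. The function body continues past the end of the hunk.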




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-06-15 Thread Stanislav Malyshev
stasFri Jun 15 22:45:25 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MF5: Disallow characters that Cookie RFC does not allow in unquoted cookies
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.18r2=1.336.2.53.2.19diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.18 
php-src/ext/session/session.c:1.336.2.53.2.19
--- php-src/ext/session/session.c:1.336.2.53.2.18   Wed May 16 01:34:14 2007
+++ php-src/ext/session/session.c   Fri Jun 15 22:45:25 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.18 2007/05/16 01:34:14 stas Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.19 2007/06/15 22:45:25 stas Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -666,7 +666,7 @@
int vallen;
 
/* check session name for invalid characters */
-   if (PS(id)  strpbrk(PS(id), \r\n\t '\\\)) {
+   if (PS(id)  strpbrk(PS(id), \r\n\t '\\\()@,;:[]?={}%)) {
efree(PS(id));
PS(id) = NULL;
}
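Review bot: Growing the `strpbrk()` list keeps this a denylist, so control characters other than `\r`, `\n` and `\t` and bytes outside ASCII are still accepted in `PS(id)`. An allowlist of the characters the id generator can actually produce would be easier to reason about than enumerating forbidden ones. The comment also still refers to the session name while the test is on the id; `/* check session id for invalid characters */` would match the code. The enclosing function is outside the hunk.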




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-05-15 Thread Stanislav Malyshev
stasWed May 16 01:34:14 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  do not send cookie when session is passed in URL, same as it happens with 
GET/POST
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.17r2=1.336.2.53.2.18diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.17 
php-src/ext/session/session.c:1.336.2.53.2.18
--- php-src/ext/session/session.c:1.336.2.53.2.17   Wed Apr  4 19:52:26 2007
+++ php-src/ext/session/session.c   Wed May 16 01:34:14 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.17 2007/04/04 19:52:26 tony2001 Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.18 2007/05/16 01:34:14 stas Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -1120,8 +1120,10 @@
char *q;
 
p += lensess + 1;
-   if ((q = strpbrk(p, /?\\)))
+   if ((q = strpbrk(p, /?\\))) {
PS(id) = estrndup(p, q - p);
+   PS(send_cookie) = 0;
+   }
}
 
/* check whether the current request was referred to by
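Review bot: When the delimiter immediately follows the session name in the URL, `q == p`, so `estrndup(p, q - p)` stores an empty id and the new `PS(send_cookie) = 0` then suppresses the cookie for it. Whether an empty id is replaced later is not visible in this hunk, so I would guard it here with `if ((q = strpbrk(p, "/?\\")) && q > p) {`. The id taken from the URL is also not validated at this point; presumably the character check elsewhere in the file runs afterwards, which is worth confirming. The enclosing block starts outside the hunk.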




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-03-25 Thread Ilia Alshanetsky
iliaa   Sun Mar 25 14:33:53 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  
  Fixed MOPB-32-2007 (Double free inside session_decode())
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.15r2=1.336.2.53.2.16diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.15 
php-src/ext/session/session.c:1.336.2.53.2.16
--- php-src/ext/session/session.c:1.336.2.53.2.15   Wed Mar 14 19:42:59 2007
+++ php-src/ext/session/session.c   Sun Mar 25 14:33:53 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.15 2007/03/14 19:42:59 iliaa Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.16 2007/03/25 14:33:53 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -535,7 +535,6 @@
 
if (zend_hash_find(EG(symbol_table), name, namelen + 1, (void 
**) tmp) == SUCCESS) {
if ((Z_TYPE_PP(tmp) == IS_ARRAY  Z_ARRVAL_PP(tmp) == 
EG(symbol_table)) || *tmp == PS(http_session_vars)) {
-   efree(name);
goto skip;
}
}




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c /ext/session/tests 002.phpt

2007-02-15 Thread Antony Dovgal
tony2001Thu Feb 15 09:41:31 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
/php-src/ext/session/tests  002.phpt 
  Log:
  fix segfault in php_add_session_var()
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.13r2=1.336.2.53.2.14diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.13 
php-src/ext/session/session.c:1.336.2.53.2.14
--- php-src/ext/session/session.c:1.336.2.53.2.13   Tue Jan  9 15:31:36 2007
+++ php-src/ext/session/session.c   Thu Feb 15 09:41:30 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.13 2007/01/09 15:31:36 iliaa Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.14 2007/02/15 09:41:30 tony2001 Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -271,8 +271,12 @@
 {
zval **sym_track = NULL;

-   zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen + 1, 
-   (void *) sym_track);
+   IF_SESSION_VARS() {
+   zend_hash_find(Z_ARRVAL_P(PS(http_session_vars)), name, namelen 
+ 1,
+   (void *) sym_track);
+   } else {
+   return;
+   }
 
/*
 * Set up a proper reference between $_SESSION[x] and $x.
@@ -281,11 +285,10 @@
if (PG(register_globals)) {
zval **sym_global = NULL;

-   zend_hash_find(EG(symbol_table), name, namelen + 1, 
-   (void *) sym_global);
-   
-   if ((Z_TYPE_PP(sym_global) == IS_ARRAY  
Z_ARRVAL_PP(sym_global) == EG(symbol_table)) || *sym_global == 
PS(http_session_vars)) {
-   return;
+   if (zend_hash_find(EG(symbol_table), name, namelen + 1, (void 
*) sym_global) == SUCCESS) {
+   if ((Z_TYPE_PP(sym_global) == IS_ARRAY  
Z_ARRVAL_PP(sym_global) == EG(symbol_table)) || *sym_global == 
PS(http_session_vars)) {
+   return;
+   }
}
 
if (sym_global == NULL  sym_track == NULL) {
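Review bot: The rewritten lookup has no comment saying why a symbol that is the global symbol table itself, or the session array, causes an early return. A short comment would help the next reader, e.g. `/* never bind a session variable over GLOBALS or the session array itself */`. The same condition is written out again in other functions of this file, so a small static helper taking the `zval **` would keep the copies from drifting apart. The function continues beyond the hunk.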
http://cvs.php.net/viewvc.cgi/php-src/ext/session/tests/002.phpt?r1=1.5r2=1.5.12.1diff_format=u
Index: php-src/ext/session/tests/002.phpt
diff -u php-src/ext/session/tests/002.phpt:1.5 
php-src/ext/session/tests/002.phpt:1.5.12.1
--- php-src/ext/session/tests/002.phpt:1.5  Thu Oct  3 16:14:54 2002
+++ php-src/ext/session/tests/002.phpt  Thu Feb 15 09:41:31 2007
@@ -7,6 +7,7 @@
 error_reporting(E_ALL);
 session_unset();
 print ok\n;
+?
 --GET--
 --POST--
 --EXPECT--




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2007-01-09 Thread Ilia Alshanetsky
iliaa   Tue Jan  9 15:31:36 2007 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  
  MFH: Prevent SESSION/GLOBALS overload via session decoding
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.12r2=1.336.2.53.2.13diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.12 
php-src/ext/session/session.c:1.336.2.53.2.13
--- php-src/ext/session/session.c:1.336.2.53.2.12   Mon Jan  1 09:46:47 2007
+++ php-src/ext/session/session.c   Tue Jan  9 15:31:36 2007
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.12 2007/01/01 09:46:47 sebastian Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.13 2007/01/09 15:31:36 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -284,6 +284,10 @@
zend_hash_find(EG(symbol_table), name, namelen + 1, 
(void *) sym_global);

+   if ((Z_TYPE_PP(sym_global) == IS_ARRAY  
Z_ARRVAL_PP(sym_global) == EG(symbol_table)) || *sym_global == 
PS(http_session_vars)) {
+   return;
+   }
+
if (sym_global == NULL  sym_track == NULL) {
zval *empty_var;
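Review bot: `Z_TYPE_PP(sym_global)` in the first added block is evaluated even when the preceding `zend_hash_find()` did not find the name; the next context line itself tests `sym_global == NULL`, so a NULL pointer can reach the macro and be dereferenced. The result of the lookup should gate the test, e.g. `if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) {` around the new `if`. The second hunk (`old_symbol`) already sits inside a `== SUCCESS` branch and is not affected. The function body extends beyond the hunk.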
 
@@ -313,7 +317,10 @@
if (PG(register_globals)) {
zval **old_symbol;
if (zend_hash_find(EG(symbol_table),name,namelen+1,(void 
*)old_symbol) == SUCCESS) { 
-   
+   if ((Z_TYPE_PP(old_symbol) == IS_ARRAY  
Z_ARRVAL_PP(old_symbol) == EG(symbol_table)) || *old_symbol == 
PS(http_session_vars)) {
+   return;
+   }
+
/* 
 * A global symbol with the same name exists already. 
That
 * symbol might have been created by other means (e.g. 
$_GET).




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2006-12-31 Thread Ilia Alshanetsky
iliaa   Sun Dec 31 22:26:25 2006 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  
  MFH: Added boundary checks to php_binary deserializer
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.10r2=1.336.2.53.2.11diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.10 
php-src/ext/session/session.c:1.336.2.53.2.11
--- php-src/ext/session/session.c:1.336.2.53.2.10   Tue Dec 26 17:23:33 2006
+++ php-src/ext/session/session.c   Sun Dec 31 22:26:25 2006
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.10 2006/12/26 17:23:33 iliaa Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.11 2006/12/31 22:26:25 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -424,6 +424,11 @@
for (p = val; p  endptr; ) {
zval **tmp;
namelen = *p  (~PS_BIN_UNDEF);
+
+   if (namelen  PS_BIN_MAX || (p + namelen) = endptr) {
+   return FAILURE;
+   }
+
has_value = *p  PS_BIN_UNDEF ? 0 : 1;
 
name = estrndup(p + 1, namelen);
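Review bot: The new early `return FAILURE;` leaves the loop without releasing `var_hash`; the matching `PHP_VAR_UNSERIALIZE_INIT(var_hash)` is above this hunk, so malformed input presumably leaks the unserialize state. I would add `PHP_VAR_UNSERIALIZE_DESTROY(var_hash);` before the return. It is also worth confirming that `namelen` cannot be negative at this point, since the type of `p` is not visible here and a signed `char` read would make the mask yield a negative length that passes the upper-bound test. The function starts and ends outside the hunk.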




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2006-12-26 Thread Ilia Alshanetsky
iliaa   Tue Dec 26 17:23:33 2006 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH: Session deserializer protection.
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.9r2=1.336.2.53.2.10diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.9 
php-src/ext/session/session.c:1.336.2.53.2.10
--- php-src/ext/session/session.c:1.336.2.53.2.9Wed Dec 20 19:31:40 2006
+++ php-src/ext/session/session.c   Tue Dec 26 17:23:33 2006
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.9 2006/12/20 19:31:40 tony2001 Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.10 2006/12/26 17:23:33 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -418,33 +418,33 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
-   int globals_on = PG(register_globals);
 
PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
for (p = val; p  endptr; ) {
+   zval **tmp;
namelen = *p  (~PS_BIN_UNDEF);
has_value = *p  PS_BIN_UNDEF ? 0 : 1;
 
name = estrndup(p + 1, namelen);

p += namelen + 1;
-   if (globals_on  namelen == sizeof(_SESSION)-1  
!memcmp(name, _SESSION, sizeof(_SESSION) - 1)) {
-   /* _SESSION hijack attempt */
-   } else if (globals_on  namelen == sizeof(GLOBALS)-1  
!memcmp(name, GLOBALS, sizeof(GLOBALS) - 1)) {
-   /* _GLOBALS hijack attempt */
-   } else if (globals_on  namelen == 
sizeof(HTTP_SESSION_VARS)-1  !memcmp(name, HTTP_SESSION_VARS, 
sizeof(HTTP_SESSION_VARS)-1)) {
-   /* HTTP_SESSION_VARS hijack attempt */
-   } else {
-   if (has_value) {
-   ALLOC_INIT_ZVAL(current);
-   if (php_var_unserialize(current, (const 
unsigned char **)p, endptr, var_hash TSRMLS_CC)) {
-   php_set_session_var(name, namelen, 
current, var_hash  TSRMLS_CC);
-   }
-   zval_ptr_dtor(current);
+
+   if (zend_hash_find(EG(symbol_table), name, namelen + 1, (void 
**) tmp) == SUCCESS) {
+   if ((Z_TYPE_PP(tmp) == IS_ARRAY  Z_ARRVAL_PP(tmp) == 
EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+   efree(name);
+   continue;
+   }
+   }
+
+   if (has_value) {
+   ALLOC_INIT_ZVAL(current);
+   if (php_var_unserialize(current, (const unsigned char 
**)p, endptr, var_hash TSRMLS_CC)) {
+   php_set_session_var(name, namelen, current, 
var_hash  TSRMLS_CC);
}
-   PS_ADD_VARL(name, namelen);
+   zval_ptr_dtor(current);
}
+   PS_ADD_VARL(name, namelen);
efree(name);
}
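Review bot: The new `continue` for a protected name runs after `p` has been advanced past the name only, so when the record carries a value it is never consumed and the next iteration reads the value's first byte as a name length. The removed empty hijack branches behaved the same way, so this is not a regression, but malformed session data leaves the parser out of step from that record on. I would still pass the value through `php_var_unserialize()` into a temporary that is destroyed without being stored, so that `p` ends at the next record. The text-format decoder changed later in this commit is cut off on this page and should be checked for the same pattern.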
 
@@ -496,13 +496,13 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
-   int globals_on = PG(register_globals);
 
PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
p = val;
 
while (p  endptr) {
+   zval **tmp;
q = p;
while (*q != PS_DELIMITER)
if (++q = endptr) goto break_outer_loop;
@@ -517,23 +517,23 @@
namelen = q - p;
name = estrndup(p, namelen);
q++;
-   
-   if (globals_on  namelen == sizeof(_SESSION)-1  
!memcmp(name, _SESSION, sizeof(_SESSION) - 1)) {
-   /* _SESSION hijack attempt */
-   } else if (globals_on  namelen == sizeof(GLOBALS)-1  
!memcmp(name, GLOBALS, sizeof(GLOBALS) - 1)) {
-   /* _GLOBALS hijack attempt */
-   } else if (globals_on  namelen == 
sizeof(HTTP_SESSION_VARS)-1  !memcmp(name, HTTP_SESSION_VARS, 
sizeof(HTTP_SESSION_VARS)-1)) {
-   /* HTTP_SESSION_VARS hijack attempt */
-   } else { 
-   if (has_value) {
-   ALLOC_INIT_ZVAL(current);
-   if (php_var_unserialize(current, (const 
unsigned char **)q, endptr, var_hash TSRMLS_CC)) {
-   php_set_session_var(name, namelen, 
current, var_hash TSRMLS_CC);
-   }
-   zval_ptr_dtor(current);
+
+   if (zend_hash_find(EG(symbol_table), name, namelen + 1, (void 
**) tmp) == SUCCESS) {
+   if ((Z_TYPE_PP(tmp) == IS_ARRAY  Z_ARRVAL_PP(tmp) == 
EG(symbol_table)) || *tmp == 

[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2006-12-20 Thread Antony Dovgal
tony2001Wed Dec 20 19:31:40 2006 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  protect _SESSION, HTTP_SESSION_VARS and GLOBALS
  maintain an internal reference of _SESSION, so that it won't be possible to 
destroy it from userspace
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.8r2=1.336.2.53.2.9diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.8 
php-src/ext/session/session.c:1.336.2.53.2.9
--- php-src/ext/session/session.c:1.336.2.53.2.8Fri Dec  1 00:28:43 2006
+++ php-src/ext/session/session.c   Wed Dec 20 19:31:40 2006
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.8 2006/12/01 00:28:43 iliaa Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.9 2006/12/20 19:31:40 tony2001 Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -418,6 +418,7 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+   int globals_on = PG(register_globals);
 
PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -428,15 +429,22 @@
name = estrndup(p + 1, namelen);

p += namelen + 1;
-   
-   if (has_value) {
-   ALLOC_INIT_ZVAL(current);
-   if (php_var_unserialize(current, (const unsigned char 
**)p, endptr, var_hash TSRMLS_CC)) {
-   php_set_session_var(name, namelen, current, 
var_hash  TSRMLS_CC);
+   if (globals_on  namelen == sizeof(_SESSION)-1  
!memcmp(name, _SESSION, sizeof(_SESSION) - 1)) {
+   /* _SESSION hijack attempt */
+   } else if (globals_on  namelen == sizeof(GLOBALS)-1  
!memcmp(name, GLOBALS, sizeof(GLOBALS) - 1)) {
+   /* _GLOBALS hijack attempt */
+   } else if (globals_on  namelen == 
sizeof(HTTP_SESSION_VARS)-1  !memcmp(name, HTTP_SESSION_VARS, 
sizeof(HTTP_SESSION_VARS)-1)) {
+   /* HTTP_SESSION_VARS hijack attempt */
+   } else {
+   if (has_value) {
+   ALLOC_INIT_ZVAL(current);
+   if (php_var_unserialize(current, (const 
unsigned char **)p, endptr, var_hash TSRMLS_CC)) {
+   php_set_session_var(name, namelen, 
current, var_hash  TSRMLS_CC);
+   }
+   zval_ptr_dtor(current);
}
-   zval_ptr_dtor(current);
+   PS_ADD_VARL(name, namelen);
}
-   PS_ADD_VARL(name, namelen);
efree(name);
}
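Review bot: The comment `/* _GLOBALS hijack attempt */` does not match the name the code compares against, which is `GLOBALS`; it should read `/* GLOBALS hijack attempt */`. The three length-plus-`memcmp` comparisons are also repeated verbatim in the `@@ -509,14 +518,22 @@` hunk, so one static helper that takes `name` and `namelen` would keep both decoders in agreement. The guard is only active when `globals_on` is set, and a comment stating why the names are harmless otherwise would help a later reader. The loop body starts outside the hunk.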
 
@@ -488,6 +496,7 @@
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+   int globals_on = PG(register_globals);
 
PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -509,14 +518,22 @@
name = estrndup(p, namelen);
q++;

-   if (has_value) {
-   ALLOC_INIT_ZVAL(current);
-   if (php_var_unserialize(current, (const unsigned char 
**)q, endptr, var_hash TSRMLS_CC)) {
-   php_set_session_var(name, namelen, current, 
var_hash TSRMLS_CC);
+   if (globals_on  namelen == sizeof(_SESSION)-1  
!memcmp(name, _SESSION, sizeof(_SESSION) - 1)) {
+   /* _SESSION hijack attempt */
+   } else if (globals_on  namelen == sizeof(GLOBALS)-1  
!memcmp(name, GLOBALS, sizeof(GLOBALS) - 1)) {
+   /* _GLOBALS hijack attempt */
+   } else if (globals_on  namelen == 
sizeof(HTTP_SESSION_VARS)-1  !memcmp(name, HTTP_SESSION_VARS, 
sizeof(HTTP_SESSION_VARS)-1)) {
+   /* HTTP_SESSION_VARS hijack attempt */
+   } else { 
+   if (has_value) {
+   ALLOC_INIT_ZVAL(current);
+   if (php_var_unserialize(current, (const 
unsigned char **)q, endptr, var_hash TSRMLS_CC)) {
+   php_set_session_var(name, namelen, 
current, var_hash TSRMLS_CC);
+   }
+   zval_ptr_dtor(current);
}
-   zval_ptr_dtor(current);
+   PS_ADD_VARL(name, namelen);
}
-   PS_ADD_VARL(name, namelen);
efree(name);

p = q;
@@ -536,12 +553,16 @@
zend_hash_del(EG(symbol_table), HTTP_SESSION_VARS, 
sizeof(HTTP_SESSION_VARS));
zend_hash_del(EG(symbol_table), _SESSION, sizeof(_SESSION));
 
+   if (PS(http_session_vars)) {
+   zval_ptr_dtor(PS(http_session_vars));
+   }
+

[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2006-11-30 Thread Ilia Alshanetsky
iliaa   Fri Dec  1 00:28:43 2006 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH: Disallow \0 chars inside session.save_path
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.7r2=1.336.2.53.2.8diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.7 
php-src/ext/session/session.c:1.336.2.53.2.8
--- php-src/ext/session/session.c:1.336.2.53.2.7Tue Aug  1 08:33:13 2006
+++ php-src/ext/session/session.c   Fri Dec  1 00:28:43 2006
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.7 2006/08/01 08:33:13 tony2001 Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.8 2006/12/01 00:28:43 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -120,6 +120,10 @@
 static PHP_INI_MH(OnUpdateSaveDir) {
/* Only do the safemode/open_basedir check at runtime */
if(stage == PHP_INI_STAGE_RUNTIME) {
+   if (memchr(new_value, '\0', new_value_length) != NULL) {
+   return FAILURE;
+   }
+
if (PG(safe_mode)  (!php_checkuid(new_value, NULL, 
CHECKUID_ALLOW_ONLY_DIR))) {
return FAILURE;
}
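Review bot: The NUL-byte test is nested inside the `stage == PHP_INI_STAGE_RUNTIME` branch, whose comment describes only the safe_mode/open_basedir checks, so a save path set at any other stage is not screened by it. If the intent is that no save path may contain an embedded NUL, the `memchr` test belongs before the stage test; if it is deliberately runtime-only, the comment should say so. A line such as `/* an embedded NUL would make the checks below see a shorter path than new_value_length describes */` would record the reason. The handler continues beyond the hunk.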






[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2006-08-01 Thread Antony Dovgal
tony2001Tue Aug  1 08:33:14 2006 UTC

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH: fix #38278 (session_cache_expire()'s value does not match phpinfo's 
session.cache_expire)
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.6r2=1.336.2.53.2.7diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.6 
php-src/ext/session/session.c:1.336.2.53.2.7
--- php-src/ext/session/session.c:1.336.2.53.2.6Thu May 18 22:16:27 2006
+++ php-src/ext/session/session.c   Tue Aug  1 08:33:13 2006
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.6 2006/05/18 22:16:27 helly Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.7 2006/08/01 08:33:13 tony2001 Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -1405,8 +1405,8 @@
WRONG_PARAM_COUNT;
 
if (ac == 1) {
-   convert_to_long_ex(p_cache_expire);
-   PS(cache_expire) = Z_LVAL_PP(p_cache_expire);
+   convert_to_string_ex(p_cache_expire);
+   zend_alter_ini_entry(session.cache_expire, 
sizeof(session.cache_expire), Z_STRVAL_PP(p_cache_expire), 
Z_STRLEN_PP(p_cache_expire), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME);
}
 
RETVAL_LONG(old);
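Review bot: The return value of `zend_alter_ini_entry()` is discarded, so if the ini layer refuses the new value the function still returns the old setting as though the update had succeeded. Checking for `FAILURE` and raising a warning would make that visible to the caller. A one-line comment such as `/* go through the ini layer so phpinfo() and ini_get() report the new value */` would also record why the direct assignment to `PS(cache_expire)` was dropped. The function starts outside the hunk.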




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2005-09-23 Thread Jani Taskinen
sniper  Fri Sep 23 04:16:02 2005 EDT

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH: Improved the fix for #21306 a bit
  
http://cvs.php.net/diff.php/php-src/ext/session/session.c?r1=1.336.2.53.2.2r2=1.336.2.53.2.3ty=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.2 
php-src/ext/session/session.c:1.336.2.53.2.3
--- php-src/ext/session/session.c:1.336.2.53.2.2Tue Sep 20 16:59:25 2005
+++ php-src/ext/session/session.c   Fri Sep 23 04:16:01 2005
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.2 2005/09/20 20:59:25 sniper Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.3 2005/09/23 08:16:01 sniper Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -1628,7 +1628,9 @@
 static void php_rshutdown_session_globals(TSRMLS_D)
 {
if (PS(mod_data)) {
-   PS(mod)-s_close(PS(mod_data) TSRMLS_CC);
+   zend_try {
+   PS(mod)-s_close(PS(mod_data) TSRMLS_CC);
+   } zend_end_try();
}
if (PS(id)) {
efree(PS(id));
@@ -1665,10 +1667,12 @@
 
 static void php_session_flush(TSRMLS_D)
 {
-   if(PS(session_status)==php_session_active) {
-   php_session_save_current_state(TSRMLS_C);
+   if (PS(session_status) == php_session_active) {
+   PS(session_status) = php_session_none;
+   zend_try {
+   php_session_save_current_state(TSRMLS_C);
+   } zend_end_try();
}
-   PS(session_status)=php_session_none;
 }
 
 /* {{{ proto void session_write_close(void)
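Review bot: `php_session_flush()` now clears `PS(session_status)` before calling the save routine, and that ordering carries the fix but is not explained anywhere in the function. A comment such as `/* mark the session closed first so a bailout in the write handler cannot leave it flagged active */` would stop someone from moving the assignment back below the `zend_try`. That reading of the intent is inferred from the commit log, so the wording should be adjusted if the reason differs. It is also worth confirming that `php_session_save_current_state()` does not itself consult `PS(session_status)`, since that function is not shown.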
@@ -1680,10 +1684,8 @@
 
 PHP_RSHUTDOWN_FUNCTION(session)
 {
-   zend_try {
-   php_session_flush(TSRMLS_C);
-   php_rshutdown_session_globals(TSRMLS_C);
-   } zend_end_try();
+   php_session_flush(TSRMLS_C);
+   php_rshutdown_session_globals(TSRMLS_C);
 
return SUCCESS;
 }




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2005-09-20 Thread Stanislav Malyshev
stasTue Sep 20 10:01:42 2005 EDT

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  fix crash on restarting static PHP having session modules loaded
  
  
http://cvs.php.net/diff.php/php-src/ext/session/session.c?r1=1.336.2.53r2=1.336.2.53.2.1ty=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53 
php-src/ext/session/session.c:1.336.2.53.2.1
--- php-src/ext/session/session.c:1.336.2.53Sun May 22 08:59:29 2005
+++ php-src/ext/session/session.c   Tue Sep 20 10:01:40 2005
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53 2005/05/22 12:59:29 tony2001 Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.1 2005/09/20 14:01:40 stas Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -178,6 +178,7 @@
 };
 
 #define MAX_MODULES 10
+#define PREDEFINED_MODULES 2
 
 static ps_module *ps_modules[MAX_MODULES + 1] = {
ps_files_ptr,
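Review bot: `PREDEFINED_MODULES` hard-codes the number of entries in the `ps_modules` initializer that begins on the last lines of this hunk, and nothing ties the two together. If a built-in handler is added to or removed from the initializer, the `memset` added in the shutdown hunk of this commit would clear the wrong slots. At minimum add a comment next to the define, e.g. `/* must equal the number of entries in the ps_modules initializer below */`. The initializer continues beyond the hunk, so the count of 2 could not be verified here.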
@@ -1727,6 +1728,7 @@
 #ifdef HAVE_LIBMM
PHP_MSHUTDOWN(ps_mm) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
 #endif
+   memset(ps_modules[PREDEFINED_MODULES], 0, 
(MAX_MODULES-PREDEFINED_MODULES)*sizeof(ps_module *));
 
return SUCCESS;
 }




[PHP-CVS] cvs: php-src(PHP_4_4) /ext/session session.c

2005-09-20 Thread Jani Taskinen
sniper  Tue Sep 20 16:59:26 2005 EDT

  Modified files:  (Branch: PHP_4_4)
/php-src/ext/sessionsession.c 
  Log:
  MFH: - Fixed bug #21306 (catch bailouts of write handler during RSHUTDOWN)
  
http://cvs.php.net/diff.php/php-src/ext/session/session.c?r1=1.336.2.53.2.1r2=1.336.2.53.2.2ty=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.1 
php-src/ext/session/session.c:1.336.2.53.2.2
--- php-src/ext/session/session.c:1.336.2.53.2.1Tue Sep 20 10:01:40 2005
+++ php-src/ext/session/session.c   Tue Sep 20 16:59:25 2005
@@ -17,7 +17,7 @@
+--+
  */
 
-/* $Id: session.c,v 1.336.2.53.2.1 2005/09/20 14:01:40 stas Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.2 2005/09/20 20:59:25 sniper Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include config.h
@@ -1680,8 +1680,11 @@
 
 PHP_RSHUTDOWN_FUNCTION(session)
 {
-   php_session_flush(TSRMLS_C);
-   php_rshutdown_session_globals(TSRMLS_C);
+   zend_try {
+   php_session_flush(TSRMLS_C);
+   php_rshutdown_session_globals(TSRMLS_C);
+   } zend_end_try();
+
return SUCCESS;
 }
 /* }}} */
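Review bot: Both calls sit inside one `zend_try`, so a bailout raised from `php_session_flush()` jumps past `php_rshutdown_session_globals()` and the per-request cleanup is skipped. Wrapping only `php_session_flush(TSRMLS_C);` in the `zend_try` and calling `php_rshutdown_session_globals(TSRMLS_C);` after `zend_end_try()` would keep the cleanup unconditional. What the cleanup releases is not shown in this hunk.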
