Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
Sascha Schumann wrote:
> > I noticed this risk a long time ago, and I think it's a kind of security
> > fix, as Sascha's comment says, isn't it?
>
> That depends on your viewpoint. From my perspective, this is not urgent.
> It is not like an attacker can gain access to the server, it just makes
> it a bit harder for attackers to exploit ignorant people. That group will
> always be vulnerable to social engineering, something which can only be
> addressed by education. Technology is not able to upgrade your brain,
> after all.
>
> - Sascha

We must watch out for technology not to downgrade it.

Giancarlo

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
Sascha Schumann wrote: sas Wed Jun 12 04:18:38 2002 EDT Modified files: /php4/ext/session php_session.h session.c Log: This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs. I'm +1 for merge this patch to release branch. -- Yasuo Ohgaki Index: php4/ext/session/php_session.h diff -u php4/ext/session/php_session.h:1.79 php4/ext/session/php_session.h:1.80 --- php4/ext/session/php_session.h:1.79 Sun May 5 12:39:49 2002 +++ php4/ext/session/php_session.hWed Jun 12 04:18:33 2002 -113,6 +113,7 zval *http_session_vars; zend_bool auto_start; zend_bool use_cookies; + zend_bool use_only_cookies; zend_bool use_trans_sid;/* contains the INI value of whether to use trans-sid */ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */ } php_ps_globals; Index: php4/ext/session/session.c diff -u php4/ext/session/session.c:1.308 php4/ext/session/session.c:1.309 --- php4/ext/session/session.c:1.308 Mon May 13 13:28:37 2002 +++ php4/ext/session/session.cWed Jun 12 04:18:36 2002 -17,7 +17,7 +--+ */ -/* $Id: session.c,v 1.308 2002/05/13 17:28:37 andrei Exp $ */ +/* $Id: session.c,v 1.309 2002/06/12 08:18:36 sas Exp $ */ #ifdef HAVE_CONFIG_H #include config.h -131,6 +131,7 STD_PHP_INI_ENTRY(session.cookie_domain, , PHP_INI_ALL, OnUpdateString,cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.cookie_secure,, PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.use_cookies, 1, PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN(session.use_only_cookies, 0, PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.referer_check, , PHP_INI_ALL, OnUpdateString,extern_referer_chk, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.entropy_file, , PHP_INI_ALL, OnUpdateString,entropy_file, php_ps_globals, ps_globals) 
STD_PHP_INI_ENTRY(session.entropy_length, 0, PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals) -839,7 +840,7 define_sid = 0; } - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _GET, sizeof(_GET), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY -849,7 +850,7 send_cookie = 0; } - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _POST, sizeof(_POST), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY -864,7 +865,7 'session-name=session-id' to allow URLs of the form http://yoursite/session-name=session-id/script.php */ - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), REQUEST_URI, sizeof(REQUEST_URI), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_STRING -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
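Review bot: the new session.use_only_cookies INI entry in the @@ -131,6 +131,7 @@ hunk is registered only in session.c; the "Modified files" list shows no php.ini-dist or php.ini-recommended entry and no NEWS line, so the administrators the log message is aimed at have nothing to discover the switch from. Add a commented `session.use_only_cookies = 0` line next to `session.use_cookies` in both ini templates and a NEWS entry. Note also that `session.use_cookies = 0` combined with `session.use_only_cookies = 1` leaves the extension with no source for an id at all; a startup warning for that combination would save debugging time.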
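Review bot: the three guarded lookups (@@ -839, @@ -849, @@ -864) read `!PS(use_only_cookies) !PS(id) zend_hash_find(...)` as shown, with no operator between the operands; if that is what was committed it does not compile, so confirm the `&&` survived (the list rendering most likely dropped it). On the logic: the change gates only the reading side. `use_trans_sid` and `apply_trans_sid` in php_session.h are untouched, so with use_only_cookies=1 and use_trans_sid=1 the extension still rewrites ids into outgoing URLs that it will then refuse to accept; either clear apply_trans_sid when use_only_cookies is set, or document that the two are mutually exclusive.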
Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
On Wed, 12 Jun 2002, Yasuo Ohgaki wrote: Sascha Schumann wrote: sas Wed Jun 12 04:18:38 2002 EDT Modified files: /php4/ext/session php_session.h session.c Log: This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs. I'm +1 for merge this patch to release branch. -1 on that, as it's a new feature. Derick Index: php4/ext/session/php_session.h diff -u php4/ext/session/php_session.h:1.79 php4/ext/session/php_session.h:1.80 --- php4/ext/session/php_session.h:1.79 Sun May 5 12:39:49 2002 +++ php4/ext/session/php_session.h Wed Jun 12 04:18:33 2002 @@ -113,6 +113,7 @@ zval *http_session_vars; zend_bool auto_start; zend_bool use_cookies; + zend_bool use_only_cookies; zend_bool use_trans_sid;/* contains the INI value of whether to use trans-sid */ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */ } php_ps_globals; Index: php4/ext/session/session.c diff -u php4/ext/session/session.c:1.308 php4/ext/session/session.c:1.309 --- php4/ext/session/session.c:1.308Mon May 13 13:28:37 2002 +++ php4/ext/session/session.c Wed Jun 12 04:18:36 2002 @@ -17,7 +17,7 @@ +--+ */ -/* $Id: session.c,v 1.308 2002/05/13 17:28:37 andrei Exp $ */ +/* $Id: session.c,v 1.309 2002/06/12 08:18:36 sas Exp $ */ #ifdef HAVE_CONFIG_H #include config.h 
@@ -131,6 +131,7 @@ STD_PHP_INI_ENTRY(session.cookie_domain, , PHP_INI_ALL, OnUpdateString,cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.cookie_secure,, PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.use_cookies, 1, PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN(session.use_only_cookies, 0, PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.referer_check, , PHP_INI_ALL, OnUpdateString,extern_referer_chk, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.entropy_file, , PHP_INI_ALL, OnUpdateString,entropy_file, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.entropy_length, 0, PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals) @@ -839,7 +840,7 @@ define_sid = 0; } - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _GET, sizeof(_GET), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY @@ -849,7 +850,7 @@ send_cookie = 0; } - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _POST, sizeof(_POST), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY @@ -864,7 +865,7 @@ 'session-name=session-id' to allow URLs of the form http://yoursite/session-name=session-id/script.php */ - if (!PS(id) + if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), REQUEST_URI, sizeof(REQUEST_URI), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_STRING -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php --- Did I help you? http://www.jdimedia.nl/derick/link.php?url=giftlist Frequent ranting: http://www.jdimedia.nl/derick/ --- PHP: Scripting the Web - [EMAIL PROTECTED] All your branches are belong to me! SRM: Script Running Machine - www.vl-srm.net --- -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
On Wed, Jun 12, 2002 at 01:22:49PM +0200, [EMAIL PROTECTED] wrote :
> On Wed, 12 Jun 2002, Yasuo Ohgaki wrote:
> > Sascha Schumann wrote:
> > > sas Wed Jun 12 04:18:38 2002 EDT
> > >
> > > Modified files:
> > > /php4/ext/session php_session.h session.c
> > > Log:
> > > This option enables administrators to make their users invulnerable to
> > > attacks which involve passing session ids in URLs.
> >
> > I'm +1 for merging this patch to the release branch.
>
> -1 on that, as it's a new feature.

Yeah, and the docs already say 4.3.0 ... :-)

SCNR,

- Markus

--
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
[EMAIL PROTECTED] wrote: On Wed, 12 Jun 2002, Yasuo Ohgaki wrote: Sascha Schumann wrote: sas Wed Jun 12 04:18:38 2002 EDT Modified files: /php4/ext/sessionphp_session.h session.c Log: This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs. I'm +1 for merge this patch to release branch. -1 on that, as it's a new feature. I noticed this risk long time before and I think it's a kind of security fix as Sascha's comment, isn't it? -- Yasuo Ohgaki Derick Index: php4/ext/session/php_session.h diff -u php4/ext/session/php_session.h:1.79 php4/ext/session/php_session.h:1.80 --- php4/ext/session/php_session.h:1.79 Sun May 5 12:39:49 2002 +++ php4/ext/session/php_session.h Wed Jun 12 04:18:33 2002 @@ -113,6 +113,7 @@ zval *http_session_vars; zend_bool auto_start; zend_bool use_cookies; +zend_bool use_only_cookies; zend_bool use_trans_sid;/* contains the INI value of whether to use trans-sid */ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */ } php_ps_globals; Index: php4/ext/session/session.c diff -u php4/ext/session/session.c:1.308 php4/ext/session/session.c:1.309 --- php4/ext/session/session.c:1.308 Mon May 13 13:28:37 2002 +++ php4/ext/session/session.c Wed Jun 12 04:18:36 2002 @@ -17,7 +17,7 @@ +--+ */ -/* $Id: session.c,v 1.308 2002/05/13 17:28:37 andrei Exp $ */ +/* $Id: session.c,v 1.309 2002/06/12 08:18:36 sas Exp $ */ #ifdef HAVE_CONFIG_H #include config.h 
@@ -131,6 +131,7 @@ STD_PHP_INI_ENTRY(session.cookie_domain, , PHP_INI_ALL, OnUpdateString,cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.cookie_secure,, PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN(session.use_cookies, 1, PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) +STD_PHP_INI_BOOLEAN(session.use_only_cookies, 0, PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.referer_check, , PHP_INI_ALL, OnUpdateString,extern_referer_chk, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.entropy_file, , PHP_INI_ALL, OnUpdateString,entropy_file, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY(session.entropy_length, 0, PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals) @@ -839,7 +840,7 @@ define_sid = 0; } -if (!PS(id) +if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _GET, sizeof(_GET), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY @@ -849,7 +850,7 @@ send_cookie = 0; } -if (!PS(id) +if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), _POST, sizeof(_POST), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_ARRAY @@ -864,7 +865,7 @@ 'session-name=session-id' to allow URLs of the form http://yoursite/session-name=session-id/script.php */ -if (!PS(id) +if (!PS(use_only_cookies) !PS(id) zend_hash_find(EG(symbol_table), REQUEST_URI, sizeof(REQUEST_URI), (void **) data) == SUCCESS Z_TYPE_PP(data) == IS_STRING -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php --- Did I help you? http://www.jdimedia.nl/derick/link.php?url=giftlist Frequent ranting: http://www.jdimedia.nl/derick/ --- PHP: Scripting the Web - [EMAIL PROTECTED] All your branches are belong to me! SRM: Script Running Machine - www.vl-srm.net --- -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
> I noticed this risk a long time ago, and I think it's a kind of security
> fix, as Sascha's comment says, isn't it?

That depends on your viewpoint. From my perspective, this is not urgent.
It is not like an attacker can gain access to the server, it just makes
it a bit harder for attackers to exploit ignorant people. That group will
always be vulnerable to social engineering, something which can only be
addressed by education. Technology is not able to upgrade your brain,
after all.

- Sascha
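The effect of the option, reproduced at application level for PHP builds that predate it, as an added example that is not part of the thread or of PHP's own code. It relies on the `!PS(id)` gate visible in the patch (the extension consults the query string, POST body and request path only when no id has been set yet) and assumes session.auto_start is off so the guard runs before session_start(); the id generator it falls back to is a stand-in, not the extension's own.

```php
<?php
// Added example, not code from the patch or from PHP itself.
// Pin the session id to the cookie before session_start(), so the extension
// never falls back to $_GET, $_POST or REQUEST_URI for it (the "!PS(id)" gate).
// Assumes session.auto_start = 0.

function cookie_only_session_id() {
    $name = session_name();
    $id = isset($_COOKIE[$name]) ? $_COOKIE[$name] : '';

    // Accept only a plausibly formed id from the cookie. A missing or malformed
    // cookie gets a fresh id instead of whatever the request may be carrying.
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        // Stand-in generator for the example; the extension's own generator
        // (session.entropy_file etc.) is preferable when it can be used.
        $id = md5(uniqid(mt_rand(), true));
    }
    session_id($id);

    // Detection hook: a legitimate client only ever sends the id in the
    // cookie, so an id offered in the request is worth logging.
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        error_log('session id offered outside cookie from '
                  . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '?'));
    }
    return $id;
}

if (ini_get('session.use_only_cookies') !== false) {
    // This build has the option from the patch: let the extension enforce it.
    ini_set('session.use_only_cookies', '1');
} else {
    cookie_only_session_id();
}
ini_set('session.use_trans_sid', '0'); // also stop emitting ids into URLs
session_start();
?>
```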
Re: [PHP-DEV] Re: cvs: php4 /ext/session php_session.h session.c
Sascha Schumann wrote:
> > I noticed this risk a long time ago, and I think it's a kind of security
> > fix, as Sascha's comment says, isn't it?
>
> That depends on your viewpoint. From my perspective, this is not urgent.
> It is not like an

I agree. (That's the reason why I didn't mention the risk, too.)

> attacker can gain access to the server, it just makes it a bit harder for
> attackers to exploit ignorant people. That group will always be vulnerable
> to social engineering, something which can only be addressed by education.
> Technology is not able to upgrade your brain, after all.

I just thought it's a good one for merging. I'm not a strong +1, anyway.
It's also good for 4.3.0.

--
Yasuo Ohgaki