[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/session/session.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/session/session.c trunk/ext/session/session.c

2010-04-26 Thread Ilia Alshanetsky
iliaaMon, 26 Apr 2010 18:35:54 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=298608

Log:
Fixed handling of session variable serialization on certain prefix characters. 
Reported by Stefan Esser

Changed paths:
U   php/php-src/branches/PHP_5_2/NEWS
U   php/php-src/branches/PHP_5_2/ext/session/session.c
U   php/php-src/branches/PHP_5_3/NEWS
U   php/php-src/branches/PHP_5_3/ext/session/session.c
U   php/php-src/trunk/ext/session/session.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===
--- php/php-src/branches/PHP_5_2/NEWS   2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-04-26 18:35:54 UTC (rev 298608)
@@ -11,6 +11,8 @@
 - Reset error state in PDO::beginTransaction() reset error state. (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)

 - Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading).
   (Pierre)

Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===
--- php/php-src/branches/PHP_5_2/ext/session/session.c  2010-04-26 18:27:10 UTC 
(rev 298607)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c  2010-04-26 18:35:54 UTC 
(rev 298608)
@@ -813,7 +813,7 @@

PS_ENCODE_LOOP(
smart_str_appendl(buf, key, key_length);
-   if (memchr(key, PS_DELIMITER, key_length)) {
+   if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(buf);
return FAILURE;
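Review bot: The new condition rejects a key containing PS_UNDEF_MARKER anywhere in it, not only as a prefix, and it runs after `smart_str_appendl` has already copied the key into `buf`; that is harmless because `buf` is freed before returning, but nothing in the hunk tells a reader why these two bytes are reserved. I would add above the `if`: `/* PS_DELIMITER and PS_UNDEF_MARKER are structural bytes of the serialized stream; a key containing either could not be unambiguously split back apart, so refuse to encode it */`. The check fails the whole encode for one bad key with no diagnostic visible here; whether the caller reports that is outside the hunk. Both the PS_ENCODE_LOOP macro and the enclosing encode function start and end outside the hunk; the PHP_5_3 and trunk hunks below make the identical change and this note applies to them as well.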

Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-26 18:27:10 UTC (rev 298607)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-26 18:35:54 UTC (rev 298608)
@@ -17,6 +17,8 @@
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results).
   (Charles_Duffy at dell dot com )

+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)

Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===
--- php/php-src/branches/PHP_5_3/ext/session/session.c  2010-04-26 18:27:10 UTC 
(rev 298607)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c  2010-04-26 18:35:54 UTC 
(rev 298608)
@@ -895,7 +895,7 @@

PS_ENCODE_LOOP(
smart_str_appendl(buf, key, key_length);
-   if (memchr(key, PS_DELIMITER, key_length)) {
+   if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(buf);
return FAILURE;

Modified: php/php-src/trunk/ext/session/session.c
===
--- php/php-src/trunk/ext/session/session.c 2010-04-26 18:27:10 UTC (rev 
298607)
+++ php/php-src/trunk/ext/session/session.c 2010-04-26 18:35:54 UTC (rev 
298608)
@@ -770,7 +770,7 @@

PS_ENCODE_LOOP(
smart_str_appendl(buf, key, key_length);
-   if (memchr(key, PS_DELIMITER, key_length)) {
+   if (memchr(key, PS_DELIMITER, key_length) || 
memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(buf);
return FAILURE;


[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/session/session.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/session/session.c trunk/ext/session/session.c

2010-01-31 Thread Ilia Alshanetsky
iliaaSun, 31 Jan 2010 18:06:29 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=294272

Log:
Fixed a possible open_basedir/safe_mode bypass in session extension identified 
by Grzegorz Stachowiak.

Changed paths:
U   php/php-src/branches/PHP_5_2/NEWS
U   php/php-src/branches/PHP_5_2/ext/session/session.c
U   php/php-src/branches/PHP_5_3/NEWS
U   php/php-src/branches/PHP_5_3/ext/session/session.c
U   php/php-src/trunk/ext/session/session.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===
--- php/php-src/branches/PHP_5_2/NEWS   2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-01-31 18:06:29 UTC (rev 294272)
@@ -1,7 +1,10 @@
 PHPNEWS
 |||
 ?? Feb 2010, PHP 5.2.13
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+  identified by Grzegorz Stachowiak. (Ilia)

+
 28 Jan 2010, PHP 5.2.13RC1
 - Updated timezone database to version 2010.2. (Derick)
 - Upgraded bundled PCRE to version 8.01. (Ilia)

Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===
--- php/php-src/branches/PHP_5_2/ext/session/session.c  2010-01-31 17:43:29 UTC 
(rev 294271)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c  2010-01-31 18:06:29 UTC 
(rev 294272)
@@ -653,8 +653,13 @@
return FAILURE;
}

-   if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+   /* we do not use zend_memrchr() since path can contain ; itself 
*/
+   if ((p = strchr(new_value, ';'))) {
+   char *p2;
p++;
+   if ((p2 = strchr(p, ';'))) {
+   p = p2 + 1;
+   }
} else {
p = new_value;
}
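Review bot: Replacing the length-bounded `zend_memrchr(new_value, ';', new_value_length)` with `strchr(new_value, ';')` makes the function rely on `new_value` being NUL-terminated and leaves `new_value_length` unused on this path; INI values normally are NUL-terminated, but the assumption should be stated since the old bound is gone. The two chained `strchr` calls skip at most two leading `;`-separated fields, so a `;` inside the path is preserved when both prefix fields are present; if a value carries only one prefix field and the path itself contains `;`, `p` presumably still lands inside the path and whatever check follows (outside the hunk) sees only a suffix. I would expand the new comment to `/* skip at most the two leading ';'-separated prefix fields; the path itself may contain ';', so never search from the end (new_value is NUL-terminated) */`. The enclosing function starts and ends outside the hunk; the PHP_5_3 and trunk hunks below make the identical change.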

Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS   2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-01-31 18:06:29 UTC (rev 294272)
@@ -5,6 +5,8 @@
 - Upgraded bundled sqlite to version 3.6.22. (Ilia)
 - Upgraded bundled libmagic to version 5.03. (Mikko)

+- Fixed a possible open_basedir/safe_mode bypass in session extension
+  identified by Grzegorz Stachowiak. (Ilia)
 - Improved LCG entropy. (Rasmus, Samy Kamkar)

 - Added libpng 1.4.0 support. (Pierre)

Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===
--- php/php-src/branches/PHP_5_3/ext/session/session.c  2010-01-31 17:43:29 UTC 
(rev 294271)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c  2010-01-31 18:06:29 UTC 
(rev 294272)
@@ -687,8 +687,13 @@
return FAILURE;
}

-   if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+   /* we do not use zend_memrchr() since path can contain ; itself 
*/
+   if ((p = strchr(new_value, ';'))) {
+   char *p2;
p++;
+   if ((p2 = strchr(p, ';'))) {
+   p = p2 + 1;
+   }
} else {
p = new_value;
}

Modified: php/php-src/trunk/ext/session/session.c
===
--- php/php-src/trunk/ext/session/session.c 2010-01-31 17:43:29 UTC (rev 
294271)
+++ php/php-src/trunk/ext/session/session.c 2010-01-31 18:06:29 UTC (rev 
294272)
@@ -563,8 +563,13 @@
return FAILURE;
}

-   if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+   /* we do not use zend_memrchr() since path can contain ; itself 
*/
+   if ((p = strchr(new_value, ';'))) {
+   char *p2;
p++;
+   if ((p2 = strchr(p, ';'))) {
+   p = p2 + 1;
+   }
} else {
p = new_value;
}
