[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/session/session.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/session/session.c trunk/ext/session/session.c
iliaaMon, 26 Apr 2010 18:35:54 + Revision: http://svn.php.net/viewvc?view=revisionrevision=298608 Log: Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/session/session.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/session/session.c U php/php-src/trunk/ext/session/session.c Modified: php/php-src/branches/PHP_5_2/NEWS === --- php/php-src/branches/PHP_5_2/NEWS 2010-04-26 18:27:10 UTC (rev 298607) +++ php/php-src/branches/PHP_5_2/NEWS 2010-04-26 18:35:54 UTC (rev 298608) @@ -11,6 +11,8 @@ - Reset error state in PDO::beginTransaction() reset error state. (Ilia) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) +- Fixed handling of session variable serialization on certain prefix + characters. Reported by Stefan Esser (Ilia) - Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading). (Pierre) Modified: php/php-src/branches/PHP_5_2/ext/session/session.c === --- php/php-src/branches/PHP_5_2/ext/session/session.c 2010-04-26 18:27:10 UTC (rev 298607) +++ php/php-src/branches/PHP_5_2/ext/session/session.c 2010-04-26 18:35:54 UTC (rev 298608) @@ -813,7 +813,7 @@ PS_ENCODE_LOOP( smart_str_appendl(buf, key, key_length); - if (memchr(key, PS_DELIMITER, key_length)) { + if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) { PHP_VAR_SERIALIZE_DESTROY(var_hash); smart_str_free(buf); return FAILURE; Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2010-04-26 18:27:10 UTC (rev 298607) +++ php/php-src/branches/PHP_5_3/NEWS 2010-04-26 18:35:54 UTC (rev 298608) 
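Review bot: The key is appended to `buf` before it is validated, so a rejected key is first copied and then thrown away by `smart_str_free(buf)`; moving the `memchr` test ahead of `smart_str_appendl(buf, key, key_length)` makes the reject path a precondition rather than a rollback and keeps the append unconditional on success. The log speaks of "prefix characters" while the check rejects both bytes anywhere in the key, which is the stricter and presumably intended behaviour (the decoder splits records on PS_DELIMITER and treats a leading PS_UNDEF_MARKER specially), so a one-line comment would save the next reader the question: `/* a key containing the field delimiter or the undef marker would be re-parsed differently by the decoder; refuse to encode it */`. The commit ships no ext/session regression test for a key containing either byte, which would pin the FAILURE result. The same change is repeated in the PHP_5_3 and trunk hunks of this commit. The PS_ENCODE_LOOP body begins and ends outside the hunk.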
@@ -17,6 +17,8 @@ - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com ) +- Fixed handling of session variable serialization on certain prefix + characters. Reported by Stefan Esser (Ilia) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) Modified: php/php-src/branches/PHP_5_3/ext/session/session.c === --- php/php-src/branches/PHP_5_3/ext/session/session.c 2010-04-26 18:27:10 UTC (rev 298607) +++ php/php-src/branches/PHP_5_3/ext/session/session.c 2010-04-26 18:35:54 UTC (rev 298608) @@ -895,7 +895,7 @@ PS_ENCODE_LOOP( smart_str_appendl(buf, key, key_length); - if (memchr(key, PS_DELIMITER, key_length)) { + if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) { PHP_VAR_SERIALIZE_DESTROY(var_hash); smart_str_free(buf); return FAILURE; Modified: php/php-src/trunk/ext/session/session.c === --- php/php-src/trunk/ext/session/session.c 2010-04-26 18:27:10 UTC (rev 298607) +++ php/php-src/trunk/ext/session/session.c 2010-04-26 18:35:54 UTC (rev 298608) @@ -770,7 +770,7 @@ PS_ENCODE_LOOP( smart_str_appendl(buf, key, key_length); - if (memchr(key, PS_DELIMITER, key_length)) { + if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) { PHP_VAR_SERIALIZE_DESTROY(var_hash); smart_str_free(buf); return FAILURE; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/session/session.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/session/session.c trunk/ext/session/session.c
iliaaSun, 31 Jan 2010 18:06:29 + Revision: http://svn.php.net/viewvc?view=revisionrevision=294272 Log: Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak. Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/session/session.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/session/session.c U php/php-src/trunk/ext/session/session.c Modified: php/php-src/branches/PHP_5_2/NEWS === --- php/php-src/branches/PHP_5_2/NEWS 2010-01-31 17:43:29 UTC (rev 294271) +++ php/php-src/branches/PHP_5_2/NEWS 2010-01-31 18:06:29 UTC (rev 294272) @@ -1,7 +1,10 @@ PHPNEWS ||| ?? Feb 2010, PHP 5.2.13 +- Fixed a possible open_basedir/safe_mode bypass in session extension + identified by Grzegorz Stachowiak. (Ilia) + 28 Jan 2010, PHP 5.2.13RC1 - Updated timezone database to version 2010.2. (Derick) - Upgraded bundled PCRE to version 8.01. (Ilia) Modified: php/php-src/branches/PHP_5_2/ext/session/session.c === --- php/php-src/branches/PHP_5_2/ext/session/session.c 2010-01-31 17:43:29 UTC (rev 294271) +++ php/php-src/branches/PHP_5_2/ext/session/session.c 2010-01-31 18:06:29 UTC (rev 294272) @@ -653,8 +653,13 @@ return FAILURE; } - if ((p = zend_memrchr(new_value, ';', new_value_length))) { + /* we do not use zend_memrchr() since path can contain ; itself */ + if ((p = strchr(new_value, ';'))) { + char *p2; p++; + if ((p2 = strchr(p, ';'))) { + p = p2 + 1; + } } else { p = new_value; } Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2010-01-31 17:43:29 UTC (rev 294271) +++ php/php-src/branches/PHP_5_3/NEWS 2010-01-31 18:06:29 UTC (rev 294272) 
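Review bot: The new scan uses `strchr(new_value, ';')` and no longer consults `new_value_length`, so a NUL byte inside the ini value ends the scan early where the replaced length-aware `zend_memrchr()` did not; unless a check above the hunk already rejects embedded NULs, a `memchr(new_value, '\0', new_value_length)` rejection before this block would keep the path that is basedir-checked identical to the path the save handler later opens. The field-skipping also hard-codes a two-prefix-field layout (presumably the `N;MODE;path` form understood by the files save handler), and a divergence between this parse and the handler's own parse is exactly the bypass class being closed, so the comment should state the coupling: `/* mirror the files save handler: at most two ';'-separated prefix fields precede the path */`. The same change is repeated in the PHP_5_3 and trunk hunks of this commit. The enclosing INI update handler begins and ends outside the hunk.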
@@ -5,6 +5,8 @@ - Upgraded bundled sqlite to version 3.6.22. (Ilia) - Upgraded bundled libmagic to version 5.03. (Mikko) +- Fixed a possible open_basedir/safe_mode bypass in session extension + identified by Grzegorz Stachowiak. (Ilia) - Improved LCG entropy. (Rasmus, Samy Kamkar) - Added libpng 1.4.0 support. (Pierre) Modified: php/php-src/branches/PHP_5_3/ext/session/session.c === --- php/php-src/branches/PHP_5_3/ext/session/session.c 2010-01-31 17:43:29 UTC (rev 294271) +++ php/php-src/branches/PHP_5_3/ext/session/session.c 2010-01-31 18:06:29 UTC (rev 294272) @@ -687,8 +687,13 @@ return FAILURE; } - if ((p = zend_memrchr(new_value, ';', new_value_length))) { + /* we do not use zend_memrchr() since path can contain ; itself */ + if ((p = strchr(new_value, ';'))) { + char *p2; p++; + if ((p2 = strchr(p, ';'))) { + p = p2 + 1; + } } else { p = new_value; } Modified: php/php-src/trunk/ext/session/session.c === --- php/php-src/trunk/ext/session/session.c 2010-01-31 17:43:29 UTC (rev 294271) +++ php/php-src/trunk/ext/session/session.c 2010-01-31 18:06:29 UTC (rev 294272) @@ -563,8 +563,13 @@ return FAILURE; } - if ((p = zend_memrchr(new_value, ';', new_value_length))) { + /* we do not use zend_memrchr() since path can contain ; itself */ + if ((p = strchr(new_value, ';'))) { + char *p2; p++; + if ((p2 = strchr(p, ';'))) { + p = p2 + 1; + } } else { p = new_value; } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php