Added a check for special characters in the session name.

author Ilia Alshanetsky <iliaa@php.net>

Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)
diff --git a/NEWS b/NEWS

index b78ffd624604112646cf23d36e1d0900e7e3f622..50dddc5e29cd72a3ca34be5252efb48166b838d0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? 2006, PHP 5.1.3
+- Added a check for special characters in the session name. (Ilia)
  - Added "consumed" stream filter. (Marcus)
  - Added new mysqli constants for BIT and NEW_DECIMAL field types:
    MYSQLI_TYPE_NEWDECIMAL and MYSQLI_TYPE_BIT. FR #36007. (Georg)
diff --git a/ext/session/session.c b/ext/session/session.c

index 1afd6ba51b8c7d230820014874d93b5979ce1668..2d13421f6cbc16115ce1048695839a9058ec929e 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -741,6 +741,12 @@ static void php_session_initialize(TSRMLS_D)
         char *val;
         int vallen;
  
+       /* check session name for invalid characters */
+       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+               efree(PS(id));
+               PS(id) = NULL;
+       }
+
         if (!PS(mod)) {
                 php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed to initialize session.");
                 return;
author	Ilia Alshanetsky <iliaa@php.net>
	Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Sun, 15 Jan 2006 16:51:18 +0000 (16:51 +0000)
NEWS		patch \| blob \| history
ext/session/session.c		patch \| blob \| history