Fixed handling of session variable serialization on certain prefix characters. Report...

diff --git a/NEWS b/NEWS
index 1a8338c7f9fda12912701dcd57624ff9d13f4af5..8e3edf0bc842251ad8e1707dc40a869af16e4cbc 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,8 @@ PHP                                                                        NEWS
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results).
   (Charles_Duffy at dell dot com )
 
+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
 - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) 

diff --git a/ext/session/session.c b/ext/session/session.c
index 6456f68163d5f63868a09440c3d935e5f4f08da9..0debe75ae3690493b68f11a7d360c6dd820f216b 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -895,7 +895,7 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
 
        PS_ENCODE_LOOP(
                        smart_str_appendl(&buf, key, key_length);
-                       if (memchr(key, PS_DELIMITER, key_length)) {
+                       if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) {
                                PHP_VAR_SERIALIZE_DESTROY(var_hash);
                                smart_str_free(&buf);
                                return FAILURE;