Fixed handling of session variable serialization on certain prefix characters. Report...

diff --git a/NEWS b/NEWS
index bc868dcd9fc7ce8795ad20b797dc39d68c8ceb84..418b730c833ebb34d085382ecb40484318a68cf6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
 - Reset error state in PDO::beginTransaction() reset error state. (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed handling of session variable serialization on certain prefix
+  characters. Reported by Stefan Esser (Ilia)
 
 - Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading).
   (Pierre)

diff --git a/ext/session/session.c b/ext/session/session.c
index 4318aba023ad90ed30113c85c4377ddb8ce04261..992b627d934786111e0f51660f7e3ab4962ad39e 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -813,7 +813,7 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
 
        PS_ENCODE_LOOP(
                        smart_str_appendl(&buf, key, key_length);
-                       if (memchr(key, PS_DELIMITER, key_length)) {
+                       if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) {
                                PHP_VAR_SERIALIZE_DESTROY(var_hash);
                                smart_str_free(&buf);
                                return FAILURE;