]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1685282)
Remove outdate checks
authorXinchen Hui <laruence@gmail.com>
Thu, 18 Aug 2016 07:37:15 +0000 (15:37 +0800)
committerXinchen Hui <laruence@gmail.com>
Thu, 18 Aug 2016 07:37:15 +0000 (15:37 +0800)
ext/session/session.c patch | blob | history
ext/session/tests/bug72681.phpt patch | blob | history

diff --git a/ext/session/session.c b/ext/session/session.c
index b303b9065308af3cb0125a3cb172972e5d887a50..9668db4c833f96dea4e8d103b2f072428750b596 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -835,7 +835,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
        PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
        for (p = val; p < endptr; ) {
-               zval *tmp;
                skip = 0;
                namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
 
@@ -850,13 +849,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 
                p += namelen + 1;
 
-               if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
-                       if ((Z_TYPE_P(tmp) == IS_ARRAY &&
-                               Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
-                               skip = 1;
-                       }
-               }
-
                if (has_value) {
                        zval *current, rv;
                        current = var_tmp_var(&var_hash);
@@ -933,7 +925,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
        p = val;
 
        while (p < endptr) {
-               zval *tmp;
                q = p;
                skip = 0;
                while (*q != PS_DELIMITER) {
@@ -950,13 +941,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
                name = zend_string_init(p, namelen, 0);
                q++;
 
-               if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
-                       if ((Z_TYPE_P(tmp) == IS_ARRAY &&
-                               Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
-                               skip = 1;
-                       }
-               }
-
                if (has_value) {
                        zval *current, rv;
                        current = var_tmp_var(&var_hash);
diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt
index ceca6ecc33fe2273603eb7f51ef8fd649d33cdbb..4752767d50afa1c1c8d09a8db882e741018ee899 100644 (file)
--- a/ext/session/tests/bug72681.phpt
+++ b/ext/session/tests/bug72681.phpt
@@ -6,12 +6,17 @@ Bug #72681: PHP Session Data Injection Vulnerability
 <?php
 ini_set('session.serialize_handler', 'php');
 session_start();
-$GLOBALS['ryat'] = $GLOBALS;
+$GLOBALS['ryat'] = $_SESSION;
 $_SESSION['ryat'] = 'ryat|O:8:"stdClass":0:{}';
 session_write_close();
 session_start();
+var_dump($ryat);
 var_dump($_SESSION);
 ?>
 --EXPECT--
 array(0) {
 }
+array(1) {
+  ["ryat"]=>
+  string(24) "ryat|O:8:"stdClass":0:{}"
+}
Unnamed repository; edit this file 'description' to name the repository.