MF5: Disallow characters that Cookie RFC does not allow in unquoted cookies

diff --git a/ext/session/session.c b/ext/session/session.c
index 93c185d44329e69acaa560506db778537abf788f..9d0694dcc8dfe07cc10c55360c11efef36784778 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -398,7 +398,7 @@ static void php_session_initialize(TSRMLS_D)
        int vallen;
 
        /* check session name for invalid characters */
-       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
                efree(PS(id));
                PS(id) = NULL;
        }