MFH: Session deserializer protection.

author Ilia Alshanetsky <iliaa@php.net>

Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)
diff --git a/ext/session/session.c b/ext/session/session.c

index 7391fc442c8ce8aba09dac8f931587a73a05c7fd..1d60e085008b902dc4d0996e2cec1f038b0bba6e 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -418,33 +418,33 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
         int namelen;
         int has_value;
         php_unserialize_data_t var_hash;
-       int globals_on = PG(register_globals);
  
         PHP_VAR_UNSERIALIZE_INIT(var_hash);
  
         for (p = val; p < endptr; ) {
+               zval **tmp;
                 namelen = *p & (~PS_BIN_UNDEF);
                 has_value = *p & PS_BIN_UNDEF ? 0 : 1;
  
                 name = estrndup(p + 1, namelen);
                 
                 p += namelen + 1;
-               if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-                       /* _SESSION hijack attempt */
-               } else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-                       /* _GLOBALS hijack attempt */
-               } else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-                       /* HTTP_SESSION_VARS hijack attempt */
-               } else {
-                       if (has_value) {
-                               ALLOC_INIT_ZVAL(current);
-                               if (php_var_unserialize(&current, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
-                                       php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
-                               }
-                               zval_ptr_dtor(&current);
+
+               if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+                       if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+                               efree(name);
+                               continue;
+                       }
+               }
+
+               if (has_value) {
+                       ALLOC_INIT_ZVAL(current);
+                       if (php_var_unserialize(&current, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
+                               php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
                         }
-                       PS_ADD_VARL(name, namelen);
+                       zval_ptr_dtor(&current);
                 }
+               PS_ADD_VARL(name, namelen);
                 efree(name);
         }
  
@@ -496,13 +496,13 @@ PS_SERIALIZER_DECODE_FUNC(php)
         int namelen;
         int has_value;
         php_unserialize_data_t var_hash;
-       int globals_on = PG(register_globals);
  
         PHP_VAR_UNSERIALIZE_INIT(var_hash);
  
         p = val;
  
         while (p < endptr) {
+               zval **tmp;
                 q = p;
                 while (*q != PS_DELIMITER)
                         if (++q >= endptr) goto break_outer_loop;
@@ -517,23 +517,23 @@ PS_SERIALIZER_DECODE_FUNC(php)
                 namelen = q - p;
                 name = estrndup(p, namelen);
                 q++;
-               
-               if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-                       /* _SESSION hijack attempt */
-               } else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-                       /* _GLOBALS hijack attempt */
-               } else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-                       /* HTTP_SESSION_VARS hijack attempt */
-               } else { 
-                       if (has_value) {
-                               ALLOC_INIT_ZVAL(current);
-                               if (php_var_unserialize(&current, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
-                                       php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
-                               }
-                               zval_ptr_dtor(&current);
+
+               if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+                       if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+                               efree(name);
+                               goto skip;
+                       }
+               }
+
+               if (has_value) {
+                       ALLOC_INIT_ZVAL(current);
+                       if (php_var_unserialize(&current, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
+                               php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
                         }
-                       PS_ADD_VARL(name, namelen);
+                       zval_ptr_dtor(&current);
                 }
+               PS_ADD_VARL(name, namelen);
+skip:
                 efree(name);
                 
                 p = q;
author	Ilia Alshanetsky <iliaa@php.net>
	Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Tue, 26 Dec 2006 17:23:33 +0000 (17:23 +0000)