From: Ilia Alshanetsky Date: Mon, 26 Apr 2010 18:35:54 +0000 (+0000) Subject: Fixed handling of session variable serialization on certain prefix characters. Report... X-Git-Tag: php-5.3.3RC1~263 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=64f372fae2876a197996a1753d3659d8fa9d0bb4;p=php Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser --- diff --git a/NEWS b/NEWS index 1a8338c7f9..8e3edf0bc8 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,8 @@ PHP NEWS - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com ) +- Fixed handling of session variable serialization on certain prefix + characters. Reported by Stefan Esser (Ilia) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) diff --git a/ext/session/session.c b/ext/session/session.c index 6456f68163..0debe75ae3 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -895,7 +895,7 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */ PS_ENCODE_LOOP( smart_str_appendl(&buf, key, key_length); - if (memchr(key, PS_DELIMITER, key_length)) { + if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) { PHP_VAR_SERIALIZE_DESTROY(var_hash); smart_str_free(&buf); return FAILURE;
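Review bot: The NEWS entry added in the @@ -17,6 +17,8 @@ hunk says only "certain prefix characters" and names neither the character nor the serializer. The session.c hunk shows the change is a PS_UNDEF_MARKER check on keys in PS_SERIALIZER_ENCODE_FUNC(php), so the entry could say that session keys containing that marker are now rejected the same way as keys containing PS_DELIMITER. Unlike the XML-RPC entry directly below it, the line carries no bug or CVE reference; add one if an identifier has been assigned.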
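Review bot: In the ext/session/session.c hunk, the new memchr(key, PS_UNDEF_MARKER, key_length) test scans the whole key, while the commit subject and the NEWS entry describe a problem with prefix characters. A one-line comment above the condition stating that the marker is rejected at any position, and why, would keep a later change from narrowing it by mistake. The failure path is also unchanged: it frees buf and returns FAILURE for the entire encode, with no diagnostic visible in the hunk, so a single offending key fails serialization of all session variables without naming the key. Consider emitting a warning that identifies the key before smart_str_free(&buf). The diff touches only the php serializer's encode side and adds no test; a regression test with a key containing the marker, plus a check that the decode path and any other serializers treat the same key consistently, would pin the behaviour.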