From: Stanislav Malyshev
Date: Fri, 15 Jun 2007 22:40:00 +0000 (+0000)
Subject: Disallow characters that Cookie RFC does not allow in unquoted cookies
X-Git-Tag: php-5.2.4RC1~340
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=70a8f9313bd2e6102ff12a1a5b5b9c096f9ce30f;p=php
Disallow characters that Cookie RFC does not allow in unquoted cookies
---
diff --git a/ext/session/session.c b/ext/session/session.c
index b249f3a758..3d87a423c5 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -807,7 +807,7 @@ static void php_session_initialize(TSRMLS_D)
 int vallen;
 /* check session name for invalid characters */
- if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
 efree(PS(id));
 PS(id) = NULL;
 }
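Review bot: The strpbrk() set on the new `if` line is still a denylist, so any byte not listed passes: `/` (a separator in the HTTP token grammar) is absent, as are control bytes other than CR, LF and TAB and every byte above 0x7F. PS(id) is presumably client-supplied, so an allowlist would be easier to audit, e.g. `if (PS(id) && PS(id)[strspn(PS(id), "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-")] != '\0') {`, with the accepted alphabet matched to what the id generator can emit (I believe that can include `,`, which the new set now rejects; worth confirming). The comment above the check says "session name" although the test is on the session id; `/* reject session ids containing characters outside the allowed set */` would be accurate. php_session_initialize() starts and ends outside this hunk.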