From: Antony Dovgal Date: Wed, 20 Dec 2006 19:31:40 +0000 (+0000) Subject: protect _SESSION, HTTP_SESSION_VARS and GLOBALS X-Git-Tag: php-4.4.5RC1~36 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d1da48659934fe66b6e747dd8e4669615a7bcf79;p=php protect _SESSION, HTTP_SESSION_VARS and GLOBALS maintain an internal reference of _SESSION, so that it won't be possible to destroy it from userspace --- diff --git a/ext/session/session.c b/ext/session/session.c index f433caf52b..7391fc442c 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -418,6 +418,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) int namelen; int has_value; php_unserialize_data_t var_hash; + int globals_on = PG(register_globals); PHP_VAR_UNSERIALIZE_INIT(var_hash); @@ -428,15 +429,22 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) name = estrndup(p + 1, namelen); p += namelen + 1; - - if (has_value) { - ALLOC_INIT_ZVAL(current); - if (php_var_unserialize(¤t, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) { - php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) { + /* _SESSION hijack attempt */ + } else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) { + /* _GLOBALS hijack attempt */ + } else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) { + /* HTTP_SESSION_VARS hijack attempt */ + } else { + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) { + php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } + zval_ptr_dtor(¤t); } - zval_ptr_dtor(¤t); + PS_ADD_VARL(name, namelen); } - PS_ADD_VARL(name, namelen); efree(name); } @@ -488,6 +496,7 @@ PS_SERIALIZER_DECODE_FUNC(php) int namelen; int has_value; php_unserialize_data_t var_hash; + int globals_on = PG(register_globals); PHP_VAR_UNSERIALIZE_INIT(var_hash); @@ -509,14 +518,22 @@ PS_SERIALIZER_DECODE_FUNC(php) name = estrndup(p, namelen); q++; - if (has_value) { - ALLOC_INIT_ZVAL(current); - if (php_var_unserialize(¤t, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) { - php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) { + /* _SESSION hijack attempt */ + } else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) { + /* _GLOBALS hijack attempt */ + } else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) { + /* HTTP_SESSION_VARS hijack attempt */ + } else { + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) { + php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } + zval_ptr_dtor(¤t); } - zval_ptr_dtor(¤t); + PS_ADD_VARL(name, namelen); } - PS_ADD_VARL(name, namelen); efree(name); p = q; @@ -536,12 +553,16 @@ static void php_session_track_init(TSRMLS_D) zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION")); + if (PS(http_session_vars)) { + zval_ptr_dtor(&PS(http_session_vars)); + } + MAKE_STD_ZVAL(session_vars); array_init(session_vars); PS(http_session_vars) = session_vars; - ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1); - ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1); + ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 3, 1); + ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 3, 1); } static char *php_session_encode(int *newlen TSRMLS_DC) @@ -1641,6 +1662,10 @@ static void php_rinit_session_globals(TSRMLS_D) static void php_rshutdown_session_globals(TSRMLS_D) { + if (PS(http_session_vars)) { + zval_ptr_dtor(&PS(http_session_vars)); + PS(http_session_vars) = NULL; + } if (PS(mod_data)) { zend_try { PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);