From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 26 Dec 2006 17:23:33 +0000 (+0000)
Subject: MFH: Session deserializer protection.
X-Git-Tag: php-4.4.5RC1~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f025e896df5ec9b22c7d846f0e60f286e6f346f5;p=php

MFH: Session deserializer protection.
---

diff --git a/ext/session/session.c b/ext/session/session.c
index 7391fc442c..1d60e08500 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -418,33 +418,33 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
 	int namelen;
 	int has_value;
 	php_unserialize_data_t var_hash;
-	int globals_on = PG(register_globals);
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	for (p = val; p < endptr; ) {
+		zval **tmp;
 		namelen = *p & (~PS_BIN_UNDEF);
 		has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
 		name = estrndup(p + 1, namelen);
 		
 		p += namelen + 1;
-		if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-			/* _SESSION hijack attempt */
-		} else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-			/* _GLOBALS hijack attempt */
-		} else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-			/* HTTP_SESSION_VARS hijack attempt */
-		} else {
-			if (has_value) {
-				ALLOC_INIT_ZVAL(current);
-				if (php_var_unserialize(&current, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
-					php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
-				}
-				zval_ptr_dtor(&current);
+
+		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+				efree(name);
+				continue;
+			}
+		}
+
+		if (has_value) {
+			ALLOC_INIT_ZVAL(current);
+			if (php_var_unserialize(&current, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
+				php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
 			}
-			PS_ADD_VARL(name, namelen);
+			zval_ptr_dtor(&current);
 		}
+		PS_ADD_VARL(name, namelen);
 		efree(name);
 	}
 
@@ -496,13 +496,13 @@ PS_SERIALIZER_DECODE_FUNC(php)
 	int namelen;
 	int has_value;
 	php_unserialize_data_t var_hash;
-	int globals_on = PG(register_globals);
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	p = val;
 
 	while (p < endptr) {
+		zval **tmp;
 		q = p;
 		while (*q != PS_DELIMITER)
 			if (++q >= endptr) goto break_outer_loop;
@@ -517,23 +517,23 @@ PS_SERIALIZER_DECODE_FUNC(php)
 		namelen = q - p;
 		name = estrndup(p, namelen);
 		q++;
-		
-		if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-			/* _SESSION hijack attempt */
-		} else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-			/* _GLOBALS hijack attempt */
-		} else if (globals_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-			/* HTTP_SESSION_VARS hijack attempt */
-		} else { 
-			if (has_value) {
-				ALLOC_INIT_ZVAL(current);
-				if (php_var_unserialize(&current, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
-					php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
-				}
-				zval_ptr_dtor(&current);
+
+		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+				efree(name);
+				goto skip;
+			}
+		}
+
+		if (has_value) {
+			ALLOC_INIT_ZVAL(current);
+			if (php_var_unserialize(&current, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
+				php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
 			}
-			PS_ADD_VARL(name, namelen);
+			zval_ptr_dtor(&current);
 		}
+		PS_ADD_VARL(name, namelen);
+skip:
 		efree(name);
 		
 		p = q;