From: Marcus Boerger Date: Mon, 14 Feb 2005 20:58:22 +0000 (+0000) Subject: - Disallow illegal class names X-Git-Tag: RELEASE_0_2_4~48 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ff8055fc5c9750482aac7a25a074aae0b1e64706;p=php - Disallow illegal class names --- diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index c520302d1e..bc2a477df3 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -473,7 +473,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) } "O:" uiv ":" ["] { - size_t len, len2, maxlen; + size_t len, len2, len3, maxlen; int elements; char *class_name; zend_class_entry *ce; @@ -506,6 +506,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) return 0; } + len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); + if (len3 != len) + { + *p = YYCURSOR + len3 - len; + return 0; + } + class_name = estrndup(class_name, len); do {
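Review bot: The `strspn` call added in the second hunk has no length bound, and `class_name` still points into the serialized input here (the `estrndup` copy only happens afterwards), so the scan stops at the first byte outside the accept set rather than at `len`. That is safe only if the checks above the hunk guarantee a non-identifier byte, presumably the closing quote, at `class_name[len]`. Those checks are not visible in this hunk, so I would record the dependency next to the call: `/* class_name is not NUL-terminated; relies on the '"' at class_name[len] validated above to stop strspn */`. The error position `YYCURSOR + len3 - len` likewise assumes `YYCURSOR == class_name + len` at this point; writing it as `class_name + len3` would remove that assumption if the cursor type allows it. The enclosing `"O:"` rule body starts and ends outside the hunk.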