From e4e1f601258e52d3fb63c5b26b0dd8c6034167bf Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Fri, 15 Jun 2007 22:42:43 +0000
Subject: [PATCH] MF5: Disallow characters that Cookie RFC does not allow in unquoted cookies
---
 ext/session/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/session/session.c b/ext/session/session.c
index 93c185d443..9d0694dcc8 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -398,7 +398,7 @@ static void php_session_initialize(TSRMLS_D)
 int vallen;
 /* check session name for invalid characters */
- if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
 efree(PS(id));
 PS(id) = NULL;
 }
--
2.50.1
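Review bot: The extended `strpbrk` set in the `if (PS(id) && ...)` check is still a denylist, so any byte it does not name is accepted: control characters other than `\r\n\t`, DEL, bytes above 0x7F, and `/`, which the HTTP token grammar also lists as a separator. Because a legitimate id can only have come from the id generator, an allowlist would be tighter, for example `if (PS(id) && PS(id)[strspn(PS(id), ID_ALPHABET)] != '\0') {`, where `ID_ALPHABET` is a placeholder for the character set the generator emits. That alphabet is not visible in this hunk, so it is worth confirming that none of the newly rejected characters (`,` in particular) can occur in a generated id; otherwise valid sessions would be discarded without any diagnostic. php_session_initialize starts and continues outside the hunk.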