author | Xinchen Hui <laruence@gmail.com> | 2016-08-18 15:37:15 +0800 |
---|---|---|
committer | Xinchen Hui <laruence@gmail.com> | 2016-08-18 15:37:15 +0800 |
commit | a3740dadecec9d47cde6055996e2ca13dd10c4f6 (patch) | |
tree | 36c336a6bf2b1ef6c4c10ee7f897f2ebe3c7c029 | |
parent | 1685282a158e5c92a7e84aed703355d27774d018 (diff) | |
download | php-git-a3740dadecec9d47cde6055996e2ca13dd10c4f6.tar.gz |
Remove outdate checks
-rw-r--r-- | ext/session/session.c | 16 | ||||
-rw-r--r-- | ext/session/tests/bug72681.phpt | 7 |
2 files changed, 6 insertions, 17 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index b303b90653..9668db4c83 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -835,7 +835,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 for (p = val; p < endptr; ) {
- zval *tmp;
 skip = 0;
 namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
@@ -850,13 +849,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 p += namelen + 1;
- if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
- if ((Z_TYPE_P(tmp) == IS_ARRAY &&
- Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- skip = 1;
- }
- }
-
 if (has_value) {
 zval *current, rv;
 current = var_tmp_var(&var_hash);
@@ -933,7 +925,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 p = val;
 while (p < endptr) {
- zval *tmp;
 q = p;
 skip = 0;
 while (*q != PS_DELIMITER) {
@@ -950,13 +941,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 name = zend_string_init(p, namelen, 0);
 q++;
- if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
- if ((Z_TYPE_P(tmp) == IS_ARRAY &&
- Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- skip = 1;
- }
- }
-
 if (has_value) {
 zval *current, rv;
 current = var_tmp_var(&var_hash);
diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt
index ceca6ecc33..4752767d50 100644
--- a/ext/session/tests/bug72681.phpt
+++ b/ext/session/tests/bug72681.phpt
@@ -6,12 +6,17 @@ Bug #72681: PHP Session Data Injection Vulnerability
 <?php
 ini_set('session.serialize_handler', 'php');
 session_start();
-$GLOBALS['ryat'] = $GLOBALS;
+$GLOBALS['ryat'] = $_SESSION;
 $_SESSION['ryat'] = 'ryat|O:8:"stdClass":0:{}';
 session_write_close();
 session_start();
+var_dump($ryat);
 var_dump($_SESSION);
 ?>
 --EXPECT--
 array(0) {
 }
+array(1) {
+ ["ryat"]=>
+ string(24) "ryat|O:8:"stdClass":0:{}"
+} |
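Review bot: The rewritten line `$GLOBALS['ryat'] = $_SESSION;` replaces the only case this regression test had for the original Bug #72681 input, where `ryat` was set to `$GLOBALS` itself, so that case is no longer checked after the commit. That matters here because the session.c hunks of the same commit delete the guard that compared the looked-up entry against `&EG(symbol_table)` and `&PS(http_session_vars)` in both the `php` and `php_binary` decoders, and the test still selects only the `php` handler. I would keep the old assignment as a second test (its own file, or a second block with its own expected dump) and run both variants once more with `ini_set('session.serialize_handler', 'php_binary');`. Separately, `skip = 0;` remains as context in both decode loops; if the deleted block was its only writer (the rest of each function lies outside the hunks), the variable and any test of it are now dead and could be removed as well.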