author | Christoph M. Becker <cmbecker69@gmx.de> | 2021-02-22 12:36:43 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2021-02-22 12:36:43 +0100 |
commit | 59d030c55b6515e448d324bf0f97189aefc554bc (patch) | |
tree | eb5658c7fc78828e9b315587cd26f9c1fbb4809f /ext | |
parent | 8e8e0017b986d4a2ca45cb2931e4d50f565e1f89 (diff) | |
parent | 6dcd640f35a88bfc0f07b056ef47e2ff9c366ffc (diff) | |
download | php-git-59d030c55b6515e448d324bf0f97189aefc554bc.tar.gz |
Merge branch 'PHP-8.0'
* PHP-8.0:
Fix #80774: session_name() problem with backslash
Diffstat (limited to 'ext')
-rw-r--r-- | ext/session/session.c | 20 | ||||
-rw-r--r-- | ext/session/tests/bug80774.phpt | 15 | ||||
-rw-r--r-- | ext/session/tests/session_name_variation1.phpt | 4 |
3 files changed, 30 insertions, 9 deletions
diff --git a/ext/session/session.c b/ext/session/session.c index 7a78c87805..f9d111768a 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -1264,13 +1264,11 @@ static void php_session_remove_cookie(void) { zend_llist_element *next; zend_llist_element *current; char *session_cookie; - zend_string *e_session_name; size_t session_cookie_len; size_t len = sizeof("Set-Cookie")-1; - e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name))); - spprintf(&session_cookie, 0, "Set-Cookie: %s=", ZSTR_VAL(e_session_name)); - zend_string_free(e_session_name); + ZEND_ASSERT(strpbrk(PS(session_name), "=,; \t\r\n\013\014") == NULL); + spprintf(&session_cookie, 0, "Set-Cookie: %s=", PS(session_name)); session_cookie_len = strlen(session_cookie); current = l->head; @@ -1302,7 +1300,7 @@ static int php_session_send_cookie(void) /* {{{ */ { smart_str ncookie = {0}; zend_string *date_fmt = NULL; - zend_string *e_session_name, *e_id; + zend_string *e_id; if (SG(headers_sent)) { const char *output_start_filename = php_output_get_start_filename(); 
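Review bot: The `ZEND_ASSERT(strpbrk(PS(session_name), ...) == NULL)` added in php_session_remove_cookie() is only enforced in debug builds, so in a release build the unencoded name is trusted here purely because some caller is expected to have validated it. That caller is not visible in this hunk, so the invariant should be written down where it is relied on, e.g. `/* callers must already have rejected header-breaking characters in session_name */`. The reject set `"=,; \t\r\n\013\014"` is also repeated verbatim in the `strpbrk()` call of the -1316 hunk; a single shared `#define` for that literal would keep the two from drifting apart. The function body continues outside the hunk.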
@@ -1316,16 +1314,20 @@ static int php_session_send_cookie(void) /* {{{ */ return FAILURE; } - /* URL encode session_name and id because they might be user supplied */ - e_session_name = php_url_encode(PS(session_name), strlen(PS(session_name))); + /* Prevent broken Set-Cookie header, because the session_name might be user supplied */ + if (strpbrk(PS(session_name), "=,; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */ + php_error_docref(NULL, E_WARNING, "session.name cannot contain any of the following '=,; \\t\\r\\n\\013\\014'"); + return FAILURE; + } + + /* URL encode id because it might be user supplied */ e_id = php_url_encode(ZSTR_VAL(PS(id)), ZSTR_LEN(PS(id))); smart_str_appendl(&ncookie, "Set-Cookie: ", sizeof("Set-Cookie: ")-1); - smart_str_appendl(&ncookie, ZSTR_VAL(e_session_name), ZSTR_LEN(e_session_name)); + smart_str_appendl(&ncookie, PS(session_name), strlen(PS(session_name))); smart_str_appendc(&ncookie, '='); smart_str_appendl(&ncookie, ZSTR_VAL(e_id), ZSTR_LEN(e_id)); - zend_string_release_ex(e_session_name, 0); zend_string_release_ex(e_id, 0); if (PS(cookie_lifetime) > 0) { diff --git a/ext/session/tests/bug80774.phpt b/ext/session/tests/bug80774.phpt new file mode 100644 index 0000000000..2ce07263f2 --- /dev/null +++ b/ext/session/tests/bug80774.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #80774 (session_name() problem with backslash) +--SKIPIF-- +<?php +if (!extension_loaded('session')) die("skip session extension not available"); +?> +--FILE-- +<?php +session_name("foo\\bar"); +session_id('12345'); +session_start(); +?> +--EXPECTHEADERS-- +Set-Cookie: foo\bar=12345; path=/ +--EXPECT-- diff --git a/ext/session/tests/session_name_variation1.phpt b/ext/session/tests/session_name_variation1.phpt index 71849de565..b9debaef2c 100644 --- a/ext/session/tests/session_name_variation1.phpt +++ b/ext/session/tests/session_name_variation1.phpt 
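Review bot: The new `strpbrk()` check in php_session_send_cookie() rejects a header-breaking session.name only when the cookie is built, so the value is still accepted when it is set, and every other consumer of `PS(session_name)` must repeat or assume the check, as the `ZEND_ASSERT` in php_session_remove_cookie() already does. The updated expectation in session_name_variation1.phpt shows the warning followed by `bool(true)`, which suggests the session still starts while no cookie is sent. Consider applying the same condition, `strpbrk(name, "=,; \t\r\n\013\014") != NULL`, where session.name is already validated (the code that emits "cannot be numeric or empty"), and keeping this check as a second line of defence. The set covers CR and LF but lets other control bytes through unencoded; whether that matters depends on header handling that is not visible here. The function starts and ends outside the hunk.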
@@ -42,6 +42,8 @@ string(9) "PHPSESSID" bool(true) string(9) "PHPSESSID" string(9) "PHPSESSID" + +Warning: session_start(): session.name cannot contain any of the following '=,; \t\r\n\013\014' in %s on line %d bool(true) string(1) " " bool(true) @@ -49,6 +51,8 @@ string(1) " " Warning: session_name(): session.name "" cannot be numeric or empty in %s on line %d string(1) " " + +Warning: session_start(): session.name cannot contain any of the following '=,; \t\r\n\013\014' in %s on line %d bool(true) string(1) " " bool(true) |