authorIlia Alshanetsky <iliaa@php.net>2010-04-26 18:35:54 +0000
committerIlia Alshanetsky <iliaa@php.net>2010-04-26 18:35:54 +0000
commit64f372fae2876a197996a1753d3659d8fa9d0bb4 (patch)
treecd2b6c71743ce92a2a6a8b88cb17b1588289192f
parent0f88851e92ee077dc1ec27ee936b8317af1797a5 (diff)
downloadphp-git-64f372fae2876a197996a1753d3659d8fa9d0bb4.tar.gz
Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser
-rw-r--r--NEWS2
-rw-r--r--ext/session/session.c2
2 files changed, 3 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 1a8338c7f9..8e3edf0bc8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,8 @@ PHP NEWS
- Implemented FR#35638 (Adding udate to imap_fetch_overview results).
(Charles_Duffy at dell dot com )
+- Fixed handling of session variable serialization on certain prefix
+ characters. Reported by Stefan Esser (Ilia)
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
diff --git a/ext/session/session.c b/ext/session/session.c
index 6456f68163..0debe75ae3 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -895,7 +895,7 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
PS_ENCODE_LOOP(
smart_str_appendl(&buf, key, key_length);
- if (memchr(key, PS_DELIMITER, key_length)) {
+ if (memchr(key, PS_DELIMITER, key_length) || memchr(key, PS_UNDEF_MARKER, key_length)) {
PHP_VAR_SERIALIZE_DESTROY(var_hash);
smart_str_free(&buf);
return FAILURE;
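Review bot: The widened check on the `if` line carries no comment saying why a key containing `PS_UNDEF_MARKER` must be refused, and the diffstat lists only NEWS and session.c, so no regression test accompanies the fix. Presumably the decoder gives that byte a special meaning when it parses an entry, so a key carrying it would not read back as it was stored; a comment such as `/* keys containing the delimiter or the undef marker cannot be round-tripped by the decoder; refuse to encode */` would record that intent. The failure branch returns `FAILURE` for the whole encode with no diagnostic in the visible lines, so a single offending key silently discards every session variable; emitting an E_WARNING that names the key just before `return FAILURE;` would make the rejection visible in logs. The `PS_ENCODE_LOOP(` body opens in this hunk and closes outside it.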