Removing the use of unserialize() when reading the cookie. There is a…

… critical bug in PHP <= 5.2.13 and PHP <= 5.3.2. http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-free-vulnerability/index.html
fluxbb · Aug 8, 2010 · 242b06b · 242b06b
1 parent 421e67c
commit 242b06b
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/include/functions.php b/include/functions.php
@@ -26,11 +26,11 @@ function check_cookie(&$pun_user)
 	$now = time();
 
 	// We assume it's a guest
-	$cookie = array('user_id' => 1, 'password_hash' => 'Guest');
+	$cookie = array('user_id' => 1, 'password_hash' => 'Guest', 'expiration_time' => 0);
 
 	// If a cookie is set, we get the user_id and password hash from it
-	if (isset($_COOKIE[$cookie_name]))
-		list($cookie['user_id'], $cookie['password_hash'], $cookie['expiration_time']) = @unserialize($_COOKIE[$cookie_name]);
+	if (isset($_COOKIE[$cookie_name]) && preg_match('/a:3:{i:0;s:[\d]+:"([\d]+)";i:1;s:[\d]+:"([0-9a-f]+)";i:2;i:([\d]+);};/', $_COOKIE[$cookie_name], $matches))
+		list(, $cookie['user_id'], $cookie['password_hash'], $cookie['expiration_time']) = $matches;
 
 	if ($cookie['user_id'] > 1)
 	{