
Commit db30407

author
Yasuo Ohgaki
committed
Remove "register_globals" support code from the php/php_binary serializers. As a result, users may use the PS_UNDEF_MARKER (=!) char in session variable names.
1 parent 5011a11 commit db30407


2 files changed

+28
-56
lines changed


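--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -887,10 +887,6 @@ PS_SERIALIZER_ENCODE_FUNC(php_binary) /* {{{ */
 smart_str_appendc(&buf, (unsigned char)ZSTR_LEN(key));
 smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
 php_var_serialize(&buf, struc, &var_hash);
-} else {
-if (ZSTR_LEN(key) > PS_BIN_MAX) continue;
-smart_str_appendc(&buf, (unsigned char) (ZSTR_LEN(key) & PS_BIN_UNDEF));
-smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
 );
 
 smart_str_0(&buf);
@@ -904,10 +900,10 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 {
 const char *p;
 const char *endptr = val + vallen;
-int has_value;
 int namelen;
 zend_string *name;
 php_unserialize_data_t var_hash;
+zval *current, rv;
 
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -919,26 +915,18 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 return FAILURE;
 }
 
-has_value = *p & PS_BIN_UNDEF ? 0 : 1;
-
 name = zend_string_init(p + 1, namelen, 0);
-
 p += namelen + 1;
+current = var_tmp_var(&var_hash);
 
-if (has_value) {
-zval *current, rv;
-current = var_tmp_var(&var_hash);
-if (php_var_unserialize(current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash)) {
-ZVAL_PTR(&rv, current);
-php_set_session_var(name, &rv, &var_hash);
-} else {
-zend_string_release(name);
-php_session_normalize_vars();
-PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
-return FAILURE;
-}
+if (php_var_unserialize(current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash)) {
+ZVAL_PTR(&rv, current);
+php_set_session_var(name, &rv, &var_hash);
 } else {
-PS_ADD_VARL(name);
+zend_string_release(name);
+php_session_normalize_vars();
+PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+return FAILURE;
 }
 zend_string_release(name);
 }
@@ -951,7 +939,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 /* }}} */
 
 #define PS_DELIMITER '|'
-#define PS_UNDEF_MARKER '!'
 
 PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
 {
@@ -962,19 +949,14 @@ PS_SERIALIZER_ENCODE_FUNC(php) /* {{{ */
 PHP_VAR_SERIALIZE_INIT(var_hash);
 
 PS_ENCODE_LOOP(
-smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
-if (memchr(ZSTR_VAL(key), PS_DELIMITER, ZSTR_LEN(key)) || memchr(ZSTR_VAL(key), PS_UNDEF_MARKER, ZSTR_LEN(key))) {
-PHP_VAR_SERIALIZE_DESTROY(var_hash);
-smart_str_free(&buf);
-return NULL;
-}
-smart_str_appendc(&buf, PS_DELIMITER);
-
-php_var_serialize(&buf, struc, &var_hash);
-} else {
-smart_str_appendc(&buf, PS_UNDEF_MARKER);
-smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
-smart_str_appendc(&buf, PS_DELIMITER);
+smart_str_appendl(&buf, ZSTR_VAL(key), ZSTR_LEN(key));
+if (memchr(ZSTR_VAL(key), PS_DELIMITER, ZSTR_LEN(key))) {
+PHP_VAR_SERIALIZE_DESTROY(var_hash);
+smart_str_free(&buf);
+return NULL;
+}
+smart_str_appendc(&buf, PS_DELIMITER);
+php_var_serialize(&buf, struc, &var_hash);
 );
 
 smart_str_0(&buf);
@@ -990,8 +972,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 const char *endptr = val + vallen;
 ptrdiff_t namelen;
 zend_string *name;
-int has_value, retval = SUCCESS;
+int retval = SUCCESS;
 php_unserialize_data_t var_hash;
+zval *current, rv;
 
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -1002,35 +985,24 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 while (*q != PS_DELIMITER) {
 if (++q >= endptr) goto break_outer_loop;
 }
-if (p[0] == PS_UNDEF_MARKER) {
-p++;
-has_value = 0;
-} else {
-has_value = 1;
-}
 
 namelen = q - p;
 name = zend_string_init(p, namelen, 0);
 q++;
 
-if (has_value) {
-zval *current, rv;
-current = var_tmp_var(&var_hash);
-if (php_var_unserialize(current, (const unsigned char **)&q, (const unsigned char *)endptr, &var_hash)) {
-ZVAL_PTR(&rv, current);
-php_set_session_var(name, &rv, &var_hash);
-} else {
-zend_string_release(name);
-retval = FAILURE;
-goto break_outer_loop;
-}
+current = var_tmp_var(&var_hash);
+if (php_var_unserialize(current, (const unsigned char **)&q, (const unsigned char *)endptr, &var_hash)) {
+ZVAL_PTR(&rv, current);
+php_set_session_var(name, &rv, &var_hash);
 } else {
-PS_ADD_VARL(name);
+zend_string_release(name);
+retval = FAILURE;
+goto break_outer_loop;
 }
 zend_string_release(name);
-
 p = q;
 }
+
 break_outer_loop:
 php_session_normalize_vars();
 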
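Review bot: With the `has_value` branch gone, both decoders hand every record to php_var_unserialize(), but nothing on the new side says what happens to stored data that still carries the old undefined marker. In PS_SERIALIZER_DECODE_FUNC(php) a leading `!` is now part of the name and the bytes after `|` are parsed as a serialized value, so such a record most likely ends in `retval = FAILURE; goto break_outer_loop;` and the remaining variables are dropped. In PS_SERIALIZER_DECODE_FUNC(php_binary) the test of `*p & PS_BIN_UNDEF` is removed while no hunk removes PS_BIN_UNDEF itself; the `namelen` computation lies outside the hunk, so if it still masks that bit off, a length byte with the high bit set is accepted as an ordinary record. Session payloads are read back from storage and should be parsed strictly, so I would reject the flagged byte before `zend_string_init`, e.g. `if (*p & PS_BIN_UNDEF) { PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE; }`, and add `/* '!' is an ordinary name character; legacy undefined-marker records are not decoded */` above `namelen = q - p;`.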

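--- a/ext/session/tests/session_encode_error2.phpt
+++ b/ext/session/tests/session_encode_error2.phpt
@@ -220,7 +220,7 @@ bool(true)
 
 -- Iteration 20 --
 bool(true)
-bool(false)
+string(33) "Hello World!|s:12:"Hello World!";"
 bool(true)
 
 -- Iteration 21 --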
