From 7bf62c33af160ed699af938ef10320ff95ac4a02 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Sun, 31 Jan 2010 18:06:29 +0000
Subject: [PATCH] Fixed a possible open_basedir/safe_mode bypass in session
 extension identified by Grzegorz Stachowiak.

---
 ext/session/session.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ext/session/session.c b/ext/session/session.c
index cd53cf1ac63..2004b2de138 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -563,8 +563,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 			return FAILURE;
 		}
 
-		if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+		/* we do not use zend_memrchr() since path can contain ; itself */
+		if ((p = strchr(new_value, ';'))) {
+			char *p2;
 			p++;
+			if ((p2 = strchr(p, ';'))) {
+				p = p2 + 1;
+			}
 		} else {
 			p = new_value;
 		}