mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-24 18:34:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove outdate checks

Browse Source
This commit is contained in:
Xinchen Hui 2016-08-18 15:37:15 +08:00
parent 1685282a15
commit a3740dadec
2 changed files with 6 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ext/session/session.c
View File

@ -835,7 +835,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
zval *tmp;
skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
@ -850,13 +849,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
p += namelen + 1;
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
skip = 1;
}
}
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);
@ -933,7 +925,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
p = val;
while (p < endptr) {
zval *tmp;
q = p;
skip = 0;
while (*q != PS_DELIMITER) {
@ -950,13 +941,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
name = zend_string_init(p, namelen, 0);
q++;
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
skip = 1;
}
}
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);

7
ext/session/tests/bug72681.phpt
View File

@ -6,12 +6,17 @@ Bug #72681: PHP Session Data Injection Vulnerability
<?php
ini_set('session.serialize_handler', 'php');
session_start();
$GLOBALS['ryat'] = $GLOBALS;
$GLOBALS['ryat'] = $_SESSION;
$_SESSION['ryat'] = 'ryat|O:8:"stdClass":0:{}';
session_write_close();
session_start();
var_dump($ryat);
var_dump($_SESSION);
?>
--EXPECT--
array(0) {
}
array(1) {
["ryat"]=>
string(24) "ryat|O:8:"stdClass":0:{}"
}