Update of /cvsroot/phplib/php-lib/php/session
In directory usw-pr-cvs1:/tmp/cvs-serv22170/session
Modified Files:
session3.inc session4.inc
Log Message:
Changes to prevent cross-site scripting attacks:
Encode dangerous characters in session URLs
Pass user input through htmlentities before output
Index: session3.inc
===================================================================
RCS file: /cvsroot/phplib/php-lib/php/session/session3.inc,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -d -r1.7 -r1.8
*** session3.inc 2001/08/26 04:50:40 1.7
--- session3.inc 2001/08/29 07:26:44 1.8
***************
*** 198,201 ****
--- 198,205 ----
break;
}
+
+ // Encode naughty characters in the URL
+ $url = str_replace(array("<", ">", " ", "\"", "'"),
+ array("%3C", "%3E", "+", "%22", "%27"), $url);
return $url;
}
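Review bot: The replacement table in the added `str_replace` call is a fixed denylist, and it maps a space to `+`, which is query-string (form) encoding; a space in the path part of a URL would need `%20`, so the result is only right when spaces can occur after `?`. It also leaves `&` and control characters such as CR/LF untouched, so it cannot stand in for escaping at the point of output; wherever the returned URL is written into HTML it should still pass through `htmlspecialchars($url, ENT_QUOTES)`, and a comment here such as `// Percent-encode HTML-significant characters; callers must still escape for the output context` would make that expectation explicit. The same five-entry table is added to session4.inc's url() in the last hunk of this change, where the same points apply; a single shared helper would keep the two copies from drifting. The enclosing function starts outside this hunk.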
Index: session4.inc
===================================================================
RCS file: /cvsroot/phplib/php-lib/php/session/session4.inc,v
retrieving revision 1.13
retrieving revision 1.14
diff -C2 -d -r1.13 -r1.14
*** session4.inc 2001/05/30 14:37:05 1.13
--- session4.inc 2001/08/29 07:26:44 1.14
***************
*** 329,335 ****
return $url;
! $url = preg_replace("[&?]+$", "", $url);
! if (strstr($url, $this->name))
! return $url;
if (!$HTTP_COOKIE_VARS[$this->name]) {
--- 329,339 ----
return $url;
! // Remove existing session info from url
! $url = ereg_replace(
! "([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)",
! "\\1", $url);
!
! // Remove trailing ?/& if needed
! $url = ereg_replace("[&?]+$", "", $url);
if (!$HTTP_COOKIE_VARS[$this->name]) {
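Review bot: In the new `ereg_replace` pattern, `$this->id` is concatenated into the regular expression unescaped while `$this->name` goes through `quotemeta()`; any regex metacharacter in the id changes which part of `$url` gets stripped. Where the id is read from lies outside this hunk, so whether it can carry such characters cannot be confirmed here, but the asymmetry is cheap to remove: `"([&?])".quotemeta(urlencode($this->name))."=".quotemeta($this->id)."(&|$)",`. The trailing `$` inside the double-quoted string is literal because it is followed by `)`, though writing that piece as `'(&|$)'` would make the intent clearer to the next reader. The enclosing url() starts before this hunk.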
***************
*** 337,351 ****
}
return $url;
- /*
-
- $url .=(
- strpos ( $url,
- '?' ) ) ? chr (
- ord ( '&') & ord ( '?'
- ) ) : chr ( ord ( '&' )
- | ord ( '?')) .urlencode (
- $this->name). "=" .$this->id ;
- */
} // end func url
--- 341,348 ----
}
+ // Encode naughty characters in the URL
+ $url = str_replace(array("<", ">", " ", "\"", "'"),
+ array("%3C", "%3E", "+", "%22", "%27"), $url);
return $url;
} // end func url