nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prevent attack on the session name cookie

Browse Source
This commit is contained in:
Marc Delisle
2007-01-08 18:09:57 +00:00
parent 9ae2b21e22
commit c9d93f6394
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$Source$ $Source$
2007-01-08 Marc Delisle <lem9@users.sourceforge.net>
* libraries/session.inc.php: prevent attack on session name cookie
2007-01-05 Marc Delisle <lem9@users.sourceforge.net> 2007-01-05 Marc Delisle <lem9@users.sourceforge.net>
* libraries/session.inc.php: bug #1538132, remove the setting of * libraries/session.inc.php: bug #1538132, remove the setting of
session.save_handler to 'files' session.save_handler to 'files'

9
libraries/session.inc.php
View File

@@ -77,7 +77,14 @@ if (version_compare(PHP_VERSION, '5.0.0', 'ge')
// See bug #1538132. This would block normal behavior on a cluster // See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files'); //ini_set('session.save_handler', 'files');
@session_name('phpMyAdmin'); $session_name = 'phpMyAdmin';
@session_name($session_name);
// strictly, PHP 4 since 4.4.2 would not need a verification
if (version_compare(PHP_VERSION, '5.1.2', 'lt')
&& isset($_COOKIE[$session_name])
&& eregi("\r|\n", $_COOKIE[$session_name])) {
die('attacked');
}
@session_start(); @session_start();
/** /**