What site do you want to break today?
at 2007-08-12 15:10:20
I just came back home and saw a very recent commit to PHP's session management. It is another attempt to fix the session cookie attribute injection that the PHP developers already tried to fix in PHP 5.2.3 without giving any credits. They still refuse to implement the correct fix that consists of just encoding the session id before sending it back through the cookie.
The amusing thing this time is that their new fix that consists of blacklisting a bunch of legal characters from the session id, will most probably result in hundreds or thousands of broken sites. What is even more funny is that the commit comes from a Zend employee that blacklists the ':' character from being used in the session id. The last time I audited the Zend Platform session clustering module it used exactly this character within session ids. This basically means that the session clustering of the Zend Platform will no longer work with the next PHP versions.
And as a final comment to the commiter: You are blacklisting a bunch of legal characters. Whatever RFC you used for choosing the characters for your blacklist was the wrong one. PHP implements the Netscape Cookie standard that is defined here. That document described very clearly that all characters are allowed except whitespace and semicolon. So nearly all the characters in your list are legal. Thank you for breaking lots of sites.
Blog Source - http://blog.php-security.org/feeds/index.rss
|