Newsgroups: php.internals
Xref: news.php.net php.internals:20217
Message-ID: <4381F007.9070408@hardened-php.net>
Date: Mon, 21 Nov 2005 17:04:23 +0100
To: internals@lists.php.net
Subject: Session Extension Strict Mode Patch
From: sesser@hardened-php.net (Stefan Esser)

Hello again,

some of you may remember the discussions about our session extension using a permissive mode for session IDs, which means that PHP accepts all session IDs from the outside and not only those created by itself.

While I have repeatedly stated that the strict_mode provides only little additional protection against real world attacks (yes, there are theoretical advantages of strict mode, but in nearly all cases it does NOT offer additional protection), I have created a little patch against ext/session of PHP5.1 that provides the following new features.

Ini-Setting:

  session.use_strict_mode = 0/1 -> to disable or enable strict mode checking in internal files/mm session handlers (currently it defaults to enable)

session_set_save_handler - does now accept two more (optional) handlers

  string create_sid()
  bool validate_sid($key)

One can provide NULL as create_sid() handler to use the normal PHP handler. In validate_sid() one can add his own detection of whether a given SID is allowed (e.g. charset) or not. When a SID is not allowed, it will create a new one through the create_sid() handler.

To implement all this, I had to add the validate_sid function to the internal structure of session_modules. This means that the sqlite session module has also to be patched to stay compatible.

The patch is for review at:

http://www.suspekt.org/session_strict_mode.patch

Please comment on it. I will add this to the next version of my Hardening-Patch and would like to sync my idea with what we can put into 5.2/6.0.

Stefan Esser

--
--------------------------------------------------------------------------
 Stefan Esser                                        sesser@php.net
 Hardened-PHP Project                      http://www.hardened-php.net/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
 Key fingerprint       7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
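
Added example, not part of the original mail or the patch: the two hooks described above, written against the handler-object form of session_set_save_handler() in PHP 8 (create_sid() from SessionIdInterface, validateId() from SessionUpdateTimestampHandlerInterface) rather than the callback signature proposed in the mail. The class name, the in-memory store and both sample IDs are constructed for the illustration; it is meant to be run from the PHP command line.

```php
<?php
// Added example: in-memory session store (constructed data) showing strict mode
// replacing a session ID that this application never issued.
final class StrictDemoHandler implements
    SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    /** session ID => serialized session data (constructed sample) */
    public array $store = ['0123456789abcdef0123456789abcdef' => 'user|s:5:"alice";'];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
    public function updateTimestamp(string $id, string $data): bool { return true; }

    // The create_sid() hook: every ID the application hands out is minted here.
    public function create_sid(): string { return bin2hex(random_bytes(16)); }

    // The validate_sid() hook: check the charset first, then that the ID is one
    // this store already knows. Only consulted when session.use_strict_mode = 1.
    public function validateId(string $id): bool
    {
        return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1 && isset($this->store[$id]);
    }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');   // CLI demo: no Set-Cookie header involved
session_set_save_handler(new StrictDemoHandler(), true);

// Start a session with an ID supplied "from the outside"; return the ID PHP ends up using.
function effective_id(string $incoming): string
{
    session_id($incoming);
    session_start();
    $id = session_id();
    session_write_close();
    return $id;
}

$known   = effective_id('0123456789abcdef0123456789abcdef'); // issued earlier
$planted = effective_id('attacker-chosen-id');               // constructed, never issued

printf("known ID kept:       %s\n", var_export($known === '0123456789abcdef0123456789abcdef', true));
printf("planted ID replaced: %s\n", var_export($planted !== 'attacker-chosen-id', true));
```

With session.use_strict_mode set to 0, validateId() is not consulted and the second call keeps the supplied ID, which is the permissive behaviour the mail describes.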