2 Fix for XSS in session.use_trans_sid support: CAN-2003-0442.
4 --- php-4.2.2/ext/session/session.c.sessid
5 +++ php-4.2.2/ext/session/session.c
7 static void php_session_output_handler(char *output, uint output_len, char **handled_output, uint *handled_output_len, int mode TSRMLS_DC)
9 if ((PS(session_status) == php_session_active)) {
10 - *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), PS(id), handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
11 + char *encoded = php_url_encode(PS(id), strlen(PS(id)), NULL);
12 + *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), encoded, handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
15 *handled_output = NULL;
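Review bot: The encoding is applied only at this one sink, the `url_adapt_ext_ex()` call in `php_session_output_handler`, so `PS(id)` itself stays exactly as it was received. Any other place that writes the id into output would need the same treatment, and none of those places are visible in this hunk. A comment above the new declaration would record the reason, e.g. `/* PS(id) can come from the request; encode it before it is written into rewritten URLs */`, and rejecting ids with unexpected characters at the point where the id is accepted would close the issue for every sink at once. Separately, `php_url_encode()` returns an allocated buffer and the lines shown do not release it, so unless a line missing from this listing already does, add `efree(encoded);` right after the `url_adapt_ext_ex()` call. The function body starts and ends outside the lines shown here.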