Bug with PHPDIG_SESSID_VAR?


Edomondo
11-23-2004, 06:52 AM
It seems that the session ID remover has a small bug.

With the original configuration:
define('PHPDIG_SESSID_VAR','PHPSESSID,s');
every variable passed in the URL ending with one value of PHPDIG_SESSID_VAR is disregarded.

I had a problem with index.php?series=001 turned into index.php?serie.

Where is the function that uses PHPDIG_SESSID_VAR? :chicken:

indeh
11-30-2004, 09:56 AM
I can confirm this bug. The function is phpdigSessionRemoveIt in robot_functions.php (line 1776):

function phpdigSessionRemoveIt($what,$eval) {
    $what = trim($what);
    $eval = ereg_replace($what.'=[a-zA-Z0-9.,;=/-]*','',$eval);
    $eval = str_replace("&&","&",$eval);
    $eval = str_replace("?&","?",$eval);
    $eval = eregi_replace("&$","",$eval);
    $eval = str_replace("&&","&",$eval);
    $eval = eregi_replace("[?][&]","?",$eval);
    $eval = eregi_replace("&$","",$eval);
    $eval = ereg_replace("[?]$","",$eval); // remove trailing question mark
    return $eval;
}

My regex skills are kind of rusty at the moment, but shouldn't the second line of the function be something more like:

$eval = ereg_replace('([?&])'.$what.'=[a-zA-Z0-9.,;=/-]*','\\1',$eval);
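
Added example, not part of either post and not phpDig code: the unanchored pattern from the thread next to the anchored one suggested in the reply, run over the thread's URL and two constructed ones. It shows the unanchored version cutting `series=001` down to `serie` while the anchored version leaves it intact. The function names, the `preg_*` port (the `ereg_*` functions were removed in PHP 7) and the comma split of the configured value are assumptions.

```php
<?php
// Added illustration; hypothetical helper names, not phpDig's own functions.

// Cleanup equivalent to the tail of the function in the thread:
// collapse doubled separators and drop a dangling "?" or "&".
function tidyQuery(string $url): string {
    $url = preg_replace('~&{2,}~', '&', $url);
    $url = str_replace('?&', '?', $url);
    return preg_replace('~[?&]$~', '', $url);
}

// Unanchored pattern: the name matches anywhere, including the tail of a
// longer parameter name ("s" inside "series").
function removeUnanchored(string $name, string $url): string {
    $re = '~' . preg_quote(trim($name), '~') . '=[a-zA-Z0-9.,;=/-]*~';
    return tidyQuery(preg_replace($re, '', $url));
}

// Anchored pattern: the name must directly follow "?" or "&", and that
// separator is put back so the remaining parameters stay delimited.
function removeAnchored(string $name, string $url): string {
    $re = '~([?&])' . preg_quote(trim($name), '~') . '=[a-zA-Z0-9.,;=/-]*~';
    return tidyQuery(preg_replace($re, '$1', $url));
}

// Configured value from the thread; splitting on commas is an assumption.
$names = explode(',', 'PHPSESSID,s');

$urls = [
    'index.php?series=001',                 // URL from the thread
    'index.php?s=abc123&series=001',        // constructed sample
    'index.php?page=2&PHPSESSID=deadbeef',  // constructed sample
];

foreach ($urls as $url) {
    $loose = $strict = $url;
    foreach ($names as $name) {
        $loose  = removeUnanchored($name, $loose);
        $strict = removeAnchored($name, $strict);
    }
    printf("%s\n  unanchored: %s\n  anchored:   %s\n", $url, $loose, $strict);
}
```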