Index: ext/session/session.c
===================================================================
RCS file: /repository/php-src/ext/session/session.c,v
retrieving revision 1.417.2.8.2.21
diff -u -p -d -r1.417.2.8.2.21 session.c
--- ext/session/session.c	20 Dec 2006 19:31:28 -0000	1.417.2.8.2.21
+++ ext/session/session.c	23 Dec 2006 00:10:13 -0000
@@ -466,33 +466,38 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
 	int has_value;
 	php_unserialize_data_t var_hash;
 	int globals_on = PG(register_globals);
-	int longarrays_on = PG(register_long_arrays);
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	for (p = val; p < endptr; ) {
+		zval **tmp = NULL;
+
 		namelen = *p & (~PS_BIN_UNDEF);
 		has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
 		name = estrndup(p + 1, namelen);
 		
 		p += namelen + 1;
-		if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-			/* _SESSION hijack attempt */
-		} else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-			/* _GLOBALS hijack attempt */
-		} else if (globals_on && longarrays_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-			/* HTTP_SESSION_VARS hijack attempt */
-		} else {	
-			if (has_value) {
-				ALLOC_INIT_ZVAL(current);
-				if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
-					php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
-				}
-				zval_ptr_dtor(&current);
+		if (globals_on && PS(http_session_vars) && zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if (tmp && *tmp == PS(http_session_vars)) {
+				/* _SESSION */
+				efree(name);
+				continue;
+			}
+			if (tmp && Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) {
+				/* GLOBALS */
+				efree(name);
+				continue;
 			}
-			PS_ADD_VARL(name, namelen);
 		}
+		if (has_value) {
+			ALLOC_INIT_ZVAL(current);
+			if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+				php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
+			}
+			zval_ptr_dtor(&current);
+		}
+		PS_ADD_VARL(name, namelen);
 		efree(name);
 	}
 
@@ -545,13 +550,14 @@ PS_SERIALIZER_DECODE_FUNC(php)	
 	int has_value;
 	php_unserialize_data_t var_hash;
 	int globals_on = PG(register_globals);
-	int longarrays_on = PG(register_long_arrays);
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	p = val;
 
 	while (p < endptr) {
+		zval **tmp = NULL;
+
 		q = p;
 		while (*q != PS_DELIMITER)
 			if (++q >= endptr) goto break_outer_loop;
@@ -567,22 +573,28 @@ PS_SERIALIZER_DECODE_FUNC(php)	
 		name = estrndup(p, namelen);
 		q++;
 		
-		if (globals_on && namelen == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION") - 1)) {
-			/* _SESSION hijack attempt */
-		} else if (globals_on && namelen == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS") - 1)) {
-			/* GLOBALS hijack attempt */
-		} else if (globals_on && longarrays_on && namelen == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) {
-			/* HTTP_SESSION_VARS hijack attempt */
-		} else {
-			if (has_value) {
-				ALLOC_INIT_ZVAL(current);
-				if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
-					php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
-				}
-				zval_ptr_dtor(&current);
+		if (globals_on && PS(http_session_vars) && zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if (tmp && *tmp == PS(http_session_vars)) {
+				/* _SESSION */
+				efree(name);
+				p = q;
+				continue;
+			}
+			if (tmp && Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) {
+				/* GLOBALS */
+				efree(name);
+				p = q;
+				continue;
 			}
-			PS_ADD_VARL(name, namelen);
 		}
+		if (has_value) {
+			ALLOC_INIT_ZVAL(current);
+			if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+				php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);
+			}
+			zval_ptr_dtor(&current);
+		}
+		PS_ADD_VARL(name, namelen);
 		efree(name);
 		
 		p = q;