Hi all,

https://github.com/php/php-src/pull/725

This is the fix for https://bugs.php.net/bug.php?id=66827

This kind of malformed data is most likely an attack, but raising an error is not an option. A quick grep shows no module or core code that logs an error only, i.e. there is no error-logging-only code. All of them raise E_NOTICE/E_WARNING/etc.

I would like to record a log entry for something that could be an attack. Since there is no code like this, I am asking for your opinions.

The patch tries to remove the offensive cookie, but it's far from perfect. In fact, removing all offensive cookies in the session module is impossible. We may let E_NOTICE be raised and try the best it can. If it could remove the offensive cookie, the error is recorded and the user may use their app from the next request.

Any comments?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net