authorGábor Hojtsy <gabor@hojtsy.hu>2007-12-05 19:12:59 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2007-12-05 19:12:59 +0000
commitafe3f4318ddee5e6273f6b84f8969006ffa58dc4 (patch)
tree5481631cb582e075dbc5f7292852468fe0e387c7 /includes
parentbc0d7cb36914fd06db890854a3a45ef2b5af8902 (diff)
security fixes forward ported from Drupal 5.2 - previously not committed parts of http://drupal.org/cvs?commit=74833
Diffstat (limited to 'includes')
-rw-r--r--includes/session.inc25
1 files changed, 23 insertions, 2 deletions
diff --git a/includes/session.inc b/includes/session.inc
index f79f11736..e589c07e4 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -56,8 +56,9 @@ function sess_read($key) {
function sess_write($key, $value) {
global $user;
- // If the client doesn't have a session, and one isn't being created ($value), do nothing.
- if (empty($_COOKIE[session_name()]) && empty($value)) {
+ // If saving of session data is disabled or if the client doesn't have a session,
+ // and one isn't being created ($value), do nothing.
+ if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) {
return TRUE;
}
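Review bot: The rewritten comment above the guard in sess_write() does not make the grouping of the condition clear: "disabled or no session, and one isn't being created" can be read as the `$value` check applying to both halves, while the code skips the write unconditionally when saving is disabled. I would word it as `// Do nothing if saving of session data is disabled, or if the client has no session cookie and no session data is being written.`. It is also worth a short why-comment that the function still returns TRUE in the disabled case, so the skipped write is deliberately reported as success to the session handler. The rest of sess_write() lies outside the hunk.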
@@ -153,3 +154,23 @@ function sess_gc($lifetime) {
return TRUE;
}
+
+/**
+ * Determine whether to save session data of the current request.
+ *
+ * This function allows the caller to temporarily disable writing of session data,
+ * should the request end while performing potentially dangerous operations, such as
+ * manipulating the global $user object.
+ *
+ * @param $status
+ * Disables writing of session data when FALSE, (re-)enables writing when TRUE.
+ * @return
+ * FALSE if writing session data has been disabled. Otherwise, TRUE.
+ */
+function session_save_session($status = NULL) {
+ static $save_session = TRUE;
+ if (isset($status)) {
+ $save_session = $status;
+ }
+ return ($save_session);
+}
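Review bot: session_save_session() keeps one static flag for the whole request, so nested use is not safe: an inner `session_save_session(TRUE)` turns writing back on while an outer caller may still have the global $user swapped. The docblock should tell callers to read the current state first and restore that value afterwards, for example `$old = session_save_session(); session_save_session(FALSE);` followed later by `session_save_session($old);`. This matters because a call that sets the flag returns the new value, not the previous one. The docblock should also state that a caller which never re-enables saving drops all session writes for the remainder of the request. As a smaller point, `$status` is stored as passed; `$save_session = (bool) $status;` would keep the return value to the documented TRUE/FALSE.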