improve session check security by just searching for sid=@xxx@

VERSION

@@ -1 +1 @@
-2.5
+2.6

www/exec.cgi

@@ -1,18 +1,7 @@
 #!/bin/tclsh
 
-load tclrega.so
 source session.tcl
 
-catch {
-  set input $env(QUERY_STRING)
-  set pairs [split $input &]
-  foreach pair $pairs {
-    if {0 != [regexp "^(\[^=]*)=(.*)$" $pair dummy varname val]} {
-      set $varname $val
-    }
-  }
-}
-
 proc toString { str } {
   set map {
     "\"" "\\\""

www/exec1.cgi

@@ -1,18 +1,7 @@
 #!/bin/tclsh
 
-load tclrega.so
 source session.tcl
 
-catch {
-  set input $env(QUERY_STRING)
-  set pairs [split $input &]
-  foreach pair $pairs {
-    if {0 != [regexp "^(\[^=]*)=(.*)$" $pair dummy varname val]} {
-      set $varname $val
-    }
-  }
-}
-
 proc toString { str } {
   set map {
     "\"" "\\\""

www/session.tcl

@@ -2,6 +2,18 @@
 
 load tclrega.so
 
+catch {
+  set input $env(QUERY_STRING)
+  set pairs [split $input &]
+  set sid ""
+  foreach pair $pairs {
+    if {0 != [regexp "^sid=(@.*@)$" $pair dummy val]} {
+      set sid $val
+      break
+    }
+  }
+}
+
 proc check_session sid {
   if {[regexp {@([0-9a-zA-Z]{10})@} $sid all sidnr]} {
     set res [lindex [rega_script "Write(system.GetSessionVarStr('$sidnr'));"] 1]
@@ -10,4 +22,4 @@ proc check_session sid {
     }
   }
   return 0
-} 
+}