diff -Nurp orig/ext/session/session.c new/ext/session/session.c
--- orig/ext/session/session.c	2007-02-21 09:31:23.000000000 +0100
+++ new/ext/session/session.c	2007-02-21 09:32:02.000000000 +0100
@@ -291,9 +291,12 @@ void php_add_session_var(char *name, siz
 	if (PG(register_globals)) {
 		zval **sym_global = NULL;
 		
-		zend_hash_find(&EG(symbol_table), name, namelen + 1, 
-				(void *) &sym_global);
-				
+		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) {				
+			if ((Z_TYPE_PP(sym_global) == IS_ARRAY && Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global == PS(http_session_vars)) {
+				return;
+			}
+		}
+
 		if (sym_global == NULL && sym_track == NULL) {
 			zval *empty_var;
 
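Review bot: The guard on the second added line of this hunk is repeated verbatim in php_set_session_var and in both session decoders later in this diff, and none of the four copies carries a comment saying what it protects. Four hand-copied instances of `(Z_TYPE_PP(x) == IS_ARRAY && Z_ARRVAL_PP(x) == &EG(symbol_table)) || *x == PS(http_session_vars)` will drift apart. A single file-local macro, for example `#define PS_IS_PROTECTED_GLOBAL(zpp) (...)`, would keep them in step. It should carry a comment such as `/* never let a session variable replace the global symbol table array or the session array itself */`. php_add_session_var starts and ends outside the hunk.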
@@ -323,7 +326,10 @@ void php_set_session_var(char *name, siz
 	if (PG(register_globals)) {
 		zval **old_symbol;
 		if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) { 
-			
+			if ((Z_TYPE_PP(old_symbol) == IS_ARRAY && Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol == PS(http_session_vars)) {
+				return;
+			}
+
 			/* 
 			 * A global symbol with the same name exists already. That
 			 * symbol might have been created by other means (e.g. $_GET).
@@ -432,12 +438,20 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	for (p = val; p < endptr; ) {
+		zval **tmp;
 		namelen = *p & (~PS_BIN_UNDEF);
 
 		if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
 			return FAILURE;
 		}
 
+		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+				efree(name);
+				continue;
+  			}
+  		}
+
 		has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
 		name = estrndup(p + 1, namelen);
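Review bot: The added lookup reads `name` before this iteration assigns it, because `name = estrndup(p + 1, namelen);` only comes three lines after the new block. `zend_hash_find` and `efree(name)` therefore operate on whatever the pointer held before: unset on the first pass as far as the hunk shows, and presumably already freed on later passes, though the end of the loop body is outside the hunk. The `continue` also re-enters a `for` that has no increment expression without `p` having moved, so a match would revisit the same record indefinitely. Move the block below the `estrndup` call, and advance `p` past the whole record (the name and, where present, its serialized value) before `continue`.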
@@ -509,6 +523,7 @@ PS_SERIALIZER_DECODE_FUNC(php)	
 	p = val;
 
 	while (p < endptr) {
+		zval **tmp;
 		q = p;
 		while (*q != PS_DELIMITER)
 			if (++q >= endptr) goto break_outer_loop;
@@ -523,7 +538,13 @@ PS_SERIALIZER_DECODE_FUNC(php)	
 		namelen = q - p;
 		name = estrndup(p, namelen);
 		q++;
-		
+
+		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+				goto skip;
+  			}
+  		}
+
 		if (has_value) {
 			ALLOC_INIT_ZVAL(current);
 			if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
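Review bot: `goto skip` leaves `q` at the start of the rejected entry's serialized value, because the jump bypasses the `php_var_unserialize` call that would consume it. The `skip:` label added in the next hunk is followed by `p = q`, so those value bytes are then scanned as the next variable name and decoded as further records instead of being discarded. The rejected value should still be unserialized into a temporary and destroyed before the jump, so that only the store into the symbol table is skipped. The body of the `if (php_var_unserialize(...))` branch and the rest of the loop are outside these hunks, so the exact placement needs checking against the full function.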
@@ -532,6 +553,7 @@ PS_SERIALIZER_DECODE_FUNC(php)	
 			zval_ptr_dtor(&current);
 		}
 		PS_ADD_VARL(name, namelen);
+skip:
 		efree(name);
 		
 		p = q;
@@ -672,7 +694,7 @@ PHPAPI char *php_session_create_id(PS_CR
 	buf = emalloc(100);
 
 	/* maximum 15+19+19+10 bytes */	
-	sprintf(buf, "%.15s%ld%ld%0.8f", remote_addr ? remote_addr : "", 
+	sprintf(buf, "%.15s%ld%ld%0.8F", remote_addr ? remote_addr : "", 
 			tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10);
 
 	switch (PS(hash_func)) {
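Review bot: The `sprintf` into the 100-byte `buf` remains unbounded, and the only justification is the `/* maximum 15+19+19+10 bytes */` comment above it. The margin is ample, but `snprintf(buf, 100, ...)`, ideally with a named size shared with the `emalloc(100)`, would enforce the bound rather than assert it. The change from `%0.8f` to `%0.8F` is also unexplained; a one-line comment stating why the upper-case conversion is required would stop it being reverted as a typo.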
@@ -1435,6 +1457,11 @@ PHP_FUNCTION(session_save_path)
 
 	if (ac == 1) {
 		convert_to_string_ex(p_name);
+		if (memchr(Z_STRVAL_PP(p_name), '\0', Z_STRLEN_PP(p_name)) != NULL) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "The save_path cannot contain NULL characters.");
+			efree(old);
+			RETURN_FALSE;
+		}
 		zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 	}
 	
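Review bot: The NUL-byte check sits in the `session_save_path()` wrapper just before `zend_alter_ini_entry`, so it protects only this one entry point. If `session.save_path` can also be changed at runtime through the generic ini interface (not visible in this hunk), that route would still accept an embedded NUL. Consider moving the `memchr` test into the ini entry's modify handler so every setter shares it. The message would also be more precise as "NUL bytes" than "NULL characters". `old` is allocated outside the hunk, so the `efree(old)` on the error path cannot be verified from here.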
diff -Nurp orig/main/php_variables.c new/main/php_variables.c
--- orig/main/php_variables.c	2007-02-21 09:31:20.000000000 +0100
+++ new/main/php_variables.c	2007-02-21 09:32:31.000000000 +0100
@@ -611,8 +611,6 @@ int php_hash_environment(TSRMLS_D)
 {
 	char *p;
 	unsigned char _gpc_flags[5] = {0, 0, 0, 0, 0};
-	zval *dummy_track_vars_array = NULL;
-	zend_bool initialized_dummy_track_vars_array=0;
 	zend_bool jit_initialization = (PG(auto_globals_jit) && !PG(register_globals) && !PG(register_long_arrays));
 	struct auto_global_record {
 		char *name;
@@ -703,15 +701,9 @@ int php_hash_environment(TSRMLS_D)
 			continue;
 		}
 		if (!PG(http_globals)[i]) {
-			if (!initialized_dummy_track_vars_array) {
-				ALLOC_ZVAL(dummy_track_vars_array);
-				array_init(dummy_track_vars_array);
-				INIT_PZVAL(dummy_track_vars_array);
-				initialized_dummy_track_vars_array = 1;
-			} else {
-				dummy_track_vars_array->refcount++;
-			}
-			PG(http_globals)[i] = dummy_track_vars_array;
+			ALLOC_ZVAL(PG(http_globals)[i]);
+			array_init(PG(http_globals)[i]);
+			INIT_PZVAL(PG(http_globals)[i]);
 		}
 
 		PG(http_globals)[i]->refcount++;
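Review bot: The new allocation in the `if (!PG(http_globals)[i])` branch has no comment explaining why each empty slot now gets its own array instead of sharing one refcounted dummy, which is the substance of the change. Add something like `/* give every unset track-vars slot its own empty array; a shared zval would make the slots alias each other */` above `ALLOC_ZVAL`. `INIT_PZVAL` followed by the unchanged `refcount++` below leaves each fresh array at refcount 2, the same as the old first-use path; it is worth confirming that is still intended now that nothing else shares the zval. php_hash_environment continues outside the hunk.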
