Allow uppercase letters in PHP sessionid format

[github/shaarli/Shaarli.git] / application / Utils.php

diff --git a/application/Utils.php b/application/Utils.php
old mode 100644 (file)
new mode 100755 (executable)
index cd4724f..cb03f11
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion)
         );
     }
 }
-?>
+
+/**
+ * Validate session ID to prevent Full Path Disclosure.
+ * See #298.
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ */
+function is_session_id_valid($sessionId)
+{
+    if (empty($sessionId)) {
+        return false;
+    }
+
+    if (!$sessionId) {
+        return false;
+    }
+
+    if (!preg_match('/^[a-z0-9]{2,32}$/i', $sessionId)) {
+        return false;
+    }
+
+    return true;
+}