X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2FSessionManager.php;h=3aa4ddfc7be9f80866538f0f73f4512beaf52af8;hb=fd7d84616d53486c3a276a42da869390e1d7f5eb;hp=2083df4279ac277c24066b340b30a29462397840;hpb=ebd650c06c67a67da2a0d099f625b6a7ec62ab2b;p=github%2Fshaarli%2FShaarli.git
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 2083df42..3aa4ddfc 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -50,4 +50,34 @@ class SessionManager
 unset($this->session['tokens'][$token]);
 return true;
 }
+
+ /**
+ * Validate session ID to prevent Full Path Disclosure.
+ *
+ * See #298.
+ * The session ID's format depends on the hash algorithm set in PHP settings
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ *
+ * @see http://php.net/manual/en/function.hash-algos.php
+ * @see http://php.net/manual/en/session.configuration.php
+ */
+ public static function checkId($sessionId)
+ {
+ if (empty($sessionId)) {
+ return false;
+ }
+
+ if (!$sessionId) {
+ return false;
+ }
+
+ if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+ return false;
+ }
+
+ return true;
+ }
 }
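Review bot: The `$` anchor in the new checkId() pattern matches before a trailing newline in PCRE, so a value such as `"abcd\n"` (constructed example) passes validation even though the newline is outside the allowed character class; end the pattern with the `D` modifier, `'/^[a-zA-Z0-9,-]{2,128}$/D'`, or anchor with `\z`, so the whole string is constrained. The `if (!$sessionId)` block that follows `empty($sessionId)` is unreachable, since every value `empty()` rejects is also falsy, and can be dropped. The docblock line `@return true if valid, false otherwise.` should read `@return bool true if valid, false otherwise.` so the declared type is parseable. The first three context lines are the tail of a method whose start is outside the hunk.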