X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2FSessionManager.php;h=71f0b38dc227e38e2a9022a5c6c7a417060db935;hb=7a205fb21c698380afdf91dfacb83d6d918ce656;hp=2083df4279ac277c24066b340b30a29462397840;hpb=ebd650c06c67a67da2a0d099f625b6a7ec62ab2b;p=github%2Fshaarli%2FShaarli.git
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 2083df42..71f0b38d 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -12,12 +12,12 @@ class SessionManager
 * Constructor
 *
 * @param array $session The $_SESSION array (reference)
- * @param ConfigManager $conf ConfigManager instance (reference)
+ * @param ConfigManager $conf ConfigManager instance
 */
- public function __construct(& $session, & $conf)
+ public function __construct(& $session, $conf)
 {
 $this->session = &$session;
- $this->conf = &$conf;
+ $this->conf = $conf;
 }
 
 /**
@@ -50,4 +50,34 @@ class SessionManager
 unset($this->session['tokens'][$token]);
 return true;
 }
+
+ /**
+ * Validate session ID to prevent Full Path Disclosure.
+ *
+ * See #298.
+ * The session ID's format depends on the hash algorithm set in PHP settings
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ *
+ * @see http://php.net/manual/en/function.hash-algos.php
+ * @see http://php.net/manual/en/session.configuration.php
+ */
+ public static function checkId($sessionId)
+ {
+ if (empty($sessionId)) {
+ return false;
+ }
+
+ if (!$sessionId) {
+ return false;
+ }
+
+ if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+ return false;
+ }
+
+ return true;
+ }
 }
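Review bot: The new signature `public function __construct(& $session, $conf)` drops the reference on `$conf` but still takes it untyped, so nothing enforces the `ConfigManager` the docblock promises; `public function __construct(& $session, ConfigManager $conf)` would make a wrong argument fail at construction rather than at first use. `$session` stays by reference, which the docblock still documents and is presumably intended so the class writes through to `$_SESSION`. Whether the rest of the class uses parameter type declarations is not visible in this hunk.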
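Review bot: In `checkId`, the `if (!$sessionId)` guard is dead code: every value it rejects was already rejected by `empty($sessionId)` two lines above, and the regex itself rejects the empty string, so the body collapses to `return (bool) preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId);` with identical results for every input. The docblock line `@return true if valid, false otherwise.` names a value where doc tools expect a type; `@return bool true if valid, false otherwise.` reads correctly, and the declaration could carry `string`/`bool` types if the class uses them elsewhere. The `{2,128}` upper bound should be checked against the `session.sid_length` range on the session configuration page the docblock links (I believe it allows IDs longer than 128 characters on PHP 7.1+), since an ID above the bound is reported as invalid; a comment such as `// upper bound must cover the largest configurable session.sid_length` would record that assumption.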