Avoid Full Path Disclosure error on session error.

[github/shaarli/Shaarli.git] / application / Utils.php

diff --git a/application/Utils.php b/application/Utils.php
index cd4724fa388fe7de20eaa12bc97189cea993f119..fa18f1588b278352554dbf85312980f4be6289e8 100644 (file)
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion)
         );
     }
 }
-?>
+
+/**
+ * Validate session ID to prevent Full Path Disclosure.
+ * See #298.
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ */
+function is_session_id_valid($sessionId)
+{
+    if (empty($sessionId)) {
+        return false;
+    }
+
+    if (!$sessionId) {
+        return false;
+    }
+
+    if (!preg_match('/^[a-z0-9]{2,32}$/', $sessionId)) {
+        return false;
+    }
+
+    return true;
+}