Move session ID check to SessionManager

Relates to https://github.com/shaarli/Shaarli/issues/324 Changed: - `is_session_id_valid()` -> `SessionManager::checkId()` - update tests Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2017-10-22 19:54:44 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2017-10-22 19:54:44 +0200
commit: fd7d84616d53486c3a276a42da869390e1d7f5eb (patch)
tree: 215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application/SessionManager.php
parent: ebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff)
download: Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz
Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst
Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip
1 files changed, 30 insertions, 0 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 2083df42..3aa4ddfc 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -50,4 +50,34 @@ class SessionManager
        unset($this->session['tokens'][$token]);
        return true;
    }
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+        if (!$sessionId) {
+            return false;
+        }
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+        return true;
+    }
 }
author	VirtualTam <virtualtam@flibidi.net>	2017-10-22 19:54:44 +0200
committer	VirtualTam <virtualtam@flibidi.net>	2017-10-22 19:54:44 +0200
commit	fd7d84616d53486c3a276a42da869390e1d7f5eb (patch)
tree	215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application/SessionManager.php
parent	ebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff)
download	Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip

diff --git a/application/SessionManager.php b/application/SessionManager.php index 2083df42..3aa4ddfc 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php
@@ -50,4 +50,34 @@ class SessionManager
50	unset($this->session['tokens'][$token]);	50	unset($this->session['tokens'][$token]);
51	return true;	51	return true;
52	}	52	}
		53
		54	/**
		55	* Validate session ID to prevent Full Path Disclosure.
		56	*
		57	* See #298.
		58	* The session ID's format depends on the hash algorithm set in PHP settings
		59	*
		60	* @param string $sessionId Session ID
		61	*
		62	* @return true if valid, false otherwise.
		63	*
		64	* @see http://php.net/manual/en/function.hash-algos.php
		65	* @see http://php.net/manual/en/session.configuration.php
		66	*/
		67	public static function checkId($sessionId)
		68	{
		69	if (empty($sessionId)) {
		70	return false;
		71	}
		72
		73	if (!$sessionId) {
		74	return false;
		75	}
		76
		77	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
		78	return false;
		79	}
		80
		81	return true;
		82	}
53	}	83	}