aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/SessionManager.php
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2017-10-22 19:54:44 +0200
committerVirtualTam <virtualtam@flibidi.net>2017-10-22 19:54:44 +0200
commitfd7d84616d53486c3a276a42da869390e1d7f5eb (patch)
tree215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application/SessionManager.php
parentebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff)
downloadShaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz
Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst
Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip
Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324 Changed: - `is_session_id_valid()` -> `SessionManager::checkId()` - update tests Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/SessionManager.php')
-rw-r--r--application/SessionManager.php30
1 files changed, 30 insertions, 0 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 2083df42..3aa4ddfc 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -50,4 +50,34 @@ class SessionManager
50 unset($this->session['tokens'][$token]); 50 unset($this->session['tokens'][$token]);
51 return true; 51 return true;
52 } 52 }
53
54 /**
55 * Validate session ID to prevent Full Path Disclosure.
56 *
57 * See #298.
58 * The session ID's format depends on the hash algorithm set in PHP settings
59 *
60 * @param string $sessionId Session ID
61 *
62 * @return true if valid, false otherwise.
63 *
64 * @see http://php.net/manual/en/function.hash-algos.php
65 * @see http://php.net/manual/en/session.configuration.php
66 */
67 public static function checkId($sessionId)
68 {
69 if (empty($sessionId)) {
70 return false;
71 }
72
73 if (!$sessionId) {
74 return false;
75 }
76
77 if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
78 return false;
79 }
80
81 return true;
82 }
53} 83}