diff options
author | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
commit | fd7d84616d53486c3a276a42da869390e1d7f5eb (patch) | |
tree | 215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application/SessionManager.php | |
parent | ebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff) | |
download | Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip |
Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324
Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/SessionManager.php')
-rw-r--r-- | application/SessionManager.php | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php index 2083df42..3aa4ddfc 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php | |||
@@ -50,4 +50,34 @@ class SessionManager | |||
50 | unset($this->session['tokens'][$token]); | 50 | unset($this->session['tokens'][$token]); |
51 | return true; | 51 | return true; |
52 | } | 52 | } |
53 | |||
54 | /** | ||
55 | * Validate session ID to prevent Full Path Disclosure. | ||
56 | * | ||
57 | * See #298. | ||
58 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
59 | * | ||
60 | * @param string $sessionId Session ID | ||
61 | * | ||
62 | * @return true if valid, false otherwise. | ||
63 | * | ||
64 | * @see http://php.net/manual/en/function.hash-algos.php | ||
65 | * @see http://php.net/manual/en/session.configuration.php | ||
66 | */ | ||
67 | public static function checkId($sessionId) | ||
68 | { | ||
69 | if (empty($sessionId)) { | ||
70 | return false; | ||
71 | } | ||
72 | |||
73 | if (!$sessionId) { | ||
74 | return false; | ||
75 | } | ||
76 | |||
77 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
78 | return false; | ||
79 | } | ||
80 | |||
81 | return true; | ||
82 | } | ||
53 | } | 83 | } |