diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2015-07-25 13:15:47 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2015-08-22 10:10:55 +0200 |
| commit | 06b6660a7e8891c6e1c47815cf50ee5b2ef5f270 (patch) | |
| tree | b496ead047ccedb898c1917ee98d95c9cbde179c /application/Utils.php | |
| parent | d7efade5d651ec60a05a86baa53f99188ad5d72c (diff) | |
| download | Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.tar.gz Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.tar.zst Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.zip | |
Avoid Full Path Disclosure error on session error.
* Add a function to validate session ID.
* Generate a new session ID if an invalid token is passed.
Diffstat (limited to 'application/Utils.php')
| -rw-r--r-- | application/Utils.php | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/application/Utils.php b/application/Utils.php index cd4724fa..fa18f158 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
| @@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion) | |||
| 137 | ); | 137 | ); |
| 138 | } | 138 | } |
| 139 | } | 139 | } |
| 140 | ?> | 140 | |
| 141 | /** | ||
| 142 | * Validate session ID to prevent Full Path Disclosure. | ||
| 143 | * See #298. | ||
| 144 | * | ||
| 145 | * @param string $sessionId Session ID | ||
| 146 | * | ||
| 147 | * @return true if valid, false otherwise. | ||
| 148 | */ | ||
| 149 | function is_session_id_valid($sessionId) | ||
| 150 | { | ||
| 151 | if (empty($sessionId)) { | ||
| 152 | return false; | ||
| 153 | } | ||
| 154 | |||
| 155 | if (!$sessionId) { | ||
| 156 | return false; | ||
| 157 | } | ||
| 158 | |||
| 159 | if (!preg_match('/^[a-z0-9]{2,32}$/', $sessionId)) { | ||
| 160 | return false; | ||
| 161 | } | ||
| 162 | |||
| 163 | return true; | ||
| 164 | } | ||