author | ArthurHoaro <arthur@hoa.ro> | 2015-07-25 13:15:47 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2015-08-22 10:10:55 +0200 |
commit | 06b6660a7e8891c6e1c47815cf50ee5b2ef5f270 (patch) | |
tree | b496ead047ccedb898c1917ee98d95c9cbde179c /application | |
parent | d7efade5d651ec60a05a86baa53f99188ad5d72c (diff) | |
download | Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.tar.gz Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.tar.zst Shaarli-06b6660a7e8891c6e1c47815cf50ee5b2ef5f270.zip |
Avoid Full Path Disclosure error on session error.
* Add a function to validate session ID.
* Generate a new session ID if an invalid token is passed.
Diffstat (limited to 'application')
-rw-r--r-- | application/Utils.php | 26 |
1 files changed, 25 insertions, 1 deletions
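--- a/application/Utils.php
+++ b/application/Utils.php
@@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion)
 );
 }
 }
-?>
+
+/**
+* Validate session ID to prevent Full Path Disclosure.
+* See #298.
+*
+* @param string $sessionId Session ID
+*
+* @return true if valid, false otherwise.
+*/
+function is_session_id_valid($sessionId)
+{
+if (empty($sessionId)) {
+return false;
+}
+
+if (!$sessionId) {
+return false;
+}
+
+if (!preg_match('/^[a-z0-9]{2,32}$/', $sessionId)) {
+return false;
+}
+
+return true;
+}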
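Review bot: The pattern `/^[a-z0-9]{2,32}$/` in the `preg_match` call is narrower than the IDs PHP itself generates on some configurations: with `session.hash_bits_per_character = 6` the alphabet also contains uppercase letters, `,` and `-`, and with `session.hash_function` set to sha1 a 4-bit encoding yields 40 characters, so on such an installation every genuine ID would fail this check and, per the commit description, the session would be regenerated on every request and never persist. A broader allow-list such as `preg_match('/^[a-zA-Z0-9,-]{2,128}\z/', $sessionId)` keeps the path-disclosure fix while accepting all of PHP's own encodings; `\z` (or the `D` modifier) also closes the gap where `$` accepts a trailing newline before end of string. Separately, the `if (!$sessionId)` block is unreachable, because `empty($sessionId)` above it already returns on every falsy value, so it can be dropped. The docblock's `@return true if valid, false otherwise.` would read better as `@return bool true if valid, false otherwise.` so documentation tools pick up the type.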