diff options
author | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
commit | fd7d84616d53486c3a276a42da869390e1d7f5eb (patch) | |
tree | 215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application | |
parent | ebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff) | |
download | Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip |
Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324
Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application')
-rw-r--r-- | application/SessionManager.php | 30 | ||||
-rw-r--r-- | application/Utils.php | 30 |
2 files changed, 30 insertions, 30 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php index 2083df42..3aa4ddfc 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php | |||
@@ -50,4 +50,34 @@ class SessionManager | |||
50 | unset($this->session['tokens'][$token]); | 50 | unset($this->session['tokens'][$token]); |
51 | return true; | 51 | return true; |
52 | } | 52 | } |
53 | |||
54 | /** | ||
55 | * Validate session ID to prevent Full Path Disclosure. | ||
56 | * | ||
57 | * See #298. | ||
58 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
59 | * | ||
60 | * @param string $sessionId Session ID | ||
61 | * | ||
62 | * @return true if valid, false otherwise. | ||
63 | * | ||
64 | * @see http://php.net/manual/en/function.hash-algos.php | ||
65 | * @see http://php.net/manual/en/session.configuration.php | ||
66 | */ | ||
67 | public static function checkId($sessionId) | ||
68 | { | ||
69 | if (empty($sessionId)) { | ||
70 | return false; | ||
71 | } | ||
72 | |||
73 | if (!$sessionId) { | ||
74 | return false; | ||
75 | } | ||
76 | |||
77 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
78 | return false; | ||
79 | } | ||
80 | |||
81 | return true; | ||
82 | } | ||
53 | } | 83 | } |
diff --git a/application/Utils.php b/application/Utils.php index 2f38a8de..97b12fcf 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
@@ -182,36 +182,6 @@ function generateLocation($referer, $host, $loopTerms = array()) | |||
182 | } | 182 | } |
183 | 183 | ||
184 | /** | 184 | /** |
185 | * Validate session ID to prevent Full Path Disclosure. | ||
186 | * | ||
187 | * See #298. | ||
188 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
189 | * | ||
190 | * @param string $sessionId Session ID | ||
191 | * | ||
192 | * @return true if valid, false otherwise. | ||
193 | * | ||
194 | * @see http://php.net/manual/en/function.hash-algos.php | ||
195 | * @see http://php.net/manual/en/session.configuration.php | ||
196 | */ | ||
197 | function is_session_id_valid($sessionId) | ||
198 | { | ||
199 | if (empty($sessionId)) { | ||
200 | return false; | ||
201 | } | ||
202 | |||
203 | if (!$sessionId) { | ||
204 | return false; | ||
205 | } | ||
206 | |||
207 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
208 | return false; | ||
209 | } | ||
210 | |||
211 | return true; | ||
212 | } | ||
213 | |||
214 | /** | ||
215 | * Sniff browser language to set the locale automatically. | 185 | * Sniff browser language to set the locale automatically. |
216 | * Note that is may not work on your server if the corresponding locale is not installed. | 186 | * Note that is may not work on your server if the corresponding locale is not installed. |
217 | * | 187 | * |