diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2017-10-22 19:54:44 +0200 |
| commit | fd7d84616d53486c3a276a42da869390e1d7f5eb (patch) | |
| tree | 215f22ad244d734d77c3dd4a38f52da689fa6dd7 /application | |
| parent | ebd650c06c67a67da2a0d099f625b6a7ec62ab2b (diff) | |
| download | Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.gz Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.tar.zst Shaarli-fd7d84616d53486c3a276a42da869390e1d7f5eb.zip | |
Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324
Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application')
| -rw-r--r-- | application/SessionManager.php | 30 | ||||
| -rw-r--r-- | application/Utils.php | 30 |
2 files changed, 30 insertions, 30 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php index 2083df42..3aa4ddfc 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php | |||
| @@ -50,4 +50,34 @@ class SessionManager | |||
| 50 | unset($this->session['tokens'][$token]); | 50 | unset($this->session['tokens'][$token]); |
| 51 | return true; | 51 | return true; |
| 52 | } | 52 | } |
| 53 | |||
| 54 | /** | ||
| 55 | * Validate session ID to prevent Full Path Disclosure. | ||
| 56 | * | ||
| 57 | * See #298. | ||
| 58 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
| 59 | * | ||
| 60 | * @param string $sessionId Session ID | ||
| 61 | * | ||
| 62 | * @return true if valid, false otherwise. | ||
| 63 | * | ||
| 64 | * @see http://php.net/manual/en/function.hash-algos.php | ||
| 65 | * @see http://php.net/manual/en/session.configuration.php | ||
| 66 | */ | ||
| 67 | public static function checkId($sessionId) | ||
| 68 | { | ||
| 69 | if (empty($sessionId)) { | ||
| 70 | return false; | ||
| 71 | } | ||
| 72 | |||
| 73 | if (!$sessionId) { | ||
| 74 | return false; | ||
| 75 | } | ||
| 76 | |||
| 77 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
| 78 | return false; | ||
| 79 | } | ||
| 80 | |||
| 81 | return true; | ||
| 82 | } | ||
| 53 | } | 83 | } |
diff --git a/application/Utils.php b/application/Utils.php index 2f38a8de..97b12fcf 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
| @@ -182,36 +182,6 @@ function generateLocation($referer, $host, $loopTerms = array()) | |||
| 182 | } | 182 | } |
| 183 | 183 | ||
| 184 | /** | 184 | /** |
| 185 | * Validate session ID to prevent Full Path Disclosure. | ||
| 186 | * | ||
| 187 | * See #298. | ||
| 188 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
| 189 | * | ||
| 190 | * @param string $sessionId Session ID | ||
| 191 | * | ||
| 192 | * @return true if valid, false otherwise. | ||
| 193 | * | ||
| 194 | * @see http://php.net/manual/en/function.hash-algos.php | ||
| 195 | * @see http://php.net/manual/en/session.configuration.php | ||
| 196 | */ | ||
| 197 | function is_session_id_valid($sessionId) | ||
| 198 | { | ||
| 199 | if (empty($sessionId)) { | ||
| 200 | return false; | ||
| 201 | } | ||
| 202 | |||
| 203 | if (!$sessionId) { | ||
| 204 | return false; | ||
| 205 | } | ||
| 206 | |||
| 207 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
| 208 | return false; | ||
| 209 | } | ||
| 210 | |||
| 211 | return true; | ||
| 212 | } | ||
| 213 | |||
| 214 | /** | ||
| 215 | * Sniff browser language to set the locale automatically. | 185 | * Sniff browser language to set the locale automatically. |
| 216 | * Note that is may not work on your server if the corresponding locale is not installed. | 186 | * Note that is may not work on your server if the corresponding locale is not installed. |
| 217 | * | 187 | * |