3 files changed, 87 insertions, 32 deletions
diff --git a/application/PageBuilder.php b/application/PageBuilder.php
index af290671..468f144b 100644
--- a/application/PageBuilder.php
+++ b/application/PageBuilder.php
@@ -32,12 +32,14 @@ class PageBuilder
     *
     * @param ConfigManager $conf   Configuration Manager instance (reference).
     * @param LinkDB        $linkDB instance.
+     * @param string        $token  Session token
     */
-    public function __construct(&$conf, $linkDB = null)
+    public function __construct(&$conf, $linkDB = null, $token = null)
    {
        $this->tpl = false;
        $this->conf = $conf;
        $this->linkDB = $linkDB;
+        $this->token = $token;
    }
    /**
@@ -92,7 +94,7 @@ class PageBuilder
        $this->tpl->assign('showatom', $this->conf->get('feed.show_atom', true));
        $this->tpl->assign('feed_type', $this->conf->get('feed.show_atom', true) !== false ? 'atom' : 'rss');
        $this->tpl->assign('hide_timestamps', $this->conf->get('privacy.hide_timestamps', false));
-        $this->tpl->assign('token', getToken($this->conf));
+        $this->tpl->assign('token', $this->token);
        if ($this->linkDB !== null) {
            $this->tpl->assign('tags', $this->linkDB->linksCountPerTag());
diff --git a/application/SessionManager.php b/application/SessionManager.php
new file mode 100644
index 00000000..3aa4ddfc
--- /dev/null
+++ b/application/SessionManager.php
@@ -0,0 +1,83 @@
+<?php
+namespace Shaarli;
+/**
+ * Manages the server-side session
+ */
+class SessionManager
+{
+    protected $session = [];
+    /**
+     * Constructor
+     *
+     * @param array         $session The $_SESSION array (reference)
+     * @param ConfigManager $conf    ConfigManager instance (reference)
+     */
+    public function __construct(& $session, & $conf)
+    {
+        $this->session = &$session;
+        $this->conf = &$conf;
+    }
+    /**
+     * Generates a session token
+     *
+     * @return string token
+     */
+    public function generateToken()
+    {
+        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+        $this->session['tokens'][$token] = 1;
+        return $token;
+    }
+    /**
+     * Checks the validity of a session token, and destroys it afterwards
+     *
+     * @param string $token The token to check
+     *
+     * @return bool true if the token is valid, else false
+     */
+    public function checkToken($token)
+    {
+        if (! isset($this->session['tokens'][$token])) {
+            // the token is wrong, or has already been used
+            return false;
+        }
+        // destroy the token to prevent future use
+        unset($this->session['tokens'][$token]);
+        return true;
+    }
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+        if (!$sessionId) {
+            return false;
+        }
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+        return true;
+    }
+}
diff --git a/application/Utils.php b/application/Utils.php
index 2f38a8de..97b12fcf 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -182,36 +182,6 @@ function generateLocation($referer, $host, $loopTerms = array())
 }
 /**
- * Validate session ID to prevent Full Path Disclosure.
- *
- * See #298.
- * The session ID's format depends on the hash algorithm set in PHP settings
- *
- * @param string $sessionId Session ID
- *
- * @return true if valid, false otherwise.
- *
- * @see http://php.net/manual/en/function.hash-algos.php
- * @see http://php.net/manual/en/session.configuration.php
- */
-function is_session_id_valid($sessionId)
-{
-    if (empty($sessionId)) {
-        return false;
-    }
-    if (!$sessionId) {
-        return false;
-    }
-    if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
-        return false;
-    }
-    return true;
-}
-/**
 * Sniff browser language to set the locale automatically.
 * Note that is may not work on your server if the corresponding locale is not installed.
 *

diff --git a/application/PageBuilder.php b/application/PageBuilder.php index af290671..468f144b 100644 --- a/application/PageBuilder.php +++ b/application/PageBuilder.php
@@ -32,12 +32,14 @@ class PageBuilder
32	*	32	*
33	* @param ConfigManager $conf Configuration Manager instance (reference).	33	* @param ConfigManager $conf Configuration Manager instance (reference).
34	* @param LinkDB $linkDB instance.	34	* @param LinkDB $linkDB instance.
		35	* @param string $token Session token
35	*/	36	*/
36	public function __construct(&$conf, $linkDB = null)	37	public function __construct(&$conf, $linkDB = null, $token = null)
37	{	38	{
38	$this->tpl = false;	39	$this->tpl = false;
39	$this->conf = $conf;	40	$this->conf = $conf;
40	$this->linkDB = $linkDB;	41	$this->linkDB = $linkDB;
		42	$this->token = $token;
41	}	43	}
42		44
43	/**	45	/**
@@ -92,7 +94,7 @@ class PageBuilder
92	$this->tpl->assign('showatom', $this->conf->get('feed.show_atom', true));	94	$this->tpl->assign('showatom', $this->conf->get('feed.show_atom', true));
93	$this->tpl->assign('feed_type', $this->conf->get('feed.show_atom', true) !== false ? 'atom' : 'rss');	95	$this->tpl->assign('feed_type', $this->conf->get('feed.show_atom', true) !== false ? 'atom' : 'rss');
94	$this->tpl->assign('hide_timestamps', $this->conf->get('privacy.hide_timestamps', false));	96	$this->tpl->assign('hide_timestamps', $this->conf->get('privacy.hide_timestamps', false));
95	$this->tpl->assign('token', getToken($this->conf));	97	$this->tpl->assign('token', $this->token);
96		98
97	if ($this->linkDB !== null) {	99	if ($this->linkDB !== null) {
98	$this->tpl->assign('tags', $this->linkDB->linksCountPerTag());	100	$this->tpl->assign('tags', $this->linkDB->linksCountPerTag());


diff --git a/application/SessionManager.php b/application/SessionManager.php new file mode 100644 index 00000000..3aa4ddfc --- /dev/null +++ b/application/SessionManager.php
@@ -0,0 +1,83 @@
		1	<?php
		2	namespace Shaarli;
		3
		4	/**
		5	* Manages the server-side session
		6	*/
		7	class SessionManager
		8	{
		9	protected $session = [];
		10
		11	/**
		12	* Constructor
		13	*
		14	* @param array $session The $_SESSION array (reference)
		15	* @param ConfigManager $conf ConfigManager instance (reference)
		16	*/
		17	public function __construct(& $session, & $conf)
		18	{
		19	$this->session = &$session;
		20	$this->conf = &$conf;
		21	}
		22
		23	/**
		24	* Generates a session token
		25	*
		26	* @return string token
		27	*/
		28	public function generateToken()
		29	{
		30	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
		31	$this->session['tokens'][$token] = 1;
		32	return $token;
		33	}
		34
		35	/**
		36	* Checks the validity of a session token, and destroys it afterwards
		37	*
		38	* @param string $token The token to check
		39	*
		40	* @return bool true if the token is valid, else false
		41	*/
		42	public function checkToken($token)
		43	{
		44	if (! isset($this->session['tokens'][$token])) {
		45	// the token is wrong, or has already been used
		46	return false;
		47	}
		48
		49	// destroy the token to prevent future use
		50	unset($this->session['tokens'][$token]);
		51	return true;
		52	}
		53
		54	/**
		55	* Validate session ID to prevent Full Path Disclosure.
		56	*
		57	* See #298.
		58	* The session ID's format depends on the hash algorithm set in PHP settings
		59	*
		60	* @param string $sessionId Session ID
		61	*
		62	* @return true if valid, false otherwise.
		63	*
		64	* @see http://php.net/manual/en/function.hash-algos.php
		65	* @see http://php.net/manual/en/session.configuration.php
		66	*/
		67	public static function checkId($sessionId)
		68	{
		69	if (empty($sessionId)) {
		70	return false;
		71	}
		72
		73	if (!$sessionId) {
		74	return false;
		75	}
		76
		77	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
		78	return false;
		79	}
		80
		81	return true;
		82	}
		83	}


diff --git a/application/Utils.php b/application/Utils.php index 2f38a8de..97b12fcf 100644 --- a/application/Utils.php +++ b/application/Utils.php
@@ -182,36 +182,6 @@ function generateLocation($referer, $host, $loopTerms = array())
182	}	182	}
183		183
184	/**	184	/**
185	* Validate session ID to prevent Full Path Disclosure.
186	*
187	* See #298.
188	* The session ID's format depends on the hash algorithm set in PHP settings
189	*
190	* @param string $sessionId Session ID
191	*
192	* @return true if valid, false otherwise.
193	*
194	* @see http://php.net/manual/en/function.hash-algos.php
195	* @see http://php.net/manual/en/session.configuration.php
196	*/
197	function is_session_id_valid($sessionId)
198	{
199	if (empty($sessionId)) {
200	return false;
201	}
202
203	if (!$sessionId) {
204	return false;
205	}
206
207	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
208	return false;
209	}
210
211	return true;
212	}
213
214	/**
215	* Sniff browser language to set the locale automatically.	185	* Sniff browser language to set the locale automatically.
216	* Note that is may not work on your server if the corresponding locale is not installed.	186	* Note that is may not work on your server if the corresponding locale is not installed.
217	*	187	*