From ebd650c06c67a67da2a0d099f625b6a7ec62ab2b Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Sun, 22 Oct 2017 18:44:46 +0200
Subject: Refactor session token management
Relates to https://github.com/shaarli/Shaarli/issues/324
Added:
- `SessionManager` class to group session-related features
- unit tests
Changed:
- `getToken()` -> `SessionManager->generateToken()`
- `tokenOk()` -> `SessionManager->checkToken()`
- inject a `$token` parameter to `PageBuilder`'s constructor
Signed-off-by: VirtualTam
---
 application/SessionManager.php | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 application/SessionManager.php
(limited to 'application/SessionManager.php')
diff --git a/application/SessionManager.php b/application/SessionManager.php
new file mode 100644
index 00000000..2083df42
--- /dev/null
+++ b/application/SessionManager.php
@@ -0,0 +1,53 @@
+session = &$session;
+ $this->conf = &$conf;
+ }
+
+ /**
+ * Generates a session token
+ *
+ * @return string token
+ */
+ public function generateToken()
+ {
+ $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+ $this->session['tokens'][$token] = 1;
+ return $token;
+ }
+
+ /**
+ * Checks the validity of a session token, and destroys it afterwards
+ *
+ * @param string $token The token to check
+ *
+ * @return bool true if the token is valid, else false
+ */
+ public function checkToken($token)
+ {
+ if (! isset($this->session['tokens'][$token])) {
+ // the token is wrong, or has already been used
+ return false;
+ }
+
+ // destroy the token to prevent future use
+ unset($this->session['tokens'][$token]);
+ return true;
+ }
+}
-- cgit v1.2.3
From fd7d84616d53486c3a276a42da869390e1d7f5eb Mon Sep 17 00:00:00 2001
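Review bot: The token built in generateToken() comes from uniqid() and mt_rand(), neither of which is a cryptographically secure source, so its unpredictability rests entirely on `credentials.salt` staying secret; since the commit wires this value into PageBuilder and checkToken() appears to treat possession of it as proof the request came from the site's own form, a CSPRNG is the right source, e.g. `$token = bin2hex(random_bytes(20));` where the project's PHP floor (or a polyfill) provides random_bytes, which also removes the need to mix in the salt. A smaller point: every call adds an entry to `$this->session['tokens']` and entries are only removed by a successful checkToken(), so tokens from forms that are rendered but never submitted accumulate for the lifetime of the session; capping the number of stored tokens would bound that growth. The file header, class declaration, property declarations and the start of the constructor are not visible on this page — the hunk announces 53 lines but its first readable line is `+session = &$session;` — so that part of SessionManager cannot be reviewed here.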
From: VirtualTam
Date: Sun, 22 Oct 2017 19:54:44 +0200
Subject: Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324
Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests
Signed-off-by: VirtualTam
---
 application/SessionManager.php | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'application/SessionManager.php')
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 2083df42..3aa4ddfc 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -50,4 +50,34 @@ class SessionManager
 unset($this->session['tokens'][$token]);
 return true;
 }
+
+ /**
+ * Validate session ID to prevent Full Path Disclosure.
+ *
+ * See #298.
+ * The session ID's format depends on the hash algorithm set in PHP settings
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ *
+ * @see http://php.net/manual/en/function.hash-algos.php
+ * @see http://php.net/manual/en/session.configuration.php
+ */
+ public static function checkId($sessionId)
+ {
+ if (empty($sessionId)) {
+ return false;
+ }
+
+ if (!$sessionId) {
+ return false;
+ }
+
+ if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+ return false;
+ }
+
+ return true;
+ }
 }
-- cgit v1.2.3
From dd883aaf0999e9dc783a1a19bfeeab181c949d55 Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Wed, 8 Nov 2017 20:24:49 +0100
Subject: Improve SessionManager constructor and tests
Relates to https://github.com/shaarli/Shaarli/pull/1005
Changed:
- pass a copy of the ConfigManager instance instead of a reference
- move FakeConfigManager to a dedicated file
- update tests
Signed-off-by: VirtualTam
---
 application/SessionManager.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'application/SessionManager.php')
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 3aa4ddfc..71f0b38d 100644
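Review bot: The pattern `'/^[a-zA-Z0-9,-]{2,128}$/'` in checkId() accepts an ID that ends in a newline, because PCRE's `$` also matches just before a final `\n` unless the `D` modifier is set, so the value the caller goes on to use is not exactly the one that was validated; anchoring with `'/^[a-zA-Z0-9,-]{2,128}\z/'` (or adding `D`) closes that gap. The second guard, `if (!$sessionId)`, can never reject anything the preceding `empty($sessionId)` did not already reject, since `empty()` is true for every falsy value, so one of the two should go. The docblock line `@return true if valid, false otherwise.` should read `@return bool true if valid, false otherwise.` so the return type is parseable by tooling.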
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -12,12 +12,12 @@ class SessionManager
 * Constructor
 *
 * @param array $session The $_SESSION array (reference)
- * @param ConfigManager $conf ConfigManager instance (reference)
+ * @param ConfigManager $conf ConfigManager instance
 */
- public function __construct(& $session, & $conf)
+ public function __construct(& $session, $conf)
 {
 $this->session = &$session;
- $this->conf = &$conf;
+ $this->conf = $conf;
 }

 /**
-- cgit v1.2.3
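Review bot: Dropping the `&` on `$conf` does not give SessionManager its own copy of the ConfigManager — PHP objects are passed by handle, so `$this->conf = $conf;` still shares the caller's instance and the commit title's "copy" overstates the change; the docblock could make that explicit, e.g. `@param ConfigManager $conf ConfigManager instance (shared object handle)`. While the signature is being touched, a native type declaration, `public function __construct(& $session, ConfigManager $conf)`, would enforce what the docblock promises; the commit message mentions a FakeConfigManager used by the tests, so this presumably requires that fake to extend or implement the same type, which is not visible here. The constructor is complete within the hunk; the enclosing class begins and ends outside it.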