From 06b6660a7e8891c6e1c47815cf50ee5b2ef5f270 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Sat, 25 Jul 2015 13:15:47 +0200
Subject: Avoid Full Path Disclosure error on session error.

  * Add a function to validate session ID.
  * Generate a new session ID if an invalid token is passed.
---
 application/Utils.php | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'application/Utils.php')

diff --git a/application/Utils.php b/application/Utils.php
index cd4724fa..fa18f158 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion)
         );
     }
 }
-?>
+
+/**
+ * Validate session ID to prevent Full Path Disclosure.
+ * See #298.
+ *
+ * @param string $sessionId Session ID
+ *
+ * @return true if valid, false otherwise.
+ */
+function is_session_id_valid($sessionId)
+{
+    if (empty($sessionId)) {
+        return false;
+    }
+
+    if (!$sessionId) {
+        return false;
+    }
+
+    if (!preg_match('/^[a-z0-9]{2,32}$/', $sessionId)) {
+        return false;
+    }
+
+    return true;
+}
-- 
cgit v1.2.3