From 06b6660a7e8891c6e1c47815cf50ee5b2ef5f270 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sat, 25 Jul 2015 13:15:47 +0200 Subject: Avoid Full Path Disclosure error on session error. * Add a function to validate session ID. * Generate a new session ID if an invalid token is passed. --- application/Utils.php | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'application') diff --git a/application/Utils.php b/application/Utils.php index cd4724fa..fa18f158 100644 --- a/application/Utils.php +++ b/application/Utils.php @@ -137,4 +137,28 @@ function checkPHPVersion($minVersion, $curVersion) ); } } -?> + +/** + * Validate session ID to prevent Full Path Disclosure. + * See #298. + * + * @param string $sessionId Session ID + * + * @return true if valid, false otherwise. + */ +function is_session_id_valid($sessionId) +{ + if (empty($sessionId)) { + return false; + } + + if (!$sessionId) { + return false; + } + + if (!preg_match('/^[a-z0-9]{2,32}$/', $sessionId)) { + return false; + } + + return true; +} -- cgit v1.2.3