From ed1d212ae2daea5e4bd043417610177093e99f19 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 16 Jan 2016 03:03:51 -0500
Subject: [PATCH] Improved SVG cleanup code
---
program/lib/Roundcube/rcube_session.php | 56 +++++++++++++++++++++++++++++++++++++-------------------
1 files changed, 37 insertions(+), 19 deletions(-)
diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index 2d26ad6..f0c012c 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -40,11 +40,12 @@
protected $reloaded = false;
protected $appends = array();
protected $unsets = array();
+ protected $gc_enabled = 0;
protected $gc_handlers = array();
protected $cookiename = 'roundcube_sessauth';
- protected $secret = '';
protected $ip_check = false;
protected $logging = false;
+
/**
* Blocks session data from being written to database.
@@ -85,9 +86,6 @@
public function __construct($config)
{
$this->config = $config;
-
- // set secret
- $this->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
// set ip check
$this->set_ip_check($this->config->get('ip_check'));
@@ -159,7 +157,7 @@
$oldvars = $this->get_cache($key);
// if there are cached vars, update store, else insert new data
- if ($oldvars !== null) {
+ if ($oldvars) {
$newvars = $this->_fixvars($vars, $oldvars);
return $this->update($key, $newvars, $oldvars);
}
@@ -221,7 +219,9 @@
{
// move gc execution to the script shutdown function
// see rcube::shutdown() and rcube_session::write_close()
- return $this->gc_enabled = $maxlifetime;
+ $this->gc_enabled = $maxlifetime;
+
+ return true;
}
/**
@@ -269,10 +269,11 @@
}
/**
- * see if we have vars of this key already cached, and if so, return them.
+ * See if we have vars of this key already cached, and if so, return them.
*
- * @param $key
- * @return null|array
+ * @param string $key Session ID
+ *
+ * @return string
*/
protected function get_cache($key)
{
@@ -287,11 +288,14 @@
else { // else read data again
$cache = $this->read($key);
}
+
return $cache;
}
/**
* Append the given value to the certain node in the session data array
+ *
+ * Warning: Do not use if you already modified $_SESSION in the same request (#1490608)
*
* @param string Path denoting the session variable where to append the value
* @param string Key name under which to append the new value (use null for appending to an indexed list)
@@ -319,8 +323,9 @@
$this->appends[] = $path;
// when overwriting a previously unset variable
- if ($this->unsets[$path])
+ if ($this->unsets[$path]) {
unset($this->unsets[$path]);
+ }
}
/**
@@ -376,7 +381,7 @@
$node[$k] = $value;
}
- if($this->key) {
+ if ($this->key) {
$data = $this->read($this->key);
}
@@ -398,7 +403,6 @@
}
}
}
-
}
/**
@@ -557,9 +561,19 @@
/**
* Setter for cookie encryption secret
*/
- function set_secret($secret)
+ function set_secret($secret = null)
{
- $this->secret = $secret;
+ // generate random hash and store in session
+ if (!$secret) {
+ if (!empty($_SESSION['auth_secret'])) {
+ $secret = $_SESSION['auth_secret'];
+ }
+ else {
+ $secret = rcube_utils::random_bytes(strlen($this->key));
+ }
+ }
+
+ $_SESSION['auth_secret'] = $secret;
}
/**
@@ -620,7 +634,7 @@
/**
* Set session authentication cookie
*/
- function set_auth_cookie()
+ public function set_auth_cookie()
{
$this->cookie = $this->_mkcookie($this->now);
rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
@@ -628,15 +642,19 @@
}
/**
- * Create session cookie from session data
+ * Create session cookie for specified time slot.
*
* @param int Time slot to use
+ *
* @return string
*/
- function _mkcookie($timeslot)
+ protected function _mkcookie($timeslot)
{
- $auth_string = "$this->key,$this->secret,$timeslot";
- return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
+ // make sure the secret key exists
+ $this->set_secret();
+
+ // no need to hash this, it's just a random string
+ return $_SESSION['auth_secret'] . '-' . $timeslot;
}
/**
--
Gitblit v1.9.1