From ed1d212ae2daea5e4bd043417610177093e99f19 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 16 Jan 2016 03:03:51 -0500
Subject: [PATCH] Improved SVG cleanup code
---
program/lib/Roundcube/rcube_session.php | 153 ++++++++++++++++++++++++++++++++------------------
1 files changed, 98 insertions(+), 55 deletions(-)
diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index 08a9dc3..f0c012c 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -1,6 +1,6 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2005-2014, The Roundcube Dev Team |
@@ -15,6 +15,7 @@
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
| Author: Aleksander Machniak <alec@alec.pl> |
+ | Author: Cor Bosman <cor@roundcu.be> |
+-----------------------------------------------------------------------+
*/
@@ -28,21 +29,23 @@
*/
abstract class rcube_session
{
+ protected $config;
protected $key;
protected $ip;
protected $changed;
protected $start;
- protected $time_diff = 0;
- protected $reloaded = false;
- protected $appends = array();
- protected $unsets = array();
- protected $gc_handlers = array();
- protected $cookiename = 'roundcube_sessauth';
protected $vars;
protected $now;
- protected $secret = '';
- protected $ip_check = false;
- protected $logging = false;
+ protected $time_diff = 0;
+ protected $reloaded = false;
+ protected $appends = array();
+ protected $unsets = array();
+ protected $gc_enabled = 0;
+ protected $gc_handlers = array();
+ protected $cookiename = 'roundcube_sessauth';
+ protected $ip_check = false;
+ protected $logging = false;
+
/**
* Blocks session data from being written to database.
@@ -50,7 +53,49 @@
* @var boolean
*/
public $nowrite = false;
-
+
+ /**
+ * Factory, returns driver-specific instance of the class
+ *
+ * @param object $config
+ * @return Object rcube_session
+ */
+ public static function factory($config)
+ {
+ // get session storage driver
+ $storage = $config->get('session_storage', 'db');
+
+ // class name for this storage
+ $class = "rcube_session_" . $storage;
+
+ // try to instantiate class
+ if (class_exists($class)) {
+ return new $class($config);
+ }
+
+ // no storage found, raise error
+ rcube::raise_error(array('code' => 604, 'type' => 'session',
+ 'line' => __LINE__, 'file' => __FILE__,
+ 'message' => "Failed to find session driver. Check session_storage config option"),
+ true, true);
+ }
+
+ /**
+ * @param Object $config
+ */
+ public function __construct($config)
+ {
+ $this->config = $config;
+
+ // set ip check
+ $this->set_ip_check($this->config->get('ip_check'));
+
+ // set cookie name
+ if ($this->config->get('session_auth_name')) {
+ $this->set_cookiename($this->config->get('session_auth_name'));
+ }
+ }
+
/**
* register session handler
*/
@@ -69,17 +114,16 @@
);
}
-
/**
* Wrapper for session_start()
*/
- public function start($config)
+ public function start()
{
$this->start = microtime(true);
$this->ip = rcube_utils::remote_addr();
- $this->logging = $config->get('log_session', false);
+ $this->logging = $this->config->get('log_session', false);
- $lifetime = $config->get('session_lifetime', 1) * 60;
+ $lifetime = $this->config->get('session_lifetime', 1) * 60;
$this->set_lifetime($lifetime);
session_start();
@@ -95,24 +139,25 @@
abstract function write($key, $vars);
abstract function update($key, $newvars, $oldvars);
-
/**
* session write handler. This calls the implementation methods for write/update after some initial checks.
*
* @param $key
* @param $vars
+ *
* @return bool
*/
public function sess_write($key, $vars)
{
- if ($this->nowrite)
+ if ($this->nowrite) {
return true;
+ }
// check cache
$oldvars = $this->get_cache($key);
// if there are cached vars, update store, else insert new data
- if ($oldvars !== null) {
+ if ($oldvars) {
$newvars = $this->_fixvars($vars, $oldvars);
return $this->update($key, $newvars, $oldvars);
}
@@ -120,7 +165,6 @@
return $this->write($key, $vars);
}
}
-
/**
* Wrapper for session_write_close()
@@ -175,7 +219,9 @@
{
// move gc execution to the script shutdown function
// see rcube::shutdown() and rcube_session::write_close()
- return $this->gc_enabled = $maxlifetime;
+ $this->gc_enabled = $maxlifetime;
+
+ return true;
}
/**
@@ -194,25 +240,17 @@
$this->gc_handlers[] = $func;
}
-
/**
* Garbage collector handler to run on script shutdown
*/
protected function gc_shutdown()
{
if ($this->gc_enabled) {
- // just delete all expired sessions
- if ($this->storage == 'db') {
- $this->db->query("DELETE FROM {$this->table_name}"
- . " WHERE `changed` < " . $this->db->now(-$this->gc_enabled));
- }
-
foreach ($this->gc_handlers as $fct) {
call_user_func($fct);
}
}
}
-
/**
* Generate and set new session id
@@ -231,10 +269,11 @@
}
/**
- * see if we have vars of this key already cached, and if so, return them.
+ * See if we have vars of this key already cached, and if so, return them.
*
- * @param $key
- * @return null|array
+ * @param string $key Session ID
+ *
+ * @return string
*/
protected function get_cache($key)
{
@@ -249,12 +288,14 @@
else { // else read data again
$cache = $this->read($key);
}
+
return $cache;
}
-
/**
* Append the given value to the certain node in the session data array
+ *
+ * Warning: Do not use if you already modified $_SESSION in the same request (#1490608)
*
* @param string Path denoting the session variable where to append the value
* @param string Key name under which to append the new value (use null for appending to an indexed list)
@@ -282,10 +323,10 @@
$this->appends[] = $path;
// when overwriting a previously unset variable
- if ($this->unsets[$path])
+ if ($this->unsets[$path]) {
unset($this->unsets[$path]);
+ }
}
-
/**
* Unset a session variable
@@ -314,18 +355,16 @@
return true;
}
-
/**
* Kill this session
*/
public function kill()
{
$this->vars = null;
- $this->ip = rcube_utils::remote_addr(); // update IP (might have changed)
+ $this->ip = rcube_utils::remote_addr(); // update IP (might have changed)
$this->destroy(session_id());
rcube_utils::setcookie($this->cookiename, '-del-', time() - 60);
}
-
/**
* Re-read session data from storage backend
@@ -342,7 +381,7 @@
$node[$k] = $value;
}
- if($this->key) {
+ if ($this->key) {
$data = $this->read($this->key);
}
@@ -364,7 +403,6 @@
}
}
}
-
}
/**
@@ -401,7 +439,6 @@
return $data;
}
-
/**
* Unserialize session data
@@ -501,7 +538,6 @@
return unserialize( 'a:' . $items . ':{' . $serialized . '}' );
}
-
/**
* Setter for session lifetime
*/
@@ -514,7 +550,6 @@
$this->now = $now - ($now % ($this->lifetime / 2));
}
-
/**
* Getter for remote IP saved with this session
*/
@@ -523,15 +558,23 @@
return $this->ip;
}
-
/**
* Setter for cookie encryption secret
*/
- function set_secret($secret)
+ function set_secret($secret = null)
{
- $this->secret = $secret;
- }
+ // generate random hash and store in session
+ if (!$secret) {
+ if (!empty($_SESSION['auth_secret'])) {
+ $secret = $_SESSION['auth_secret'];
+ }
+ else {
+ $secret = rcube_utils::random_bytes(strlen($this->key));
+ }
+ }
+ $_SESSION['auth_secret'] = $secret;
+ }
/**
* Enable/disable IP check
@@ -540,7 +583,6 @@
{
$this->ip_check = $check;
}
-
/**
* Setter for the cookie name used for session cookie
@@ -551,7 +593,6 @@
$this->cookiename = $cookiename;
}
}
-
/**
* Check session authentication cookie
@@ -590,28 +631,30 @@
return $result;
}
-
/**
* Set session authentication cookie
*/
- function set_auth_cookie()
+ public function set_auth_cookie()
{
$this->cookie = $this->_mkcookie($this->now);
rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
$_COOKIE[$this->cookiename] = $this->cookie;
}
-
/**
- * Create session cookie from session data
+ * Create session cookie for specified time slot.
*
* @param int Time slot to use
+ *
* @return string
*/
- function _mkcookie($timeslot)
+ protected function _mkcookie($timeslot)
{
- $auth_string = "$this->key,$this->secret,$timeslot";
- return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
+ // make sure the secret key exists
+ $this->set_secret();
+
+ // no need to hash this, it's just a random string
+ return $_SESSION['auth_secret'] . '-' . $timeslot;
}
/**
--
Gitblit v1.9.1