From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/include/rcube_session.php |   80 +++++++++++++++++++++++++---------------
 1 files changed, 50 insertions(+), 30 deletions(-)

diff --git a/program/include/rcube_session.php b/program/include/rcube_session.php
index 0a67480..3e3becb 100644
--- a/program/include/rcube_session.php
+++ b/program/include/rcube_session.php
@@ -52,10 +52,11 @@
    */
   public function __construct($db, $config)
   {
-    $this->db = $db;
-    $this->start = microtime(true);
-    $this->ip = $_SERVER['REMOTE_ADDR'];
+    $this->db      = $db;
+    $this->start   = microtime(true);
+    $this->ip      = $_SERVER['REMOTE_ADDR'];
     $this->logging = $config->get('log_session', false);
+    $this->mc_debug = $config->get('memcache_debug', false);
 
     $lifetime = $config->get('session_lifetime', 1) * 60;
     $this->set_lifetime($lifetime);
@@ -126,10 +127,10 @@
   public function db_read($key)
   {
     $sql_result = $this->db->query(
-      "SELECT vars, ip, changed FROM ".get_table_name('session')." WHERE sess_id = ?",
-      $key);
+      "SELECT vars, ip, changed FROM ".get_table_name('session')
+      ." WHERE sess_id = ?", $key);
 
-    if ($sql_arr = $this->db->fetch_assoc($sql_result)) {
+    if ($sql_result && ($sql_arr = $this->db->fetch_assoc($sql_result))) {
       $this->changed = strtotime($sql_arr['changed']);
       $this->ip      = $sql_arr['ip'];
       $this->vars    = base64_decode($sql_arr['vars']);
@@ -156,10 +157,15 @@
     $ts = microtime(true);
     $now = $this->db->fromunixtime((int)$ts);
 
+    // no session row in DB (db_read() returns false)
+    if (!$this->key) {
+      $oldvars = false;
+    }
     // use internal data from read() for fast requests (up to 0.5 sec.)
-    if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) {
+    else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) {
       $oldvars = $this->vars;
-    } else { // else read data again from DB
+    }
+    else { // else read data again from DB
       $oldvars = $this->db_read($key);
     }
 
@@ -193,8 +199,6 @@
    */
   private function _fixvars($vars, $oldvars)
   {
-    $ts = microtime(true);
-
     if ($oldvars !== false) {
       $a_oldvars = $this->unserialize($oldvars);
       if (is_array($a_oldvars)) {
@@ -256,8 +260,9 @@
    */
   public function mc_read($key)
   {
-    if ($value = $this->memcache->get($key)) {
-      $arr = unserialize($value);
+    $value = $this->memcache->get($key);
+    if ($this->mc_debug) write_log('memcache', "get($key): " . strlen($value));
+    if ($value && ($arr = unserialize($value))) {
       $this->changed = $arr['changed'];
       $this->ip      = $arr['ip'];
       $this->vars    = $arr['vars'];
@@ -282,16 +287,26 @@
   {
     $ts = microtime(true);
 
+    // no session data in cache (mc_read() returns false)
+    if (!$this->key)
+      $oldvars = false;
     // use internal data for fast requests (up to 0.5 sec.)
-    if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5))
+    else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5))
       $oldvars = $this->vars;
     else // else read data again
       $oldvars = $this->mc_read($key);
 
     $newvars = $oldvars !== false ? $this->_fixvars($vars, $oldvars) : $vars;
     
-    if ($newvars !== $oldvars || $ts - $this->changed > $this->lifetime / 2)
-      return $this->memcache->set($key, serialize(array('changed' => time(), 'ip' => $this->ip, 'vars' => $newvars)), MEMCACHE_COMPRESSED, $this->lifetime);
+    if ($newvars !== $oldvars || $ts - $this->changed > $this->lifetime / 2) {
+      $value = serialize(array('changed' => time(), 'ip' => $this->ip, 'vars' => $newvars));
+      $ret = $this->memcache->set($key, $value, MEMCACHE_COMPRESSED, $this->lifetime);
+      if ($this->mc_debug) {
+        write_log('memcache', "set($key): " . strlen($value) . ": " . ($ret ? 'OK' : 'ERR'));
+        write_log('memcache', "... get($key): " . strlen($this->memcache->get($key)));
+      }
+      return $ret;
+    }
     
     return true;
   }
@@ -304,7 +319,10 @@
    */
   public function mc_destroy($key)
   {
-    return $this->memcache->delete($key);
+    // #1488592: use 2nd argument
+    $ret = $this->memcache->delete($key, 0);
+    if ($this->mc_debug) write_log('memcache', "delete($key): " . ($ret ? 'OK' : 'ERR'));
+    return $ret;
   }
 
 
@@ -314,20 +332,7 @@
   public function gc()
   {
     foreach ($this->gc_handlers as $fct)
-      $fct();
-  }
-
-
-  /**
-   * Cleanup session data before saving
-   */
-  public function cleanup()
-  {
-    // current compose information is stored in $_SESSION['compose'], move it to $_SESSION['compose_data']
-    if ($_SESSION['compose']) {
-      $_SESSION['compose_data'][$_SESSION['compose']['id']] = $_SESSION['compose'];
-      $this->remove('compose');
-    }
+      call_user_func($fct);
   }
 
 
@@ -388,6 +393,21 @@
 
 
   /**
+   * Re-read session data from storage backend
+   */
+  public function reload()
+  {
+    if ($this->key && $this->memcache)
+      $data = $this->mc_read($this->key);
+    else if ($this->key)
+      $data = $this->db_read($this->key);
+
+    if ($data)
+     session_decode($data);
+  }
+
+
+  /**
    * Serialize session data
    */
   private function serialize($vars)

--
Gitblit v1.9.1