opensourcemirror
/
dokuwiki
mirror of https://github.com/splitbrain/dokuwiki.git
1
0
Fork 0
Code Issues Releases Wiki Activity

adjust session ID check to specification 

The documentation says sessionIDs are between 22 and 256 chars long. A
quick test only showed 26 chars in common configurations, but this
should cover all possibilities.
This commit is contained in:
Andreas Gohr 2017-03-01 10:03:11 +01:00 committed by Andreas Gohr
parent 6eb3cdf688
commit 924e477e18
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
inc/init.php
View File

@ -232,6 +232,7 @@ mail_setup();
* Makes sure the passed session cookie is valid, invalid ones are ignored an a new session ID is issued
*
* @link http://stackoverflow.com/a/33024310/172068
* @link http://php.net/manual/en/session.configuration.php#ini.session.sid-length
*/
function init_session() {
global $conf;
@ -239,7 +240,7 @@ function init_session() {
session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true);
// make sure the session cookie contains a valid session ID
if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[DOKU_SESSION_NAME])) {
if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{22,256}$/', $_COOKIE[DOKU_SESSION_NAME])) {
unset($_COOKIE[DOKU_SESSION_NAME]);
}