Changeset 4275 in subversion


Ignore:
Timestamp:
Nov 27, 2010 8:59:05 AM (2 years ago)
Author:
thomasb
Message:

Save session data with bas64 ecoding to make it more robust against garbage data (#1487136)

Location:
trunk/roundcubemail
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/roundcubemail/CHANGELOG

    r4274 r4275  
    22=========================== 
    33 
     4- Make session data storage more robust against garbage session data (#1487136) 
    45- Config option for autocomplete on login screen 
    56- Allow plugin templates to include local files (#1487133) 

  • trunk/roundcubemail/program/include/rcube_session.php

    r4066 r4275  
    8282    if ($sql_arr = $this->db->fetch_assoc($sql_result)) { 
    8383      $this->changed = $sql_arr['changed']; 
    84       $this->vars = $sql_arr['vars']; 
    85       $this->ip = $sql_arr['ip']; 
    86       $this->key = $key;  
    87  
    88       if (!empty($sql_arr['vars'])) 
    89         return $sql_arr['vars']; 
     84      $this->ip      = $sql_arr['ip']; 
     85      $this->vars    = base64_decode($sql_arr['vars']); 
     86      $this->key     = $key; 
     87 
     88      if (!empty($this->vars)) 
     89        return $this->vars; 
    9090    } 
    9191 
     
    108108 
    109109    if ($oldvars !== false) { 
    110       $a_oldvars = $this->unserialize($oldvars);  
    111       foreach ((array)$this->unsets as $k) 
    112         unset($a_oldvars[$k]); 
    113  
    114       $newvars = $this->serialize(array_merge( 
    115         (array)$a_oldvars, (array)$this->unserialize($vars))); 
     110      $a_oldvars = $this->unserialize($oldvars); 
     111      if (is_array($a_oldvars)) { 
     112        foreach ((array)$this->unsets as $k) 
     113          unset($a_oldvars[$k]); 
     114 
     115        $newvars = $this->serialize(array_merge( 
     116          (array)$a_oldvars, (array)$this->unserialize($vars))); 
     117      } 
     118      else 
     119        $newvars = $vars; 
    116120 
    117121      if (!$this->lifetime) { 
     
    119123      } 
    120124      else if ($this->keep_alive>0) { 
    121         $timeout = min($this->lifetime * 0.5, 
    122                   $this->lifetime - $this->keep_alive); 
     125        $timeout = min($this->lifetime * 0.5, $this->lifetime - $this->keep_alive); 
    123126      } else { 
    124127        $timeout = 0; 
     
    129132          sprintf("UPDATE %s SET vars = ?, changed = %s WHERE sess_id = ?", 
    130133            get_table_name('session'), $now), 
    131           $newvars, $key); 
     134          base64_encode($newvars), $key); 
    132135      } 
    133136    } 
     
    137140          "VALUES (?, ?, ?, %s, %s)", 
    138141          get_table_name('session'), $now, $now), 
    139         $key, $vars, (string)$_SERVER['REMOTE_ADDR']); 
     142        $key, base64_encode($vars), (string)$_SERVER['REMOTE_ADDR']); 
    140143    } 
    141144 
Note: See TracChangeset for help on using the changeset viewer.