[Svn] r4275 - in trunk/roundcubemail: . program/include

trac at roundcube.net trac at roundcube.net
Sat Nov 27 14:59:05 CET 2010


Author: thomasb
Date: 2010-11-27 07:59:05 -0600 (Sat, 27 Nov 2010)
New Revision: 4275

Modified:
   trunk/roundcubemail/CHANGELOG
   trunk/roundcubemail/program/include/rcube_session.php
Log:
Save session data with base64 encoding to make it more robust against garbage data (#1487136)

Modified: trunk/roundcubemail/CHANGELOG
===================================================================
--- trunk/roundcubemail/CHANGELOG	2010-11-26 12:41:16 UTC (rev 4274)
+++ trunk/roundcubemail/CHANGELOG	2010-11-27 13:59:05 UTC (rev 4275)
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Make session data storage more robust against garbage session data (#1487136)
 - Config option for autocomplete on login screen
 - Allow plugin templates to include local files (#1487133)
 - List groups in address detail view and allow to subscribe/unsubscribe from there (#1486753)

Modified: trunk/roundcubemail/program/include/rcube_session.php
===================================================================
--- trunk/roundcubemail/program/include/rcube_session.php	2010-11-26 12:41:16 UTC (rev 4274)
+++ trunk/roundcubemail/program/include/rcube_session.php	2010-11-27 13:59:05 UTC (rev 4275)
@@ -81,12 +81,12 @@
 
     if ($sql_arr = $this->db->fetch_assoc($sql_result)) {
       $this->changed = $sql_arr['changed'];
-      $this->vars = $sql_arr['vars'];
-      $this->ip = $sql_arr['ip'];
-      $this->key = $key; 
+      $this->ip      = $sql_arr['ip'];
+      $this->vars    = base64_decode($sql_arr['vars']);
+      $this->key     = $key;
 
-      if (!empty($sql_arr['vars']))
-        return $sql_arr['vars'];
+      if (!empty($this->vars))
+        return $this->vars;
     }
 
     return false;
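Review bot: The decode on the new `$this->vars = base64_decode($sql_arr['vars']);` line runs in lenient mode, which silently drops any byte outside the base64 alphabet and still returns a string, so the garbage rows this revision targets would still be handed to the unserialize step instead of being rejected; `$this->vars = base64_decode($sql_arr['vars'], true);` returns false on malformed input, and the `!empty($this->vars)` check a few lines below already turns that into the not-found path. Rows written before this revision are not base64-encoded, and lenient decoding of a plain serialized string produces binary junk rather than the original data, so unless the upgrade re-encodes or purges the session table every live session appears to be invalidated on upgrade — that deserves a CHANGELOG or UPGRADING note. The enclosing read method starts above this hunk, so the caller's handling of the false return is not visible here.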
@@ -107,19 +107,22 @@
     }
 
     if ($oldvars !== false) {
-      $a_oldvars = $this->unserialize($oldvars); 
-      foreach ((array)$this->unsets as $k)
-        unset($a_oldvars[$k]);
+      $a_oldvars = $this->unserialize($oldvars);
+      if (is_array($a_oldvars)) {
+        foreach ((array)$this->unsets as $k)
+          unset($a_oldvars[$k]);
 
-      $newvars = $this->serialize(array_merge(
-        (array)$a_oldvars, (array)$this->unserialize($vars)));
+        $newvars = $this->serialize(array_merge(
+          (array)$a_oldvars, (array)$this->unserialize($vars)));
+      }
+      else
+        $newvars = $vars;
 
       if (!$this->lifetime) {
         $timeout = 600;
       }
       else if ($this->keep_alive>0) {
-        $timeout = min($this->lifetime * 0.5,
-		  $this->lifetime - $this->keep_alive);
+        $timeout = min($this->lifetime * 0.5, $this->lifetime - $this->keep_alive);
       } else {
         $timeout = 0;
       }
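Review bot: The new `is_array($a_oldvars)` guard covers only the stored side of the merge; the incoming side at `(array)$this->unserialize($vars)` still goes through a bare cast, and if that method returns false on malformed input the cast yields `array(0 => false)` rather than an empty array, so a bogus numeric key would be merged into and re-saved with the session. The same check applied symmetrically avoids that: `$a_newvars = $this->unserialize($vars); if (!is_array($a_newvars)) $a_newvars = array();` and then merge `$a_newvars` instead of the cast expression. The `else $newvars = $vars;` fallback also silently overwrites a row whose stored data could not be parsed; since an unparseable session row can indicate tampering as well as truncation, logging that case would make it visible to operators. The enclosing write method starts above this hunk.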
@@ -128,7 +131,7 @@
         $this->db->query(
           sprintf("UPDATE %s SET vars = ?, changed = %s WHERE sess_id = ?",
             get_table_name('session'), $now),
-          $newvars, $key);
+          base64_encode($newvars), $key);
       }
     }
     else {
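Review bot: Base64 expands the payload by roughly a third on the new `base64_encode($newvars)` parameter, so if the session table's `vars` column is a size-limited type, sessions that previously fit may now be truncated by the database — which on MySQL without strict mode is only a warning — reproducing exactly the garbage-data symptom this revision is meant to fix. Worth confirming the column is an unbounded TEXT/BLOB-class type in every shipped schema, and a comment on this line such as `// vars is stored base64-encoded (#1487136); column must hold ~4/3 of the serialized size` would record the constraint next to the query. The enclosing if/else and write method continue outside this hunk.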
@@ -136,7 +139,7 @@
         sprintf("INSERT INTO %s (sess_id, vars, ip, created, changed) ".
           "VALUES (?, ?, ?, %s, %s)",
           get_table_name('session'), $now, $now),
-        $key, $vars, (string)$_SERVER['REMOTE_ADDR']);
+        $key, base64_encode($vars), (string)$_SERVER['REMOTE_ADDR']);
     }
 
     $this->unsets = array();
