summaryrefslogtreecommitdiffstats
path: root/system/libraries/Session
diff options
context:
space:
mode:
authorBrennan Thompson <brenjt@gmail.com>2014-02-14 20:03:57 +0100
committerBrennan Thompson <brenjt@gmail.com>2014-02-14 20:03:57 +0100
commit6949f95f6e21980f36095490bf38fc8a172dbc0f (patch)
treeb3141f390acd0051396cda6a3da51c1f98384cca /system/libraries/Session
parent68a02a01a086bbb1b8128ea2744439de84873d11 (diff)
parent81f036753272391360ba5b64e6dd93c4101a8733 (diff)
Merge remote-tracking branch 'upstream/develop' into develop
Conflicts: system/helpers/form_helper.php
Diffstat (limited to 'system/libraries/Session')
-rw-r--r--system/libraries/Session/Session.php109
-rw-r--r--system/libraries/Session/drivers/Session_cookie.php185
-rw-r--r--system/libraries/Session/drivers/Session_native.php2
3 files changed, 127 insertions, 169 deletions
diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
index 659a0269e..905352bb3 100644
--- a/system/libraries/Session/Session.php
+++ b/system/libraries/Session/Session.php
@@ -18,7 +18,7 @@
*
* @package CodeIgniter
* @author EllisLab Dev Team
- * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/)
+ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
* @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
* @link http://codeigniter.com
* @since Version 2.0
@@ -102,10 +102,10 @@ class CI_Session extends CI_Driver_Library {
*/
public function __construct(array $params = array())
{
- $CI =& get_instance();
+ $_config =& get_instance()->config;
// No sessions under CLI
- if ($CI->input->is_cli_request())
+ if (is_cli())
{
return;
}
@@ -113,7 +113,7 @@ class CI_Session extends CI_Driver_Library {
log_message('debug', 'CI_Session Class Initialized');
// Add possible extra entries to our valid drivers list
- $drivers = isset($params['sess_valid_drivers']) ? $params['sess_valid_drivers'] : $CI->config->item('sess_valid_drivers');
+ $drivers = isset($params['sess_valid_drivers']) ? $params['sess_valid_drivers'] : $_config->item('sess_valid_drivers');
if ( ! empty($drivers))
{
$drivers = array_map('strtolower', (array) $drivers);
@@ -121,7 +121,7 @@ class CI_Session extends CI_Driver_Library {
}
// Get driver to load
- $driver = isset($params['sess_driver']) ? $params['sess_driver'] : $CI->config->item('sess_driver');
+ $driver = isset($params['sess_driver']) ? $params['sess_driver'] : $_config->item('sess_driver');
if ( ! $driver)
{
log_message('debug', "Session: No driver name is configured, defaulting to 'cookie'.");
@@ -238,9 +238,14 @@ class CI_Session extends CI_Driver_Library {
* @param string Item key
* @return string Item value or NULL if not found
*/
- public function userdata($item)
+ public function userdata($item = NULL)
{
- return isset($this->userdata[$item]) ? $this->userdata[$item] : NULL;
+ if (isset($item))
+ {
+ return isset($this->userdata[$item]) ? $this->userdata[$item] : NULL;
+ }
+
+ return isset($this->userdata) ? $this->userdata : array();
}
// ------------------------------------------------------------------------
@@ -248,35 +253,12 @@ class CI_Session extends CI_Driver_Library {
/**
* Fetch all session data
*
+ * @deprecated 3.0.0 Use userdata() with no parameters instead
* @return array User data array
*/
public function all_userdata()
{
- return isset($this->userdata) ? $this->userdata : NULL;
- }
-
- // ------------------------------------------------------------------------
-
- /**
- * Fetch all flashdata
- *
- * @return array Flash data array
- */
- public function all_flashdata()
- {
- $out = array();
-
- // loop through all userdata
- foreach ($this->all_userdata() as $key => $val)
- {
- // if it contains flashdata, add it
- if (strpos($key, self::FLASHDATA_KEY.self::FLASHDATA_OLD) !== FALSE)
- {
- $key = str_replace(self::FLASHDATA_KEY.self::FLASHDATA_OLD, '', $key);
- $out[$key] = $val;
- }
- }
- return $out;
+ return isset($this->userdata) ? $this->userdata : array();
}
// ------------------------------------------------------------------------
@@ -288,7 +270,7 @@ class CI_Session extends CI_Driver_Library {
* @param string Item value or empty string
* @return void
*/
- public function set_userdata($newdata = array(), $newval = '')
+ public function set_userdata($newdata, $newval = '')
{
// Wrap params as array if singular
if (is_string($newdata))
@@ -317,7 +299,7 @@ class CI_Session extends CI_Driver_Library {
* @param mixed Item name or array of item names
* @return void
*/
- public function unset_userdata($newdata = array())
+ public function unset_userdata($newdata)
{
// Wrap single name as array
if (is_string($newdata))
@@ -360,7 +342,7 @@ class CI_Session extends CI_Driver_Library {
* @param string Item value or empty string
* @return void
*/
- public function set_flashdata($newdata = array(), $newval = '')
+ public function set_flashdata($newdata, $newval = '')
{
// Wrap item as array if singular
if (is_string($newdata))
@@ -417,11 +399,25 @@ class CI_Session extends CI_Driver_Library {
* @param string Item key
* @return string
*/
- public function flashdata($key)
+ public function flashdata($key = NULL)
{
- // Prepend key and retrieve value
- $flashdata_key = self::FLASHDATA_KEY.self::FLASHDATA_OLD.$key;
- return $this->userdata($flashdata_key);
+ if (isset($key))
+ {
+ return $this->userdata(self::FLASHDATA_KEY.self::FLASHDATA_OLD.$key);
+ }
+
+ // Get our flashdata items from userdata
+ $out = array();
+ foreach ($this->userdata() as $key => $val)
+ {
+ if (strpos($key, self::FLASHDATA_KEY.self::FLASHDATA_OLD) !== FALSE)
+ {
+ $key = str_replace(self::FLASHDATA_KEY.self::FLASHDATA_OLD, '', $key);
+ $out[$key] = $val;
+ }
+ }
+
+ return $out;
}
// ------------------------------------------------------------------------
@@ -434,7 +430,7 @@ class CI_Session extends CI_Driver_Library {
* @param int Item lifetime in seconds or 0 for default
* @return void
*/
- public function set_tempdata($newdata = array(), $newval = '', $expire = 0)
+ public function set_tempdata($newdata, $newval = '', $expire = 0)
{
// Set expiration time
$expire = time() + ($expire ? $expire : self::TEMP_EXP_DEF);
@@ -475,7 +471,7 @@ class CI_Session extends CI_Driver_Library {
* @param mixed Item name or array of item names
* @return void
*/
- public function unset_tempdata($newdata = array())
+ public function unset_tempdata($newdata)
{
// Get expirations list
$expirations = $this->userdata(self::EXPIRATION_KEY);
@@ -514,11 +510,25 @@ class CI_Session extends CI_Driver_Library {
* @param string Item key
* @return string
*/
- public function tempdata($key)
+ public function tempdata($key = NULL)
{
- // Prepend key and return value
- $tempdata_key = self::FLASHDATA_KEY.self::FLASHDATA_EXP.$key;
- return $this->userdata($tempdata_key);
+ if (isset($key))
+ {
+ return $this->userdata(self::FLASHDATA_KEY.self::FLASHDATA_EXP.$key);
+ }
+
+ // Get our tempdata items from userdata
+ $out = array();
+ foreach ($this->userdata() as $key => $val)
+ {
+ if (strpos($key, self::FLASHDATA_KEY.self::FLASHDATA_EXP) !== FALSE)
+ {
+ $key = str_replace(self::FLASHDATA_KEY.self::FLASHDATA_EXP, '', $key);
+ $out[$key] = $val;
+ }
+ }
+
+ return $out;
}
// ------------------------------------------------------------------------
@@ -531,13 +541,12 @@ class CI_Session extends CI_Driver_Library {
*/
protected function _flashdata_mark()
{
- foreach ($this->all_userdata() as $name => $value)
+ foreach ($this->userdata() as $name => $value)
{
$parts = explode(self::FLASHDATA_NEW, $name);
if (count($parts) === 2)
{
- $new_name = self::FLASHDATA_KEY.self::FLASHDATA_OLD.$parts[1];
- $this->set_userdata($new_name, $value);
+ $this->set_userdata(self::FLASHDATA_KEY.self::FLASHDATA_OLD.$parts[1], $value);
$this->unset_userdata($name);
}
}
@@ -552,7 +561,7 @@ class CI_Session extends CI_Driver_Library {
*/
protected function _flashdata_sweep()
{
- $userdata = $this->all_userdata();
+ $userdata = $this->userdata();
foreach (array_keys($userdata) as $key)
{
if (strpos($key, self::FLASHDATA_OLD))
@@ -581,7 +590,7 @@ class CI_Session extends CI_Driver_Library {
// Unset expired elements
$now = time();
- $userdata = $this->all_userdata();
+ $userdata = $this->userdata();
foreach (array_keys($userdata) as $key)
{
if (strpos($key, self::FLASHDATA_EXP) && $expirations[$key] < $now)
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php
index d3d22d03a..566c40bd8 100644
--- a/system/libraries/Session/drivers/Session_cookie.php
+++ b/system/libraries/Session/drivers/Session_cookie.php
@@ -18,7 +18,7 @@
*
* @package CodeIgniter
* @author EllisLab Dev Team
- * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/)
+ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
* @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
* @link http://codeigniter.com
* @since Version 1.0
@@ -165,6 +165,8 @@ class CI_Session_cookie extends CI_Session_driver {
*/
public $now;
+ // ------------------------------------------------------------------------
+
/**
* Default userdata keys
*
@@ -185,6 +187,15 @@ class CI_Session_cookie extends CI_Session_driver {
protected $data_dirty = FALSE;
/**
+ * Standardize newlines flag
+ *
+ * @var bool
+ */
+ protected $_standardize_newlines;
+
+ // ------------------------------------------------------------------------
+
+ /**
* Initialize session driver object
*
* @return void
@@ -209,9 +220,11 @@ class CI_Session_cookie extends CI_Session_driver {
'sess_time_to_update',
'time_reference',
'cookie_prefix',
- 'encryption_key'
+ 'encryption_key',
);
+ $this->_standardize_newlines = (bool) config_item('standardize_newlines');
+
foreach ($prefs as $key)
{
$this->$key = isset($this->_parent->params[$key])
@@ -227,7 +240,7 @@ class CI_Session_cookie extends CI_Session_driver {
// Do we need encryption? If so, load the encryption class
if ($this->sess_encrypt_cookie === TRUE)
{
- $this->CI->load->library('encrypt');
+ $this->CI->load->library('encryption');
}
// Check for database
@@ -370,34 +383,45 @@ class CI_Session_cookie extends CI_Session_driver {
return FALSE;
}
- $len = strlen($session) - 40;
-
- if ($len < 0)
+ if ($this->sess_encrypt_cookie === TRUE)
{
- log_message('debug', 'The session cookie was not signed.');
- return FALSE;
+ $session = $this->CI->encryption->decrypt($session);
+ if ($session === FALSE)
+ {
+ log_message('error', 'Session: Unable to decrypt the session cookie, possibly due to a HMAC mismatch.');
+ return FALSE;
+ }
}
+ else
+ {
+ if (($len = strlen($session) - 40) <= 0)
+ {
+ log_message('error', 'Session: The session cookie was not signed.');
+ return FALSE;
+ }
- // Check cookie authentication
- $hmac = substr($session, $len);
- $session = substr($session, 0, $len);
+ // Check cookie authentication
+ $hmac = substr($session, $len);
+ $session = substr($session, 0, $len);
- if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key))
- {
- log_message('error', 'The session cookie data did not match what was expected.');
- $this->sess_destroy();
- return FALSE;
- }
+ // Time-attack-safe comparison
+ $hmac_check = hash_hmac('sha1', $session, $this->encryption_key);
+ $diff = 0;
+ for ($i = 0; $i < 40; $i++)
+ {
+ $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]);
+ }
- // Check for encryption
- if ($this->sess_encrypt_cookie === TRUE)
- {
- // Decrypt the cookie data
- $session = $this->CI->encrypt->decode($session);
+ if ($diff !== 0)
+ {
+ log_message('error', 'Session: HMAC mismatch. The session cookie data did not match what was expected.');
+ $this->sess_destroy();
+ return FALSE;
+ }
}
// Unserialize the session array
- $session = $this->_unserialize($session);
+ $session = @unserialize($session);
// Is the session data we unserialized an array with the correct format?
if ( ! is_array($session) OR ! isset($session['session_id'], $session['ip_address'], $session['user_agent'], $session['last_activity']))
@@ -472,7 +496,7 @@ class CI_Session_cookie extends CI_Session_driver {
$row = $query->row();
if ( ! empty($row->user_data))
{
- $custom_data = $this->_unserialize($row->user_data);
+ $custom_data = unserialize(trim($row->user_data));
if (is_array($custom_data))
{
@@ -608,7 +632,7 @@ class CI_Session_cookie extends CI_Session_driver {
if ( ! empty($userdata))
{
// Serialize the custom data array so we can store it
- $set['user_data'] = $this->_serialize($userdata);
+ $set['user_data'] = serialize($userdata);
}
// Reset query builder values.
@@ -695,16 +719,28 @@ class CI_Session_cookie extends CI_Session_driver {
? array_intersect_key($this->userdata, $this->defaults)
: $this->userdata;
+ // The Input class will do this and since we use HMAC verification,
+ // unless we standardize here as well, the hash won't match.
+ if ($this->_standardize_newlines)
+ {
+ foreach (array_keys($this->userdata) as $key)
+ {
+ $this->userdata[$key] = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $this->userdata[$key]);
+ }
+ }
+
// Serialize the userdata for the cookie
- $cookie_data = $this->_serialize($cookie_data);
+ $cookie_data = serialize($cookie_data);
if ($this->sess_encrypt_cookie === TRUE)
{
- $cookie_data = $this->CI->encrypt->encode($cookie_data);
+ $cookie_data = $this->CI->encryption->encrypt($cookie_data);
+ }
+ else
+ {
+ // Require message authentication
+ $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
}
-
- // Require message authentication
- $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();
@@ -737,93 +773,6 @@ class CI_Session_cookie extends CI_Session_driver {
// ------------------------------------------------------------------------
/**
- * Serialize an array
- *
- * This function first converts any slashes found in the array to a temporary
- * marker, so when it gets unserialized the slashes will be preserved
- *
- * @param mixed Data to serialize
- * @return string Serialized data
- */
- protected function _serialize($data)
- {
- if (is_array($data))
- {
- array_walk_recursive($data, array(&$this, '_escape_slashes'));
- }
- elseif (is_string($data))
- {
- $data = str_replace('\\', '{{slash}}', $data);
- }
-
- return serialize($data);
- }
-
- // ------------------------------------------------------------------------
-
- /**
- * Escape slashes
- *
- * This function converts any slashes found into a temporary marker
- *
- * @param string Value
- * @param string Key
- * @return void
- */
- protected function _escape_slashes(&$val, $key)
- {
- if (is_string($val))
- {
- $val = str_replace('\\', '{{slash}}', $val);
- }
- }
-
- // ------------------------------------------------------------------------
-
- /**
- * Unserialize
- *
- * This function unserializes a data string, then converts any
- * temporary slash markers back to actual slashes
- *
- * @param mixed Data to unserialize
- * @return mixed Unserialized data
- */
- protected function _unserialize($data)
- {
- $data = @unserialize(trim($data));
-
- if (is_array($data))
- {
- array_walk_recursive($data, array(&$this, '_unescape_slashes'));
- return $data;
- }
-
- return is_string($data) ? str_replace('{{slash}}', '\\', $data) : $data;
- }
-
- // ------------------------------------------------------------------------
-
- /**
- * Unescape slashes
- *
- * This function converts any slash markers back into actual slashes
- *
- * @param string Value
- * @param string Key
- * @return void
- */
- protected function _unescape_slashes(&$val, $key)
- {
- if (is_string($val))
- {
- $val = str_replace('{{slash}}', '\\', $val);
- }
- }
-
- // ------------------------------------------------------------------------
-
- /**
* Garbage collection
*
* This deletes expired session rows from database
@@ -841,7 +790,7 @@ class CI_Session_cookie extends CI_Session_driver {
$probability = ini_get('session.gc_probability');
$divisor = ini_get('session.gc_divisor');
- if ((mt_rand(0, $divisor) / $divisor) < $probability)
+ if (mt_rand(1, $divisor) <= $probability)
{
$expire = $this->now - $this->sess_expiration;
$this->CI->db->delete($this->sess_table_name, 'last_activity < '.$expire);
diff --git a/system/libraries/Session/drivers/Session_native.php b/system/libraries/Session/drivers/Session_native.php
index c237ad059..4104652b8 100644
--- a/system/libraries/Session/drivers/Session_native.php
+++ b/system/libraries/Session/drivers/Session_native.php
@@ -18,7 +18,7 @@
*
* @package CodeIgniter
* @author EllisLab Dev Team
- * @copyright Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/)
+ * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
* @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
* @link http://codeigniter.com
* @since Version 1.0