summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/libraries/Session/Session.php2
-rw-r--r--system/libraries/Session/Session_driver.php17
-rw-r--r--system/libraries/Session/drivers/Session_database_driver.php26
-rw-r--r--system/libraries/Session/drivers/Session_files_driver.php18
-rw-r--r--system/libraries/Session/drivers/Session_memcached_driver.php19
-rw-r--r--system/libraries/Session/drivers/Session_redis_driver.php18
6 files changed, 99 insertions, 1 deletions
diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
index 26bc4f486..04855f65a 100644
--- a/system/libraries/Session/Session.php
+++ b/system/libraries/Session/Session.php
@@ -585,7 +585,7 @@ class CI_Session {
// ------------------------------------------------------------------------
/**
- * Unmark flash
+ * Unmark temp
*
* @param mixed $key Session data key(s)
* @return void
diff --git a/system/libraries/Session/Session_driver.php b/system/libraries/Session/Session_driver.php
index e0030889c..6ed365959 100644
--- a/system/libraries/Session/Session_driver.php
+++ b/system/libraries/Session/Session_driver.php
@@ -113,6 +113,23 @@ abstract class CI_Session_driver implements SessionHandlerInterface {
// ------------------------------------------------------------------------
/**
+ * PHP 5.x validate ID
+ *
+ * Enforces session.use_strict_mode on PHP 5.x (7+ does it by itself)
+ *
+ * @return void
+ */
+ public function php5_validate_id()
+ {
+ if (PHP_VERSION_ID < 70000 && isset($_COOKIE[$this->_config['cookie_name']]) && ! $this->validateId($_COOKIE[$this->_config['cookie_name']]))
+ {
+ unset($_COOKIE[$this->_config['cookie_name']]);
+ }
+ }
+
+ // ------------------------------------------------------------------------
+
+ /**
* Cookie destroy
*
* Internal method to force removal of a cookie by the client
diff --git a/system/libraries/Session/drivers/Session_database_driver.php b/system/libraries/Session/drivers/Session_database_driver.php
index 72c043c4e..1a0514b53 100644
--- a/system/libraries/Session/drivers/Session_database_driver.php
+++ b/system/libraries/Session/drivers/Session_database_driver.php
@@ -133,6 +133,8 @@ class CI_Session_database_driver extends CI_Session_driver implements SessionHan
return $this->_fail();
}
+ $this->php5_validate_id();
+
return $this->_success;
}
@@ -340,6 +342,30 @@ class CI_Session_database_driver extends CI_Session_driver implements SessionHan
: $this->_fail();
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Validate ID
+ *
+ * Checks whether a session ID record exists server-side,
+ * to enforce session.use_strict_mode.
+ *
+ * @param string $id
+ * @return bool
+ */
+ public function validateId($id)
+ {
+ // Prevent previous QB calls from messing with our queries
+ $this->_db->reset_query();
+
+ $this->_db->select('1')->from($this->_config['save_path'])->where('id', $id);
+ empty($this->_config['match_ip']) OR $this->_db->where('ip_address', $_SERVER['REMOTE_ADDR']);
+ $result = $this->_db->get();
+ empty($result) OR $result = $result->row();
+
+ return ! empty($result);
+ }
+
// ------------------------------------------------------------------------
/**
diff --git a/system/libraries/Session/drivers/Session_files_driver.php b/system/libraries/Session/drivers/Session_files_driver.php
index 92c5ebc03..4a86ec9d6 100644
--- a/system/libraries/Session/drivers/Session_files_driver.php
+++ b/system/libraries/Session/drivers/Session_files_driver.php
@@ -148,6 +148,8 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle
.$name // we'll use the session cookie name as a prefix to avoid collisions
.($this->_config['match_ip'] ? md5($_SERVER['REMOTE_ADDR']) : '');
+ $this->php5_validate_id();
+
return $this->_success;
}
@@ -392,6 +394,22 @@ class CI_Session_files_driver extends CI_Session_driver implements SessionHandle
// --------------------------------------------------------------------
/**
+ * Validate ID
+ *
+ * Checks whether a session ID record exists server-side,
+ * to enforce session.use_strict_mode.
+ *
+ * @param string $id
+ * @return bool
+ */
+ public function validateId($id)
+ {
+ return is_file($this->_file_path.$id);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* Byte-safe strlen()
*
* @param string $str
diff --git a/system/libraries/Session/drivers/Session_memcached_driver.php b/system/libraries/Session/drivers/Session_memcached_driver.php
index d9506ba7e..efc084d8b 100644
--- a/system/libraries/Session/drivers/Session_memcached_driver.php
+++ b/system/libraries/Session/drivers/Session_memcached_driver.php
@@ -145,6 +145,8 @@ class CI_Session_memcached_driver extends CI_Session_driver implements SessionHa
return $this->_fail();
}
+ $this->php5_validate_id();
+
return $this->_success;
}
@@ -290,6 +292,23 @@ class CI_Session_memcached_driver extends CI_Session_driver implements SessionHa
return $this->_success;
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Validate ID
+ *
+ * Checks whether a session ID record exists server-side,
+ * to enforce session.use_strict_mode.
+ *
+ * @param string $id
+ * @return bool
+ */
+ public function validateId($id)
+ {
+ $this->_memcached-get($this->_key_prefix.$id);
+ return ($this->_memcached->getResultCode() === Memcached::RES_SUCCESS);
+ }
+
// ------------------------------------------------------------------------
/**
diff --git a/system/libraries/Session/drivers/Session_redis_driver.php b/system/libraries/Session/drivers/Session_redis_driver.php
index 0fee40e3a..0562301b2 100644
--- a/system/libraries/Session/drivers/Session_redis_driver.php
+++ b/system/libraries/Session/drivers/Session_redis_driver.php
@@ -177,6 +177,8 @@ class CI_Session_redis_driver extends CI_Session_driver implements SessionHandle
log_message('error', 'Session: Unable to connect to Redis with the configured settings.');
}
+ $this->php5_validate_id();
+
return $this->_fail();
}
@@ -334,6 +336,22 @@ class CI_Session_redis_driver extends CI_Session_driver implements SessionHandle
return $this->_success;
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Validate ID
+ *
+ * Checks whether a session ID record exists server-side,
+ * to enforce session.use_strict_mode.
+ *
+ * @param string $id
+ * @return bool
+ */
+ public function validateId($id)
+ {
+ return (bool) $this->_redis->exists($this->_key_prefix.$id);
+ }
+
// ------------------------------------------------------------------------
/**