Update Composer packages
This commit is contained in:
Paul Nicoué
parent
9252d9ce90
commit
134266af8a
176 changed files with 7930 additions and 2262 deletions
|
|
@ -10,6 +10,7 @@ use Kirby\Exception\NotFoundException;
|
|||
use Kirby\Http\Cookie;
|
||||
use Kirby\Http\Url;
|
||||
use Kirby\Toolkit\Str;
|
||||
use Kirby\Toolkit\SymmetricCrypto;
|
||||
use Throwable;
|
||||
|
||||
/**
|
||||
|
|
@ -38,7 +39,7 @@ class Session
|
|||
protected $lastActivity;
|
||||
protected $renewable;
|
||||
protected $data;
|
||||
protected $newSession;
|
||||
protected array|null $newSession;
|
||||
|
||||
// temporary state flags
|
||||
protected $updatingLastActivity = false;
|
||||
|
|
@ -348,15 +349,27 @@ class Session
|
|||
}
|
||||
|
||||
// collect all data
|
||||
if ($this->newSession) {
|
||||
if (isset($this->newSession) === true) {
|
||||
// the token has changed
|
||||
// we are writing to the old session: it only gets the reference to the new session
|
||||
// and a shortened expiry time (30 second grace period)
|
||||
$data = [
|
||||
'startTime' => $this->startTime(),
|
||||
'expiryTime' => time() + 30,
|
||||
'newSession' => $this->newSession
|
||||
'newSession' => $this->newSession[0]
|
||||
];
|
||||
|
||||
// include the token key for the new session if we
|
||||
// have access to the PHP `sodium` extension;
|
||||
// otherwise (if no encryption is possible), the token key
|
||||
// is omitted, which makes the new session read-only
|
||||
// when accessed through the old session
|
||||
if ($crypto = $this->crypto()) {
|
||||
// encrypt the new token key with the old token key
|
||||
// so that attackers with read access to the session file
|
||||
// (e.g. via directory traversal) cannot impersonate the new session
|
||||
$data['newSessionKey'] = $crypto->encrypt($this->newSession[1]);
|
||||
}
|
||||
} else {
|
||||
$data = [
|
||||
'startTime' => $this->startTime(),
|
||||
|
|
@ -446,7 +459,7 @@ class Session
|
|||
|
||||
// mark the old session as moved if there is one
|
||||
if ($this->tokenExpiry !== null) {
|
||||
$this->newSession = $tokenExpiry . '.' . $tokenId;
|
||||
$this->newSession = [$tokenExpiry . '.' . $tokenId, $tokenKey];
|
||||
$this->commit();
|
||||
|
||||
// we are now in the context of the new session
|
||||
|
|
@ -536,7 +549,7 @@ class Session
|
|||
}
|
||||
|
||||
// don't allow writing for read-only sessions
|
||||
// (only the case for moved sessions)
|
||||
// (only the case for moved sessions when the PHP `sodium` extension is not available)
|
||||
/**
|
||||
* @todo This check gets flagged by Psalm for unknown reasons
|
||||
* @psalm-suppress ParadoxicalCondition
|
||||
|
|
@ -555,6 +568,22 @@ class Session
|
|||
$this->writeMode = true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a symmetric crypto instance based on the
|
||||
* token key of the session
|
||||
*/
|
||||
protected function crypto(): SymmetricCrypto|null
|
||||
{
|
||||
if (
|
||||
$this->tokenKey === null ||
|
||||
SymmetricCrypto::isAvailable() === false
|
||||
) {
|
||||
return null; // @codeCoverageIgnore
|
||||
}
|
||||
|
||||
return new SymmetricCrypto(secretKey: hex2bin($this->tokenKey));
|
||||
}
|
||||
|
||||
/**
|
||||
* Parses a token string into its parts and sets them as instance vars
|
||||
*
|
||||
|
|
@ -698,6 +727,20 @@ class Session
|
|||
|
||||
// follow to the new session if there is one
|
||||
if (isset($data['newSession'])) {
|
||||
// decrypt the token key if provided and we have access to
|
||||
// the PHP `sodium` extension for decryption
|
||||
if (
|
||||
isset($data['newSessionKey']) === true &&
|
||||
$crypto = $this->crypto()
|
||||
) {
|
||||
$tokenKey = $crypto->decrypt($data['newSessionKey']);
|
||||
|
||||
$this->parseToken($data['newSession'] . '.' . $tokenKey);
|
||||
$this->init();
|
||||
return;
|
||||
}
|
||||
|
||||
// otherwise initialize without the token key (read-only mode)
|
||||
$this->parseToken($data['newSession'], true);
|
||||
$this->init();
|
||||
return;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue