bug symfony#46790 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters (BrokenSourceCode)

nicolas-grekas · nicolas-grekas · commit bf46a8d9fb5b · 2022-06-30T17:05:45.000+02:00
This PR was squashed before being merged into the 4.4 branch. Discussion ---------- [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters | Q | A | ------------- | --- | Branch? |4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix symfony#46777 | License | MIT This PR is intended to improve the changes made in the PR symfony#46249 that doesn't check the max length of the session ID. To do this, I used the PHP ini directives below: - [`session.sid_length`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length) (must be an integer between `22` and `256`) - [`session.sid_bits_per_character`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-bits-per-character) (must be an integer such as `4`, `5` or `6`) Commits ------- 8487950 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -153,7 +153,7 @@ public function start()
         }
 
         $sessionId = $_COOKIE[session_name()] ?? null;
-        if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
+        if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,250}$/', $sessionId)) {
             // the session ID in the header is invalid, create a new one
             session_id(session_create_id());
         }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php b/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php
@@ -302,7 +302,7 @@ public function testRegenerateInvalidSessionIdForNativeFileSessionHandler()
         $started = $storage->start();
 
         $this->assertTrue($started);
-        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
+        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,250}$/', session_id());
         $storage->save();
 
         $_COOKIE[session_name()] = '&~[';
@@ -311,7 +311,7 @@ public function testRegenerateInvalidSessionIdForNativeFileSessionHandler()
         $started = $storage->start();
 
         $this->assertTrue($started);
-        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
+        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,250}$/', session_id());
         $storage->save();
 
         $_COOKIE[session_name()] = '&~[';

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ public function start()`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`$sessionId = $_COOKIE[session_name()] ?? null;`
`156`		`- if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {`
	`156`	`+ if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,250}$/', $sessionId)) {`
`157`	`157`	`// the session ID in the header is invalid, create a new one`
`158`	`158`	`session_id(session_create_id());`
`159`	`159`	`}`