robin.thoni
/
docker-roundcube-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 10 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
2 Branches
Tree: e2fe05faab
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e2fe05faab'
${ noResults }
docker-roundcube-server/roundcube/roundcubemail-1.2.2/program/lib/Roundcube/rcube_session.php

rcube_session.php 19KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669 
  1. <?php

  2. 

  3. /**

  4.  +-----------------------------------------------------------------------+

  5.  | This file is part of the Roundcube Webmail client                     |

  6.  | Copyright (C) 2005-2014, The Roundcube Dev Team                       |

  7.  | Copyright (C) 2011, Kolab Systems AG                                  |

  8.  |                                                                       |

  9.  | Licensed under the GNU General Public License version 3 or            |

  10.  | any later version with exceptions for skins & plugins.                |

  11.  | See the README file for a full license statement.                     |

  12.  |                                                                       |

  13.  | PURPOSE:                                                              |

  14.  |   Provide database supported session management                       |

  15.  +-----------------------------------------------------------------------+

  16.  | Author: Thomas Bruederli <roundcube@gmail.com>                        |

  17.  | Author: Aleksander Machniak <alec@alec.pl>                            |

  18.  | Author: Cor Bosman <cor@roundcu.be>                                   |

  19.  +-----------------------------------------------------------------------+

  20. */

  21. 

  22. /**

  23.  * Abstract class to provide database supported session storage

  24.  *

  25.  * @package    Framework

  26.  * @subpackage Core

  27.  * @author     Thomas Bruederli <roundcube@gmail.com>

  28.  * @author     Aleksander Machniak <alec@alec.pl>

  29.  */

  30. abstract class rcube_session

  31. {

  32.     protected $config;

  33.     protected $key;

  34.     protected $ip;

  35.     protected $changed;

  36.     protected $start;

  37.     protected $vars;

  38.     protected $now;

  39.     protected $time_diff    = 0;

  40.     protected $reloaded     = false;

  41.     protected $appends      = array();

  42.     protected $unsets       = array();

  43.     protected $gc_enabled   = 0;

  44.     protected $gc_handlers  = array();

  45.     protected $cookiename   = 'roundcube_sessauth';

  46.     protected $ip_check     = false;

  47.     protected $logging      = false;

  48. 

  49. 

  50.     /**

  51.      * Blocks session data from being written to database.

  52.      * Can be used if write-race conditions are to be expected

  53.      * @var boolean

  54.      */

  55.     public $nowrite = false;

  56. 

  57.     /**

  58.      * Factory, returns driver-specific instance of the class

  59.      *

  60.      * @param object $config

  61.      * @return Object rcube_session

  62.      */

  63.     public static function factory($config)

  64.     {

  65.         // get session storage driver

  66.         $storage = $config->get('session_storage', 'db');

  67. 

  68.         // class name for this storage

  69.         $class = "rcube_session_" . $storage;

  70. 

  71.         // try to instantiate class

  72.         if (class_exists($class)) {

  73.             return new $class($config);

  74.         }

  75. 

  76.         // no storage found, raise error

  77.         rcube::raise_error(array('code' => 604, 'type' => 'session',

  78.                                'line' => __LINE__, 'file' => __FILE__,

  79.                                'message' => "Failed to find session driver. Check session_storage config option"),

  80.                            true, true);

  81.     }

  82. 

  83.     /**

  84.      * @param Object $config

  85.      */

  86.     public function __construct($config)

  87.     {

  88.         $this->config = $config;

  89. 

  90.         // set ip check

  91.         $this->set_ip_check($this->config->get('ip_check'));

  92. 

  93.         // set cookie name

  94.         if ($this->config->get('session_auth_name')) {

  95.             $this->set_cookiename($this->config->get('session_auth_name'));

  96.         }

  97.     }

  98. 

  99.     /**

  100.      * register session handler

  101.      */

  102.     public function register_session_handler()

  103.     {

  104.         ini_set('session.serialize_handler', 'php');

  105. 

  106.         // set custom functions for PHP session management

  107.         session_set_save_handler(

  108.             array($this, 'open'),

  109.             array($this, 'close'),

  110.             array($this, 'read'),

  111.             array($this, 'sess_write'),

  112.             array($this, 'destroy'),

  113.             array($this, 'gc')

  114.         );

  115.     }

  116. 

  117.     /**

  118.      * Wrapper for session_start()

  119.      */

  120.     public function start()

  121.     {

  122.         $this->start   = microtime(true);

  123.         $this->ip      = rcube_utils::remote_addr();

  124.         $this->logging = $this->config->get('log_session', false);

  125. 

  126.         $lifetime = $this->config->get('session_lifetime', 1) * 60;

  127.         $this->set_lifetime($lifetime);

  128. 

  129.         session_start();

  130.     }

  131. 

  132.     /**

  133.      * Abstract methods should be implemented by driver classes

  134.      */

  135.     abstract function open($save_path, $session_name);

  136.     abstract function close();

  137.     abstract function destroy($key);

  138.     abstract function read($key);

  139.     abstract function write($key, $vars);

  140.     abstract function update($key, $newvars, $oldvars);

  141. 

  142.     /**

  143.      * session write handler. This calls the implementation methods for write/update after some initial checks.

  144.      *

  145.      * @param $key

  146.      * @param $vars

  147.      *

  148.      * @return bool

  149.      */

  150.     public function sess_write($key, $vars)

  151.     {

  152.         if ($this->nowrite) {

  153.             return true;

  154.         }

  155. 

  156.         // check cache

  157.         $oldvars = $this->get_cache($key);

  158. 

  159.         // if there are cached vars, update store, else insert new data

  160.         if ($oldvars) {

  161.             $newvars = $this->_fixvars($vars, $oldvars);

  162.             return $this->update($key, $newvars, $oldvars);

  163.         }

  164.         else {

  165.             return $this->write($key, $vars);

  166.         }

  167.     }

  168. 

  169.     /**

  170.      * Wrapper for session_write_close()

  171.      */

  172.     public function write_close()

  173.     {

  174.         session_write_close();

  175. 

  176.         // write_close() is called on script shutdown, see rcube::shutdown()

  177.         // execute cleanup functionality if enabled by session gc handler

  178.         // we do this after closing the session for better performance

  179.         $this->gc_shutdown();

  180.     }

  181. 

  182.     /**

  183.      * Merge vars with old vars and apply unsets

  184.      */

  185.     protected function _fixvars($vars, $oldvars)

  186.     {

  187.         if ($oldvars !== null) {

  188.             $a_oldvars = $this->unserialize($oldvars);

  189.             if (is_array($a_oldvars)) {

  190.                 // remove unset keys on oldvars

  191.                 foreach ((array)$this->unsets as $var) {

  192.                     if (isset($a_oldvars[$var])) {

  193.                         unset($a_oldvars[$var]);

  194.                     }

  195.                     else {

  196.                         $path = explode('.', $var);

  197.                         $k = array_pop($path);

  198.                         $node = &$this->get_node($path, $a_oldvars);

  199.                         unset($node[$k]);

  200.                     }

  201.                 }

  202. 

  203.                 $newvars = $this->serialize(array_merge(

  204.                     (array)$a_oldvars, (array)$this->unserialize($vars)));

  205.             }

  206.             else {

  207.                 $newvars = $vars;

  208.             }

  209.         }

  210. 

  211.         $this->unsets = array();

  212.         return $newvars;

  213.     }

  214. 

  215.     /**

  216.      * Execute registered garbage collector routines

  217.      */

  218.     public function gc($maxlifetime)

  219.     {

  220.         // move gc execution to the script shutdown function

  221.         // see rcube::shutdown() and rcube_session::write_close()

  222.         $this->gc_enabled = $maxlifetime;

  223. 

  224.         return true;

  225.     }

  226. 

  227.     /**

  228.      * Register additional garbage collector functions

  229.      *

  230.      * @param mixed Callback function

  231.      */

  232.     public function register_gc_handler($func)

  233.     {

  234.         foreach ($this->gc_handlers as $handler) {

  235.             if ($handler == $func) {

  236.                 return;

  237.             }

  238.         }

  239. 

  240.         $this->gc_handlers[] = $func;

  241.     }

  242. 

  243.     /**

  244.      * Garbage collector handler to run on script shutdown

  245.      */

  246.     protected function gc_shutdown()

  247.     {

  248.         if ($this->gc_enabled) {

  249.             foreach ($this->gc_handlers as $fct) {

  250.                 call_user_func($fct);

  251.             }

  252.         }

  253.     }

  254. 

  255.     /**

  256.      * Generate and set new session id

  257.      *

  258.      * @param boolean $destroy If enabled the current session will be destroyed

  259.      * @return bool

  260.      */

  261.     public function regenerate_id($destroy=true)

  262.     {

  263.         session_regenerate_id($destroy);

  264. 

  265.         $this->vars = null;

  266.         $this->key  = session_id();

  267. 

  268.         return true;

  269.     }

  270. 

  271.     /**

  272.      * See if we have vars of this key already cached, and if so, return them.

  273.      *

  274.      * @param string $key Session ID

  275.      *

  276.      * @return string

  277.      */

  278.     protected function get_cache($key)

  279.     {

  280.         // no session data in cache (read() returns false)

  281.         if (!$this->key) {

  282.             $cache = null;

  283.         }

  284.         // use internal data for fast requests (up to 0.5 sec.)

  285.         else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) {

  286.             $cache = $this->vars;

  287.         }

  288.         else { // else read data again

  289.             $cache = $this->read($key);

  290.         }

  291. 

  292.         return $cache;

  293.     }

  294. 

  295.     /**

  296.      * Append the given value to the certain node in the session data array

  297.      *

  298.      * Warning: Do not use if you already modified $_SESSION in the same request (#1490608)

  299.      *

  300.      * @param string Path denoting the session variable where to append the value

  301.      * @param string Key name under which to append the new value (use null for appending to an indexed list)

  302.      * @param mixed  Value to append to the session data array

  303.      */

  304.     public function append($path, $key, $value)

  305.     {

  306.         // re-read session data from DB because it might be outdated

  307.         if (!$this->reloaded && microtime(true) - $this->start > 0.5) {

  308.             $this->reload();

  309.             $this->reloaded = true;

  310.             $this->start = microtime(true);

  311.         }

  312. 

  313.         $node = &$this->get_node(explode('.', $path), $_SESSION);

  314. 

  315.         if ($key !== null) {

  316.             $node[$key] = $value;

  317.             $path .= '.' . $key;

  318.         }

  319.         else {

  320.             $node[] = $value;

  321.         }

  322. 

  323.         $this->appends[] = $path;

  324. 

  325.         // when overwriting a previously unset variable

  326.         if ($this->unsets[$path]) {

  327.             unset($this->unsets[$path]);

  328.         }

  329.     }

  330. 

  331.     /**

  332.      * Unset a session variable

  333.      *

  334.      * @param string Variable name (can be a path denoting a certain node in the session array, e.g. compose.attachments.5)

  335.      * @return boolean True on success

  336.      */

  337.     public function remove($var=null)

  338.     {

  339.         if (empty($var)) {

  340.             return $this->destroy(session_id());

  341.         }

  342. 

  343.         $this->unsets[] = $var;

  344. 

  345.         if (isset($_SESSION[$var])) {

  346.             unset($_SESSION[$var]);

  347.         }

  348.         else {

  349.             $path = explode('.', $var);

  350.             $key = array_pop($path);

  351.             $node = &$this->get_node($path, $_SESSION);

  352.             unset($node[$key]);

  353.         }

  354. 

  355.         return true;

  356.     }

  357. 

  358.     /**

  359.      * Kill this session

  360.      */

  361.     public function kill()

  362.     {

  363.         $this->vars = null;

  364.         $this->ip   = rcube_utils::remote_addr(); // update IP (might have changed)

  365.         $this->destroy(session_id());

  366.         rcube_utils::setcookie($this->cookiename, '-del-', time() - 60);

  367.     }

  368. 

  369.     /**

  370.      * Re-read session data from storage backend

  371.      */

  372.     public function reload()

  373.     {

  374.         // collect updated data from previous appends

  375.         $merge_data = array();

  376.         foreach ((array)$this->appends as $var) {

  377.             $path = explode('.', $var);

  378.             $value = $this->get_node($path, $_SESSION);

  379.             $k = array_pop($path);

  380.             $node = &$this->get_node($path, $merge_data);

  381.             $node[$k] = $value;

  382.         }

  383. 

  384.         if ($this->key) {

  385.             $data = $this->read($this->key);

  386.         }

  387. 

  388.         if ($data) {

  389.             session_decode($data);

  390. 

  391.             // apply appends and unsets to reloaded data

  392.             $_SESSION = array_merge_recursive($_SESSION, $merge_data);

  393. 

  394.             foreach ((array)$this->unsets as $var) {

  395.                 if (isset($_SESSION[$var])) {

  396.                     unset($_SESSION[$var]);

  397.                 }

  398.                 else {

  399.                     $path = explode('.', $var);

  400.                     $k = array_pop($path);

  401.                     $node = &$this->get_node($path, $_SESSION);

  402.                     unset($node[$k]);

  403.                 }

  404.             }

  405.         }

  406.     }

  407. 

  408.     /**

  409.      * Returns a reference to the node in data array referenced by the given path.

  410.      * e.g. ['compose','attachments'] will return $_SESSION['compose']['attachments']

  411.      */

  412.     protected function &get_node($path, &$data_arr)

  413.     {

  414.         $node = &$data_arr;

  415.         if (!empty($path)) {

  416.             foreach ((array)$path as $key) {

  417.                 if (!isset($node[$key]))

  418.                     $node[$key] = array();

  419.                 $node = &$node[$key];

  420.             }

  421.         }

  422. 

  423.         return $node;

  424.     }

  425. 

  426.     /**

  427.      * Serialize session data

  428.      */

  429.     protected function serialize($vars)

  430.     {

  431.         $data = '';

  432.         if (is_array($vars)) {

  433.             foreach ($vars as $var=>$value)

  434.                 $data .= $var.'|'.serialize($value);

  435.         }

  436.         else {

  437.             $data = 'b:0;';

  438.         }

  439. 

  440.         return $data;

  441.     }

  442. 

  443.     /**

  444.      * Unserialize session data

  445.      * http://www.php.net/manual/en/function.session-decode.php#56106

  446.      */

  447.     protected function unserialize($str)

  448.     {

  449.         $str    = (string)$str;

  450.         $endptr = strlen($str);

  451.         $p      = 0;

  452. 

  453.         $serialized = '';

  454.         $items      = 0;

  455.         $level      = 0;

  456. 

  457.         while ($p < $endptr) {

  458.             $q = $p;

  459.             while ($str[$q] != '|')

  460.                 if (++$q >= $endptr)

  461.                     break 2;

  462. 

  463.             if ($str[$p] == '!') {

  464.                 $p++;

  465.                 $has_value = false;

  466.             }

  467.             else {

  468.                 $has_value = true;

  469.             }

  470. 

  471.             $name = substr($str, $p, $q - $p);

  472.             $q++;

  473. 

  474.             $serialized .= 's:' . strlen($name) . ':"' . $name . '";';

  475. 

  476.             if ($has_value) {

  477.                 for (;;) {

  478.                     $p = $q;

  479.                     switch (strtolower($str[$q])) {

  480.                     case 'n': // null

  481.                     case 'b': // boolean

  482.                     case 'i': // integer

  483.                     case 'd': // decimal

  484.                         do $q++;

  485.                         while ( ($q < $endptr) && ($str[$q] != ';') );

  486.                         $q++;

  487.                         $serialized .= substr($str, $p, $q - $p);

  488.                         if ($level == 0)

  489.                             break 2;

  490.                         break;

  491.                     case 'r': // reference

  492.                         $q+= 2;

  493.                         for ($id = ''; ($q < $endptr) && ($str[$q] != ';'); $q++)

  494.                             $id .= $str[$q];

  495.                         $q++;

  496.                         // increment pointer because of outer array

  497.                         $serialized .= 'R:' . ($id + 1) . ';';

  498.                         if ($level == 0)

  499.                             break 2;

  500.                         break;

  501.                     case 's': // string

  502.                         $q+=2;

  503.                         for ($length=''; ($q < $endptr) && ($str[$q] != ':'); $q++)

  504.                             $length .= $str[$q];

  505.                         $q+=2;

  506.                         $q+= (int)$length + 2;

  507.                         $serialized .= substr($str, $p, $q - $p);

  508.                         if ($level == 0)

  509.                             break 2;

  510.                         break;

  511.                     case 'a': // array

  512.                     case 'o': // object

  513.                         do $q++;

  514.                         while ($q < $endptr && $str[$q] != '{');

  515.                         $q++;

  516.                         $level++;

  517.                         $serialized .= substr($str, $p, $q - $p);

  518.                         break;

  519.                     case '}': // end of array|object

  520.                         $q++;

  521.                         $serialized .= substr($str, $p, $q - $p);

  522.                         if (--$level == 0)

  523.                             break 2;

  524.                         break;

  525.                     default:

  526.                         return false;

  527.                     }

  528.                 }

  529.             }

  530.             else {

  531.                 $serialized .= 'N;';

  532.                 $q += 2;

  533.             }

  534.             $items++;

  535.             $p = $q;

  536.         }

  537. 

  538.         return unserialize( 'a:' . $items . ':{' . $serialized . '}' );

  539.     }

  540. 

  541.     /**

  542.      * Setter for session lifetime

  543.      */

  544.     public function set_lifetime($lifetime)

  545.     {

  546.         $this->lifetime = max(120, $lifetime);

  547. 

  548.         // valid time range is now - 1/2 lifetime to now + 1/2 lifetime

  549.         $now = time();

  550.         $this->now = $now - ($now % ($this->lifetime / 2));

  551.     }

  552. 

  553.     /**

  554.      * Getter for remote IP saved with this session

  555.      */

  556.     public function get_ip()

  557.     {

  558.         return $this->ip;

  559.     }

  560. 

  561.     /**

  562.      * Setter for cookie encryption secret

  563.      */

  564.     function set_secret($secret = null)

  565.     {

  566.         // generate random hash and store in session

  567.         if (!$secret) {

  568.             if (!empty($_SESSION['auth_secret'])) {

  569.                 $secret = $_SESSION['auth_secret'];

  570.             }

  571.             else {

  572.                 $secret = rcube_utils::random_bytes(strlen($this->key));

  573.             }

  574.         }

  575. 

  576.         $_SESSION['auth_secret'] = $secret;

  577.     }

  578. 

  579.     /**

  580.      * Enable/disable IP check

  581.      */

  582.     function set_ip_check($check)

  583.     {

  584.         $this->ip_check = $check;

  585.     }

  586. 

  587.     /**

  588.      * Setter for the cookie name used for session cookie

  589.      */

  590.     function set_cookiename($cookiename)

  591.     {

  592.         if ($cookiename) {

  593.             $this->cookiename = $cookiename;

  594.         }

  595.     }

  596. 

  597.     /**

  598.      * Check session authentication cookie

  599.      *

  600.      * @return boolean True if valid, False if not

  601.      */

  602.     function check_auth()

  603.     {

  604.         $this->cookie = $_COOKIE[$this->cookiename];

  605.         $result = $this->ip_check ? rcube_utils::remote_addr() == $this->ip : true;

  606. 

  607.         if (!$result) {

  608.             $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . rcube_utils::remote_addr());

  609.         }

  610. 

  611.         if ($result && $this->_mkcookie($this->now) != $this->cookie) {

  612.             $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));

  613.             $result = false;

  614. 

  615.             // Check if using id from a previous time slot

  616.             for ($i = 1; $i <= 2; $i++) {

  617.                 $prev = $this->now - ($this->lifetime / 2) * $i;

  618.                 if ($this->_mkcookie($prev) == $this->cookie) {

  619.                     $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);

  620.                     $this->set_auth_cookie();

  621.                     $result = true;

  622.                 }

  623.             }

  624.         }

  625. 

  626.         if (!$result) {

  627.             $this->log("Session authentication failed for " . $this->key

  628.                 . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));

  629.         }

  630. 

  631.         return $result;

  632.     }

  633. 

  634.     /**

  635.      * Set session authentication cookie

  636.      */

  637.     public function set_auth_cookie()

  638.     {

  639.         $this->cookie = $this->_mkcookie($this->now);

  640.         rcube_utils::setcookie($this->cookiename, $this->cookie, 0);

  641.         $_COOKIE[$this->cookiename] = $this->cookie;

  642.     }

  643. 

  644.     /**

  645.      * Create session cookie for specified time slot.

  646.      *

  647.      * @param int Time slot to use

  648.      *

  649.      * @return string

  650.      */

  651.     protected function _mkcookie($timeslot)

  652.     {

  653.         // make sure the secret key exists

  654.         $this->set_secret();

  655. 

  656.         // no need to hash this, it's just a random string

  657.         return $_SESSION['auth_secret'] . '-' . $timeslot;

  658.     }

  659. 

  660.     /**

  661.      * Writes debug information to the log

  662.      */

  663.     function log($line)

  664.     {

  665.         if ($this->logging) {

  666.             rcube::write_log('session', $line);

  667.         }

  668.     }

  669. }