From: Masahiro Chiba Date: Sun, 13 Dec 2009 03:35:23 +0000 (+0800) Subject: check wrong format request session_id X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FWeb-Session.git;a=commitdiff_plain;h=56b9910ade55c45aba166efd202fa5f517b965f1 check wrong format request session_id --- diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm index 10a1368..d8fe1db 100644 --- a/lib/Plack/Session/State.pm +++ b/lib/Plack/Session/State.pm @@ -7,6 +7,7 @@ use Digest::SHA1 (); use Plack::Util::Accessor qw[ session_key sid_generator + sid_checker ]; sub new { @@ -17,6 +18,7 @@ sub new { $params{'sid_generator'} ||= sub { Digest::SHA1::sha1_hex(rand() . $$ . {} . time) }; + $params{'sid_checker'} ||= qr/\A[0-9a-f]{40}\Z/; bless { %params } => $class; } @@ -37,16 +39,36 @@ sub check_expired { return $id; } +sub check_request_session_id { + my ($self, $request) = @_; + + my $reqest_session_id = $self->get_request_session_id($request); + my $sid_checker = $self->sid_checker; + + defined $reqest_session_id && $reqest_session_id =~ m{$sid_checker}; +} + sub get_session_id { my ($self, $request) = @_; - $self->extract( $request ) + ( + $self->check_request_session_id($request) + && + $self->extract( $request ) + ) || $self->generate( $request ) } +sub get_request_session_id { + my ($self, $request ) = @_; + + $request->param( $self->session_key ); +} + sub extract { my ($self, $request) = @_; - $self->check_expired( $request->param( $self->session_key ) ); + + $self->check_expired( $self->get_request_session_id($request) ); } sub generate { @@ -104,7 +126,7 @@ L for an example of this. =item B -The C<%params> can include I and I, +The C<%params> can include I, I and I however in both cases a default will be provided for you. =item B @@ -117,6 +139,10 @@ This is a CODE ref used to generate unique session ids, by default it will generate a SHA1 using fairly sufficient entropy. If you are concerned or interested, just read the source. +=item B + +This is a regex used to check requested session id, + =back =head2 Session ID Managment diff --git a/lib/Plack/Session/State/Cookie.pm b/lib/Plack/Session/State/Cookie.pm index e723d8e..12631d4 100644 --- a/lib/Plack/Session/State/Cookie.pm +++ b/lib/Plack/Session/State/Cookie.pm @@ -17,9 +17,14 @@ sub expire_session_id { $self->expires( 0 ); } +sub get_request_session_id { + my ($self, $request ) = @_; + ($request->cookie( $self->session_key ) || return )->value; +} + sub extract { my ($self, $request) = @_; - $self->check_expired( ( $request->cookie( $self->session_key ) || return )->value ); + $self->check_expired( $self->get_request_session_id($request) || return ); } sub finalize { diff --git a/t/003_basic_w_file_store.t b/t/003_basic_w_file_store.t index e5f6817..1801df0 100644 --- a/t/003_basic_w_file_store.t +++ b/t/003_basic_w_file_store.t @@ -37,6 +37,6 @@ t::lib::TestSession::run_all_tests( }, ); -unlink $_ foreach glob( File::Spec->catdir($TMP, '*') ); +#unlink $_ foreach glob( File::Spec->catdir($TMP, '*') ); done_testing; diff --git a/t/lib/TestSession.pm b/t/lib/TestSession.pm index d642d9e..3f6371b 100644 --- a/t/lib/TestSession.pm +++ b/t/lib/TestSession.pm @@ -227,6 +227,36 @@ sub run_all_tests { $response_test->( $resp, $sids[1] ); } + + { + # wrong format session_id + my $r = $request_creator->({ plack_session => '../wrong' }); + + my $s = Plack::Session->new( + state => $state, + store => $storage, + request => $r, + ); + + + isnt('../wrong' => $s->id, '... regenerate session id'); + + ok(!$s->get('foo'), '... no value stored for foo in session'); + + lives_ok { + $s->set( foo => 'baz' ); + } '... set the value successfully'; + + is($s->get('foo'), 'baz', '... got the foo value back successfully from session'); + + my $resp = $r->new_response; + + lives_ok { + $s->finalize( $resp ); + } '... finalized session successfully'; + + $response_test->( $resp, $s ); + } } -1; \ No newline at end of file +1;