authorDries Buytaert <dries@buytaert.net>2010-11-05 19:05:02 +0000
committerDries Buytaert <dries@buytaert.net>2010-11-05 19:05:02 +0000
commite920fe34ef16d30af0f4fb8e33b565e572ab30c8 (patch)
tree9282e247144413df5d94ddfa4863a02a9514672b /includes/session.inc
parent5f550ab80ca279706fd1681920e45172ab23748b (diff)
- Patch #575280 by mfb, carlos8f, chx, bleen18: impersonation when an https session exists.
Diffstat (limited to 'includes/session.inc')
-rw-r--r--includes/session.inc29
1 files changed, 17 insertions, 12 deletions
diff --git a/includes/session.inc b/includes/session.inc
index 412db118a..c23c23e1c 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -88,7 +88,10 @@ function _drupal_session_read($sid) {
// a HTTPS session or we are about to log in so we check the sessions table
// for an anonymous session with the non-HTTPS-only cookie.
if ($is_https) {
- $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchObject();
+ // Ensure that an empty secure session ID cannot be selected.
+ if ($sid) {
+ $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchObject();
+ }
if (!$user) {
if (isset($_COOKIE[$insecure_session_name])) {
$user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
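Review bot: When `$sid` is empty, `$user` is no longer assigned before `if (!$user)` tests it, whereas the removed line always overwrote it with the query result. If `$user` is a global or is set earlier in `_drupal_session_read()` (the top of the function is outside this hunk), a leftover value would skip the anonymous-session fallback and be treated as the session's user. Resetting it first, `$user = FALSE;` immediately before `if ($sid) {`, keeps the guard fail-closed regardless of prior state. The comment could also say that the empty value is the `ssid` placeholder `_drupal_session_write()` stores for HTTP sessions, so the reason for the check is clear.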
@@ -180,21 +183,23 @@ function _drupal_session_write($sid, $value) {
'timestamp' => REQUEST_TIME,
);
- // The "secure pages" setting allows a site to simultaneously use both
- // secure and insecure session cookies. If enabled and both cookies are
- // presented then use both keys. If not enabled but on HTTPS then use the
- // PHP session id as 'ssid'. If on HTTP then use the PHP session id as
- // 'sid'.
+ // Use the session ID as 'sid' and an empty string as 'ssid' by default.
+ // _drupal_session_read() does not allow empty strings so that's a safe
+ // default.
+ $key = array('sid' => $sid, 'ssid' => '');
+ // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
if ($is_https) {
$key['ssid'] = $sid;
- $insecure_session_name = substr(session_name(), 1);
- if (variable_get('https', FALSE) && isset($_COOKIE[$insecure_session_name])) {
- $key['sid'] = $_COOKIE[$insecure_session_name];
+ // The "secure pages" setting allows a site to simultaneously use both
+ // secure and insecure session cookies. If enabled and both cookies are
+ // presented then use both keys.
+ if (variable_get('https', FALSE)) {
+ $insecure_session_name = substr(session_name(), 1);
+ if (isset($_COOKIE[$insecure_session_name])) {
+ $key['sid'] = $_COOKIE[$insecure_session_name];
+ }
}
}
- else {
- $key['sid'] = $sid;
- }
db_merge('sessions')
->key($key)
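Review bot: The insecure cookie value is copied into `$key['sid']` after only an `isset()` test, so an empty string or a non-string value sent by the client still becomes part of the merge key. This commit makes an empty `ssid` a sentinel that the read side refuses, and the same care is worth applying to `sid`, because the cookie is client-controlled. Consider `if (!empty($_COOKIE[$insecure_session_name]) && is_string($_COOKIE[$insecure_session_name])) {` in place of the `isset()` line. Also confirm that the HTTP lookup in `_drupal_session_read()` (not visible here) rejects an empty `sid`. The body of `_drupal_session_write()` begins and ends outside this hunk.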