Changeset 1779

Timestamp:

01/21/2008 01:34:23 PM (12 months ago)

Author:

Geert

Message:

• Session names should only contain alphanumeric characters with at least one letter (check the manual: http://php.net/session_name). This is now required, otherwise a session.invalid_session_name exception will be thrown. Translators!
  
• The httponly parameter of the session_set_cookie_params() function is only supported by PHP 5.2 and up. Built in a version check.
  
• Kohana::$user_agent is now set by the user_agent() method of the Input library.
  

Location:

trunk/system

Files:

• config/session.php (modified) (1 diff)
• core/Kohana.php (modified) (2 diffs)
• i18n/en_US/session.php (modified) (1 diff)
• i18n/nl_NL/session.php (modified) (1 diff)
• libraries/Input.php (modified) (1 diff)
• libraries/Session.php (modified) (9 diffs)

trunk/system/config/session.php

@@ -14 +14 @@
 /**
  * Default session name.
+ * It should contain only alphanumeric characters and at least one letter should be present.
  */
-$config['name'] = 'kohana_session';
+$config['name'] = 'kohanasession';
 
 /**

trunk/system/core/Kohana.php

@@ -55 +55 @@
                 $ER = error_reporting(0);
 
-                // Set the user agent
-                self::$user_agent = trim($_SERVER['HTTP_USER_AGENT']);
-
                 if (function_exists('date_default_timezone_set'))
                 {
@@ -100 +97 @@
                 // Set locale information
                 setlocale(LC_ALL, Config::item('locale.language').'.UTF-8');
+
+                // Set the user agent
+                self::$user_agent = Input::instance()->user_agent();
 
                 // Enable Kohana routing

trunk/system/i18n/en_US/session.php

@@ -5 +5 @@
         'no_table'                        => 'The configured session table, %s, was not found.',
         'driver_not_supported'            => 'The requested Session driver, %s, was not found.',
-        'driver_must_implement_interface' => 'Session drivers must implement the Session_Driver interface.'
+        'driver_must_implement_interface' => 'Session drivers must implement the Session_Driver interface.',
+        'invalid_session_name'            => 'The session_name, %s, is invalid. It should contain only alphanumeric characters and at least one letter should be present.',
 );

trunk/system/i18n/nl_NL/session.php

@@ -5 +5 @@
         'no_table'                        => 'De session tabel, %s, werd niet gevonden.',
         'driver_not_supported'            => 'De opgevraagde session driver, %s, werd niet gevonden.',
-        'driver_must_implement_interface' => 'Session drivers moeten de Session_Driver interface implementeren.'
+        'driver_must_implement_interface' => 'Session drivers moeten de Session_Driver interface implementeren.',
+        'invalid_session_name'            => 'De session naam, %s, is ongeldig. Hij mag alleen maar bestaan uit alfanumerieke karakters en moet minstens één letter bevatten.',
 );

trunk/system/libraries/Input.php

@@ -318 +318 @@
                         return $this->user_agent;
 
-                $this->user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : FALSE;
+                $this->user_agent = (isset($_SERVER['HTTP_USER_AGENT'])) ? trim($_SERVER['HTTP_USER_AGENT']) : FALSE;
 
                 return $this->user_agent;

trunk/system/libraries/Session.php

@@ -119 +119 @@
 
                 // Set the session cookie parameters
-                session_set_cookie_params
-                (
-                        self::$config['expiration'],
-                        Config::item('cookie.path'),
-                        Config::item('cookie.domain'),
-                        Config::item('cookie.secure'),
-                        Config::item('cookie.httponly')
-                );
+                // Note: the httponly parameter was added in PHP 5.2.0
+                if (version_compare(PHP_VERSION, '5.2.0', '>='))
+                {
+                        session_set_cookie_params
+                        (
+                                self::$config['expiration'],
+                                Config::item('cookie.path'),
+                                Config::item('cookie.domain'),
+                                Config::item('cookie.secure'),
+                                Config::item('cookie.httponly')
+                        );
+                }
+                else
+                {
+                        session_set_cookie_params
+                        (
+                                self::$config['expiration'],
+                                Config::item('cookie.path'),
+                                Config::item('cookie.domain'),
+                                Config::item('cookie.secure')
+                        );
+                }
 
                 if (self::$config['driver'] != 'native')
@@ -142 +156 @@
                 }
 
-                // Set the session name
+                // Set the session name after having checked it
+                if ( ! ctype_alnum(self::$config['name']) OR ctype_digit(self::$config['name']))
+                        throw new Kohana_Exception('session.invalid_session_name', self::$config['name']);
+
                 session_name(self::$config['name']);
 
@@ -154 +171 @@
                 if ( ! isset($_SESSION['_kf_flash_']))
                 {
-                        $_SESSION['user_agent'] = Kohana::$user_agent;
+                        $_SESSION['user_agent'] = $this->input->user_agent();
                         $_SESSION['ip_address'] = $this->input->ip_address();
                         $_SESSION['_kf_flash_'] = array();
@@ -179 +196 @@
                                                 if ($_SESSION[$valid] !== $this->input->$valid())
                                                 {
-                                                        session_unset();
                                                         return $this->create();
                                                 }
@@ -225 +241 @@
                 {
                         // Pass the regenerating off to the driver in case it wants to do anything special
-                        // The new id is returned
                         $_SESSION['session_id'] = self::$driver->regenerate();
                 }
@@ -244 +259 @@
                         session_unset();
 
-                        // Write the session
+                        // Destroy the session
                         return session_destroy();
                 }
@@ -287 +302 @@
         public function set_flash($keys, $val = FALSE)
         {
-                if ($keys == FALSE)
-                        return;
+                if (empty($keys))
+                        return FALSE;
 
                 if ( ! is_array($keys))
@@ -336 +351 @@
         public function get($key = FALSE, $default = FALSE)
         {
-                if ($key == FALSE)
+                if (empty($key))
                         return $_SESSION;
 
-                $result = isset($_SESSION[$key]) ? $_SESSION[$key] : Kohana::key_string($key, $_SESSION);
+                $result = (isset($_SESSION[$key])) ? $_SESSION[$key] : Kohana::key_string($key, $_SESSION);
 
                 return ($result === NULL) ? $default : $result;
@@ -381 +396 @@
                 foreach((array) $keys as $key)
                 {
-                        if(isset(self::$protect[$key]))
+                        if (isset(self::$protect[$key]))
                                 continue;