aboutsummaryrefslogtreecommitdiff
path: root/srcs/phpmyadmin/libraries/classes/Session.php
diff options
context:
space:
mode:
authorCharles Cabergs <me@cacharle.xyz>2020-07-27 10:05:23 +0200
committerCharles Cabergs <me@cacharle.xyz>2020-07-27 10:05:23 +0200
commit5bf66662a9bdd62c5bccab15e607cd95cfb8fcab (patch)
tree39a1a4629749056191c05dfd899f931701b7acf3 /srcs/phpmyadmin/libraries/classes/Session.php
parent5afd237bbd22028b85532b8c0b3fcead49a00764 (diff)
downloadft_server-5bf66662a9bdd62c5bccab15e607cd95cfb8fcab.tar.gz
ft_server-5bf66662a9bdd62c5bccab15e607cd95cfb8fcab.tar.bz2
ft_server-5bf66662a9bdd62c5bccab15e607cd95cfb8fcab.zip
Removed wordpress and phpmyadmin, my server doesn't handle it well and it brings shame on my famillyHEADmaster
Diffstat (limited to 'srcs/phpmyadmin/libraries/classes/Session.php')
-rw-r--r--srcs/phpmyadmin/libraries/classes/Session.php234
1 files changed, 0 insertions, 234 deletions
diff --git a/srcs/phpmyadmin/libraries/classes/Session.php b/srcs/phpmyadmin/libraries/classes/Session.php
deleted file mode 100644
index 0d43a48..0000000
--- a/srcs/phpmyadmin/libraries/classes/Session.php
+++ /dev/null
@@ -1,234 +0,0 @@
-<?php
-/* vim: set expandtab sw=4 ts=4 sts=4: */
-/**
- * Session handling
- *
- * @package PhpMyAdmin
- *
- * @see https://www.php.net/manual/en/features.sessions.php
- */
-declare(strict_types=1);
-
-namespace PhpMyAdmin;
-
-use PhpMyAdmin\Config;
-use PhpMyAdmin\Core;
-use PhpMyAdmin\ErrorHandler;
-use PhpMyAdmin\Util;
-
-/**
- * Session class
- *
- * @package PhpMyAdmin
- */
-class Session
-{
- /**
- * Generates PMA_token session variable.
- *
- * @return void
- */
- private static function generateToken()
- {
- $_SESSION[' PMA_token '] = Util::generateRandom(16, true);
- $_SESSION[' HMAC_secret '] = Util::generateRandom(16);
-
- /**
- * Check if token is properly generated (the generation can fail, for example
- * due to missing /dev/random for openssl).
- */
- if (empty($_SESSION[' PMA_token '])) {
- Core::fatalError(
- 'Failed to generate random CSRF token!'
- );
- }
- }
-
- /**
- * tries to secure session from hijacking and fixation
- * should be called before login and after successful login
- * (only required if sensitive information stored in session)
- *
- * @return void
- */
- public static function secure()
- {
- // prevent session fixation and XSS
- if (session_status() === PHP_SESSION_ACTIVE && ! defined('TESTSUITE')) {
- session_regenerate_id(true);
- }
- // continue with empty session
- session_unset();
- self::generateToken();
- }
-
- /**
- * Session failed function
- *
- * @param array $errors PhpMyAdmin\ErrorHandler array
- *
- * @return void
- */
- private static function sessionFailed(array $errors)
- {
- $messages = [];
- foreach ($errors as $error) {
- /*
- * Remove path from open() in error message to avoid path disclossure
- *
- * This can happen with PHP 5 when nonexisting session ID is provided,
- * since PHP 7, session existence is checked first.
- *
- * This error can also happen in case of session backed error (eg.
- * read only filesystem) on any PHP version.
- *
- * The message string is currently hardcoded in PHP, so hopefully it
- * will not change in future.
- */
- $messages[] = preg_replace(
- '/open\(.*, O_RDWR\)/',
- 'open(SESSION_FILE, O_RDWR)',
- htmlspecialchars($error->getMessage())
- );
- }
-
- /*
- * Session initialization is done before selecting language, so we
- * can not use translations here.
- */
- Core::fatalError(
- 'Error during session start; please check your PHP and/or '
- . 'webserver log file and configure your PHP '
- . 'installation properly. Also ensure that cookies are enabled '
- . 'in your browser.'
- . '<br><br>'
- . implode('<br><br>', $messages)
- );
- }
-
- /**
- * Set up session
- *
- * @param Config $config Configuration handler
- * @param ErrorHandler $errorHandler Error handler
- * @return void
- */
- public static function setUp(Config $config, ErrorHandler $errorHandler)
- {
- // verify if PHP supports session, die if it does not
- if (! function_exists('session_name')) {
- Core::warnMissingExtension('session', true);
- } elseif (! empty(ini_get('session.auto_start'))
- && session_name() != 'phpMyAdmin'
- && ! empty(session_id())) {
- // Do not delete the existing non empty session, it might be used by
- // other applications; instead just close it.
- if (empty($_SESSION)) {
- // Ignore errors as this might have been destroyed in other
- // request meanwhile
- @session_destroy();
- } elseif (function_exists('session_abort')) {
- // PHP 5.6 and newer
- session_abort();
- } else {
- session_write_close();
- }
- }
-
- // session cookie settings
- session_set_cookie_params(
- 0,
- $config->getRootPath(),
- '',
- $config->isHttps(),
- true
- );
-
- // cookies are safer (use ini_set() in case this function is disabled)
- ini_set('session.use_cookies', 'true');
-
- // optionally set session_save_path
- $path = $config->get('SessionSavePath');
- if (! empty($path)) {
- session_save_path($path);
- // We can not do this unconditionally as this would break
- // any more complex setup (eg. cluster), see
- // https://github.com/phpmyadmin/phpmyadmin/issues/8346
- ini_set('session.save_handler', 'files');
- }
-
- // use cookies only
- ini_set('session.use_only_cookies', '1');
- // strict session mode (do not accept random string as session ID)
- ini_set('session.use_strict_mode', '1');
- // make the session cookie HttpOnly
- ini_set('session.cookie_httponly', '1');
- // do not force transparent session ids
- ini_set('session.use_trans_sid', '0');
-
- // delete session/cookies when browser is closed
- ini_set('session.cookie_lifetime', '0');
-
- // some pages (e.g. stylesheet) may be cached on clients, but not in shared
- // proxy servers
- session_cache_limiter('private');
-
- $httpCookieName = $config->getCookieName('phpMyAdmin');
- @session_name($httpCookieName);
-
- // Restore correct sesion ID (it might have been reset by auto started session
- if ($config->issetCookie('phpMyAdmin')) {
- session_id($config->getCookie('phpMyAdmin'));
- }
-
- // on first start of session we check for errors
- // f.e. session dir cannot be accessed - session file not created
- $orig_error_count = $errorHandler->countErrors(false);
-
- $session_result = session_start();
-
- if ($session_result !== true
- || $orig_error_count != $errorHandler->countErrors(false)
- ) {
- setcookie($httpCookieName, '', 1);
- $errors = $errorHandler->sliceErrors($orig_error_count);
- self::sessionFailed($errors);
- }
- unset($orig_error_count, $session_result);
-
- /**
- * Disable setting of session cookies for further session_start() calls.
- */
- if (session_status() !== PHP_SESSION_ACTIVE) {
- ini_set('session.use_cookies', 'true');
- }
-
- /**
- * Token which is used for authenticating access queries.
- * (we use "space PMA_token space" to prevent overwriting)
- */
- if (empty($_SESSION[' PMA_token '])) {
- self::generateToken();
-
- /**
- * Check for disk space on session storage by trying to write it.
- *
- * This seems to be most reliable approach to test if sessions are working,
- * otherwise the check would fail with custom session backends.
- */
- $orig_error_count = $errorHandler->countErrors();
- session_write_close();
- if ($errorHandler->countErrors() > $orig_error_count) {
- $errors = $errorHandler->sliceErrors($orig_error_count);
- self::sessionFailed($errors);
- }
- session_start();
- if (empty($_SESSION[' PMA_token '])) {
- Core::fatalError(
- 'Failed to store CSRF token in session! ' .
- 'Probably sessions are not working properly.'
- );
- }
- }
- }
-}
generated by cgit (git 2.34.1) at 2026-05-16 02:37:35 +0000