This PR was merged into the 2.7 branch.
Discussion
----------
PdoSessionHandler: fix advisory lock for pgsql
When `session.sid_bits_per_character` > 4 the session id can contain non-hex characters which will be ignored by `hexdec`. This can potentially result in collisions on the lock key from different sessions, e.g. the session ids `aagh` and `aaij` would have the same pgsql lock because `hexdec('aagh') === hexdec('aaij')`.
| Q | A |
| ------------- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #24095 |
| License | MIT |
| Doc PR | |
Commits
-------
0f0a6e8 PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
When ini `session.sid_bits_per_character` > 4, the session id can contain non-hex characters which will be ignored by `hexdec` in https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php#L586, making the lock key vulnerable to collisions. So somebody else could block your session. The same problem applies to the old `session.hash_bits_per_character` setting. So we need a different algorithm to transform the session id to an integer.
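The collision described in the PR description and in the linked ticket above, reproduced as an added example that is not part of the PR or of Symfony's code. The `php_hexdec` function emulates PHP's documented `hexdec()` behaviour of silently skipping non-hex characters; the session-id alphabets listed for `session.sid_bits_per_character` 4, 5 and 6 are the ones PHP uses. The `lock_key` function is a hypothetical replacement, not the fix that was merged: it derives a signed 64-bit key (the range `pg_advisory_lock` accepts) from a digest of the whole session id so that every character contributes.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

# Alphabets PHP draws session ids from, keyed by session.sid_bits_per_character.
# Only the 4-bit alphabet is pure hex; the others contain characters hexdec() drops.
SID_ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}

INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1


def php_hexdec(value: str) -> int:
    """Emulate PHP's hexdec(): characters outside 0-9a-fA-F are ignored,
    so 'aagh' and 'aaij' both collapse to 'aa' before conversion."""
    digits = "".join(ch for ch in value if ch in HEX_DIGITS)
    return int(digits, 16) if digits else 0


def non_hex_fraction(bits_per_char: int) -> float:
    """Share of the alphabet that hexdec() would throw away for a given setting."""
    alphabet = SID_ALPHABETS[bits_per_char]
    return sum(1 for ch in alphabet if ch not in HEX_DIGITS) / len(alphabet)


def find_hexdec_collision(session_ids):
    """Return the first pair of distinct session ids that map to the same
    hexdec-derived lock key, or None when all keys are distinct."""
    seen = {}
    for sid in session_ids:
        key = php_hexdec(sid)
        if key in seen and seen[key] != sid:
            return seen[key], sid
        seen.setdefault(key, sid)
    return None


def lock_key(session_id: str) -> int:
    """Hypothetical replacement (an assumption, not the project's merged fix):
    hash the full session id and take the first 8 digest bytes as a signed
    64-bit integer, which is the key type pg_advisory_lock() expects."""
    digest = hashlib.sha256(session_id.encode("ascii")).digest()
    key = int.from_bytes(digest[:8], "big", signed=True)
    assert INT64_MIN <= key <= INT64_MAX
    return key


if __name__ == "__main__":
    # Constructed session ids from the PR description: distinct, yet the same lock key.
    pair = find_hexdec_collision(["aagh", "aaij"])
    print("hexdec collision:", pair, "->", php_hexdec("aagh"))
    for bits in (4, 5, 6):
        print(f"sid_bits_per_character={bits}: {non_hex_fraction(bits):.0%} of characters ignored")
    print("digest-based keys differ:", lock_key("aagh") != lock_key("aaij"))
```

Running it shows that with the 5-bit alphabet half of every session id is invisible to `hexdec`, which is why two live sessions can end up contending for (or holding) one another's advisory lock; a digest over the whole id removes that structural collision.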