[Session] limiting :key for GET_LOCK to 64 chars #27250
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fabpot
requested changes
May 14, 2018
| @@ -674,14 +674,17 @@ private function doAdvisoryLock(string $sessionId) | |||
| { | |||
| switch ($this->driver) { | |||
| case 'mysql': | |||
| // MySQL 5.7.5 and later enforces a maximum length on lock names of 64 characters. Previously, no limit was enforced. | |||
| $lockId = \substr($sessionId, 0, 64); | |||
There was a problem hiding this comment.
I'd recommend to hash the session id instead (or doing something similar) as keeping just the first 64 chars could lead to conflicts depending on how the session id is generated.
There was a problem hiding this comment.
The session id is just a random string. So hashing that does not reduce the likeliness of collisions compared to just using the first 64 bytes.
There was a problem hiding this comment.
@fabian, @Tobion is right, session_id is just a random string, which is result of http://php.net/manual/en/session.configuration.php#ini.session.hash-function and by default it's md5
Tobion
reviewed
May 14, 2018
| @@ -833,7 +836,7 @@ private function getUpdateStatement($sessionId, $sessionData, $maxlifetime) | |||
| /** | |||
| * Returns a merge/upsert (i.e. insert or update) statement when supported by the database for writing session data. | |||
| */ | |||
| private function getMergeStatement(string $sessionId, string $data, int$maxlifetime): ?\PDOStatement | |||
| private function getMergeStatement(string $sessionId, string $data, int $maxlifetime): ?\PDOStatement | |||
There was a problem hiding this comment.
This has already been fixed in 4f3afd5 and will be merge upwards in later branches automatically. So please remove this change.
There was a problem hiding this comment.
Will rebase branch
|
To me this is a bugfix and should be opened against 2.7 branch. |
|
@Tobion agree, let's rebase on 2.7 |
1555e16 to
4e057b8
Compare
oleg-andreyev
added a commit
to oleg-andreyev/symfony
that referenced
this pull request
May 14, 2018
…ySQL 5.7.5 and later
4e057b8 to
d7d4e41
Compare
oleg-andreyev
added a commit
to oleg-andreyev/symfony
that referenced
this pull request
May 14, 2018
…ySQL 5.7.5 and later
…ySQL 5.7.5 and later
4c52bc6 to
9cda96b
Compare
nicolas-grekas
approved these changes
May 14, 2018
Tobion
approved these changes
May 14, 2018
fabpot
approved these changes
May 15, 2018
|
Thank you @oleg-andreyev. |
fabpot
added a commit
that referenced
this pull request
May 15, 2018
…reyev) This PR was merged into the 2.7 branch. Discussion ---------- [Session] limiting :key for GET_LOCK to 64 chars | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT > MySQL 5.7.5 and later enforces a maximum length on lock names of 64 characters. Previously, no limit was enforced. Cases: - `session_id` is set by developers manually - `session.sid_length` is configured Ref.: - https://dev.mysql.com/doc/refman/5.7/en/miscellaneous-functions.html#function_get-lock - http://php.net/manual/en/session.configuration.php#ini.session.sid-length Other issues: - go-sql-driver/mysql#385 - stefangabos/Zebra_Session#16 Commits ------- 9cda96b #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later
nicolas-grekas
added a commit
that referenced
this pull request
May 15, 2018
* 2.7: [Security] Fix logout #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors Suppress warnings when open_basedir is non-empty
nicolas-grekas
added a commit
that referenced
this pull request
May 16, 2018
* 2.8: [Security] Fix logout #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors Suppress warnings when open_basedir is non-empty
nicolas-grekas
added a commit
that referenced
this pull request
May 16, 2018
* 3.4: fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors [DI] Display previous error messages when throwing unused bindings Suppress warnings when open_basedir is non-empty
nicolas-grekas
added a commit
that referenced
this pull request
May 16, 2018
* 4.0: (21 commits) [PropertyInfo] fix resolving parent|self type hints fixed CS fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors fixed CS fixed CS fixed CS [FrameworkBundle] Fix cache:clear on vagrant [HttpKernel] Handle NoConfigurationException "onKernelException()" Fix misses calculation when calling getItems [DI] Display previous error messages when throwing unused bindings Fixed return type ...
nicolas-grekas
added a commit
that referenced
this pull request
May 16, 2018
* 4.1: (22 commits) Fix CS [PropertyInfo] fix resolving parent|self type hints fixed CS fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes #27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors fixed CS fixed CS fixed CS [FrameworkBundle] Fix cache:clear on vagrant [HttpKernel] Handle NoConfigurationException "onKernelException()" Fix misses calculation when calling getItems [DI] Display previous error messages when throwing unused bindings ...
This was referenced May 21, 2018
Merged
Merged
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cases:
session_idis set by developers manuallysession.sid_lengthis configuredRef.:
Other issues: