Commit 9b52ab38 authored by Christian Kuhn's avatar Christian Kuhn

[TASK] Drop non hashed session fallback

The security fix that introduced hashed session identifiers kept fallbacks
to deal with existing non-hashed sessions, so that the security patch-level
releases could transition smoothly. This patch drops those fallbacks in master.

Resolves: #93140
Releases: master
Change-Id: I68172fd26619d93068fc6a2490134bfb9b8a204e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67223

Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent 11e16238
......@@ -327,9 +327,8 @@ class BackendUserController extends ActionController
*/
protected function terminateBackendUserSessionAction(BackendUser $backendUser, $sessionId)
{
// terminating value of persisted session ID (probably hashed value)
// terminating value of persisted session ID
$success = $this->backendUserSessionRepository->terminateSessionByIdentifier($sessionId);
if ($success) {
$this->addFlashMessage(LocalizationUtility::translate('LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:terminateSessionSuccess', 'beuser') ?? '');
}
......
......@@ -92,28 +92,15 @@ class DatabaseSessionBackend implements SessionBackendInterface, HashableSession
public function get(string $sessionId): array
{
$query = $this->getQueryBuilder();
$query->select('*')
->from($this->configuration['table'])
->where($query->expr()->eq('ses_id', $query->createNamedParameter($this->hash($sessionId), \PDO::PARAM_STR)));
$result = $query->execute()->fetch();
if (!is_array($result)) {
// Check for a non-hashed-version, will be removed in TYPO3 v11
$query = $this->getQueryBuilder();
$result = $query->select('*')
->from($this->configuration['table'])
->where($query->expr()->eq('ses_id', $query->createNamedParameter($sessionId, \PDO::PARAM_STR)))
->execute()
->fetch();
if (!is_array($result)) {
throw new SessionNotFoundException(
'The session with identifier ' . $sessionId . ' was not found ',
1481885483
);
}
throw new SessionNotFoundException(
'The session with identifier ' . $sessionId . ' was not found ',
1481885483
);
}
return $result;
}
......@@ -195,13 +182,6 @@ class DatabaseSessionBackend implements SessionBackendInterface, HashableSession
['ses_id' => $hashedSessionId],
['ses_data' => \PDO::PARAM_LOB]
);
// Migrate old session data as well to remove old entries and promote them to migrated entries
$this->getConnection()->update(
$this->configuration['table'],
$sessionData,
['ses_id' => $sessionId],
['ses_data' => \PDO::PARAM_LOB]
);
} catch (DBALException $e) {
throw new SessionNotUpdatedException(
'Session with id ' . $sessionId . ' could not be updated: ' . $e->getMessage(),
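Review bot: The exception message added at `'The session with identifier ' . $sessionId . ' was not found '` (and the existing one at `'Session with id ' . $sessionId . ' could not be updated: '`) interpolates the raw session identifier, which is exactly the secret the hashed-storage change keeps out of the `ses_id` column; exception messages routinely end up in logs and error reports, so the leak is reintroduced through a different channel. The RedisSessionBackend in this same commit throws `'Session could not be fetched from redis'` without the identifier, and the database backend should match: `throw new SessionNotFoundException('The session was not found', 1481885483);` and likewise drop `$sessionId` from the SessionNotUpdatedException message. If an identifier is genuinely needed for debugging, use `$this->hash($sessionId)` instead, since that is the value already stored in the table. `update()` starts and ends outside the hunk.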
......
......@@ -142,14 +142,6 @@ class RedisSessionBackend implements SessionBackendInterface, HashableSessionBac
return $decodedValue;
}
}
// Fallback to the non-hashed-value, will be removed in TYPO3 v11
$rawData = $this->redis->get($this->getSessionKeyName($sessionId));
if ($rawData !== false) {
$decodedValue = json_decode($rawData, true);
if (is_array($decodedValue)) {
return $decodedValue;
}
}
throw new SessionNotFoundException('Session could not be fetched from redis', 1481885583);
}
......@@ -163,11 +155,7 @@ class RedisSessionBackend implements SessionBackendInterface, HashableSessionBac
public function remove(string $sessionId): bool
{
$this->initializeConnection();
$status = $this->redis->del($this->getSessionKeyName($this->hash($sessionId))) >= 1;
// Checking for non-hashed-identifier, will be removed in TYPO3 v11
$statusLegacy = $this->redis->del($this->getSessionKeyName($sessionId)) >= 1;
return $status || $statusLegacy;
return $this->redis->del($this->getSessionKeyName($this->hash($sessionId))) >= 1;
}
/**
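Review bot: Nothing visible now pins that a raw-keyed Redis entry is rejected once the fallback in `get()` is gone; the deleted `nonHashedSessionIdsAreUpdated` test was the only one seeding a `typo3_ses_default_<sha1(encryptionKey)>_<rawId>` key, and its replacement should assert the opposite. Suggest a functional test that sets that raw key directly, as the old test did, and then asserts `$this->subject->get('randomSessionId')` throws `SessionNotFoundException`, so the fallback cannot be reintroduced unnoticed. A side effect worth a one-line comment on `remove()`: legacy raw-keyed entries are no longer deleted by either path and will linger until they expire — presumably they carry the backend's TTL, but that is not visible here. `get()` starts outside the hunk.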
......
......@@ -164,31 +164,6 @@ class RedisSessionBackendTest extends FunctionalTestCase
self::assertSame($expectedMergedData, $fetchedRecord);
}
/**
* @test
* @covers SessionBackendInterface::update
*/
public function nonHashedSessionIdsAreUpdated()
{
$testSessionRecord = $this->testSessionRecord;
$testSessionRecord['ses_tstamp'] = 1;
// simulate old session record by directly inserting it into redis
$this->redis->set(
'typo3_ses_default_' . sha1($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . '_randomSessionId',
json_encode($testSessionRecord),
['nx']
);
$updateData = [
'ses_data' => serialize(['foo' => 'baz', 'idontwantto' => 'set the world on fire']),
'ses_tstamp' => $GLOBALS['EXEC_TIME']
];
$expectedMergedData = array_merge($testSessionRecord, $updateData);
$this->subject->update('randomSessionId', $updateData);
$fetchedRecord = $this->subject->get('randomSessionId');
self::assertSame($expectedMergedData, $fetchedRecord);
}
/**
* @test
* @covers SessionBackendInterface::set
......