-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(session): Make session encryption more robust #47396
base: master
Are you sure you want to change the base?
Conversation
[skipci] Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
use function session_encode; | ||
use function strlen; | ||
|
||
class CryptoSessionHandler extends SessionHandler { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately writing unit tests is not an option for a session handler because PHP sessions have so many side effects. E.g. an actual session has to be opened to test read/write, but you can't close and re-open the session because opening a session sets a header, and setting headers is not possible once any kind of output was written 🫠
Discovered server/lib/private/Session/CryptoWrapper.php Lines 27 to 28 in 32d76b0
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
if ($encryptedData === '') { | ||
return ''; | ||
} | ||
return $this->crypto->decrypt($encryptedData, $passphrase); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: catch decryption error, log and continue with empty session data
…-passphraze-handling
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
…-passphraze-handling
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Summary
Move encryption/decryption from a wrapper class to a PHP session handler.
TODO
\OCP\ISession::getId
clearingExecutionContexts
session key not clearingHow to test - new session
There will be a cookie named like the instanceid of your setup. The value is a combination of a shorter string,
|
and a longer string. The short string is the internal session ID. If you look into the local session file or Redis the session data will be encrypted binary data.How to test - upgrade
There will be a cookie named like the instanceid of your setup and a oc_sessionPassphrase cookie. The first cookie will have a relatively short string. f you look into the local session file or Redis the session data will not be encrypted. You should see one key
encrypted_session_data
with an encrypted value.The cookies will stay the same. But the session file changes. You will no longer see the
encrypted_session_data
because all session data is encrypted.Nextcloud continues to work like before.
Checklist