shell bypass 403
<?php
/**
* Part of the Joomla Framework Session Package
*
* @copyright Copyright (C) 2005 - 2021 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE
*/
namespace Joomla\Session;
use Joomla\Event\DispatcherAwareInterface;
use Joomla\Event\DispatcherAwareTrait;
use Joomla\Event\DispatcherInterface;
/**
* Class for managing HTTP sessions
*
* Provides access to session-state values as well as session-level settings and lifetime management methods.
* Based on the standard PHP session handling mechanism it provides more advanced features such as expire timeouts.
*
* @since 1.0
*/
class Session implements SessionInterface, DispatcherAwareInterface
{
use DispatcherAwareTrait;
/**
* Internal session state.
*
* @var string
* @since 1.0
*/
protected $state = SessionState::INACTIVE;
/**
* Maximum age of unused session in seconds.
*
* @var integer
* @since 1.0
*/
protected $expire = 900;
/**
* The session store object.
*
* @var StorageInterface
* @since 1.0
*/
protected $store;
/**
* Container holding session validators.
*
* @var ValidatorInterface[]
* @since 2.0.0
*/
protected $sessionValidators = [];
/**
* Constructor
*
* @param ?StorageInterface $store A StorageInterface implementation.
* @param ?DispatcherInterface $dispatcher DispatcherInterface for the session to use.
* @param array $options Optional parameters. Supported keys include:
* - name: The session name
* - id: The session ID
* - expire: The session lifetime in seconds
*
* @since 1.0
*/
public function __construct(?StorageInterface $store = null, ?DispatcherInterface $dispatcher = null, array $options = [])
{
$this->store = $store ?: new Storage\NativeStorage(new Handler\FilesystemHandler());
if ($dispatcher) {
$this->setDispatcher($dispatcher);
}
$this->setOptions($options);
$this->setState(SessionState::INACTIVE);
}
/**
* Adds a validator to the session
*
* @param ValidatorInterface $validator The session validator
*
* @return void
*
* @since 2.0.0
*/
public function addValidator(ValidatorInterface $validator): void
{
$this->sessionValidators[] = $validator;
}
/**
* Get expiration time in seconds
*
* @return integer The session expiration time in seconds
*
* @since 1.0
*/
public function getExpire()
{
return $this->expire;
}
/**
* Get current state of session
*
* @return string The session state
*
* @since 1.0
*/
public function getState()
{
return $this->state;
}
/**
* Get a session token.
*
* Tokens are used to secure forms from spamming attacks. Once a token has been generated the system will check the request to see if
* it is present, if not it will invalidate the session.
*
* @param boolean $forceNew If true, forces a new token to be created
*
* @return string
*
* @since 1.0
*/
public function getToken($forceNew = false)
{
// Ensure the session token exists and create it if necessary
if (!$this->has('session.token') || $forceNew) {
$this->set('session.token', $this->createToken());
}
return $this->get('session.token');
}
/**
* Check if the session has the given token.
*
* @param string $token Hashed token to be verified
* @param boolean $forceExpire If true, expires the session
*
* @return boolean
*
* @since 1.0
*/
public function hasToken($token, $forceExpire = true)
{
$result = $this->get('session.token') === $token;
if (!$result && $forceExpire) {
$this->setState(SessionState::EXPIRED);
}
return $result;
}
/**
* Retrieve an external iterator.
*
* @return \ArrayIterator Return an ArrayIterator of $_SESSION.
*
* @since 1.0
*/
#[\ReturnTypeWillChange]
public function getIterator()
{
return new \ArrayIterator($this->all());
}
/**
* Get session name
*
* @return string The session name
*
* @since 1.0
*/
public function getName()
{
return $this->store->getName();
}
/**
* Set the session name
*
* @param string $name The session name
*
* @return $this
*
* @since 2.0.0
*/
public function setName(string $name)
{
$this->store->setName($name);
return $this;
}
/**
* Get session id
*
* @return string The session id
*
* @since 1.0
*/
public function getId()
{
return $this->store->getId();
}
/**
* Set the session ID
*
* @param string $id The session ID
*
* @return $this
*
* @since 2.0.0
*/
public function setId(string $id)
{
$this->store->setId($id);
return $this;
}
/**
* Check if the session is active
*
* @return boolean
*
* @since 1.0
*/
public function isActive()
{
if ($this->getState() === SessionState::ACTIVE) {
return $this->store->isActive();
}
return false;
}
/**
* Check whether this session is currently created
*
* @return boolean
*
* @since 1.0
*/
public function isNew()
{
$counter = $this->get('session.counter');
return $counter === 1;
}
/**
* Check if the session is started
*
* @return boolean
*
* @since 2.0.0
*/
public function isStarted(): bool
{
return $this->store->isStarted();
}
/**
* Get data from the session store
*
* @param string $name Name of a variable
* @param mixed $default Default value of a variable if not set
*
* @return mixed Value of a variable
*
* @since 1.0
*/
public function get($name, $default = null)
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->get($name, $default);
}
/**
* Set data into the session store.
*
* @param string $name Name of a variable.
* @param mixed $value Value of a variable.
*
* @return mixed Old value of a variable.
*
* @since 1.0
*/
public function set($name, $value = null)
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->set($name, $value);
}
/**
* Check whether data exists in the session store
*
* @param string $name Name of variable
*
* @return boolean True if the variable exists
*
* @since 1.0
*/
public function has($name)
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->has($name);
}
/**
* Unset a variable from the session store
*
* @param string $name Name of variable
*
* @return mixed The value from session or NULL if not set
*
* @since 2.0.0
*/
public function remove(string $name)
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->remove($name);
}
/**
* Clears all variables from the session store
*
* @return void
*
* @since 1.0
*/
public function clear()
{
if (!$this->isActive()) {
$this->start();
}
$this->store->clear();
}
/**
* Retrieves all variables from the session store
*
* @return array
*
* @since 2.0.0
*/
public function all(): array
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->all();
}
/**
* Start a session.
*
* @return void
*
* @since 1.0
*/
public function start()
{
if ($this->isStarted()) {
return;
}
$this->store->start();
$this->setState(SessionState::ACTIVE);
// Initialise the session
$this->setCounter();
$this->setTimers();
// Perform security checks
if (!$this->validate()) {
// If the session isn't valid because it expired try to restart it or destroy it.
if ($this->getState() === SessionState::EXPIRED) {
$this->restart();
} else {
$this->destroy();
}
}
if ($this->dispatcher) {
if (!empty($this->dispatcher->getListeners('onAfterSessionStart'))) {
trigger_deprecation(
'joomla/session',
'2.0.0',
'The `onAfterSessionStart` event is deprecated and will be removed in 3.0, use the %s::START event instead.',
SessionEvents::class
);
// Dispatch deprecated event
$this->dispatcher->dispatch('onAfterSessionStart', new SessionEvent('onAfterSessionStart', $this));
}
// Dispatch new event
$this->dispatcher->dispatch(SessionEvents::START, new SessionEvent(SessionEvents::START, $this));
}
}
/**
* Frees all session variables and destroys all data registered to a session
*
* This method resets the $_SESSION variable and destroys all of the data associated
* with the current session in its storage (file or DB). It forces new session to be
* started after this method is called.
*
* @return boolean
*
* @see session_destroy()
* @see session_unset()
* @since 1.0
*/
public function destroy()
{
// Session was already destroyed
if ($this->getState() === SessionState::DESTROYED) {
return true;
}
$this->clear();
$this->fork(true);
$this->setState(SessionState::DESTROYED);
return true;
}
/**
* Restart an expired or locked session.
*
* @return boolean True on success
*
* @see destroy
* @since 1.0
*/
public function restart()
{
// Backup existing session data
$data = $this->all();
$this->destroy();
if ($this->getState() !== SessionState::DESTROYED) {
// @TODO :: generated error here
return false;
}
// Restart the session
$this->store->start();
$this->setState(SessionState::ACTIVE);
// Initialise the session
$this->setCounter();
$this->setTimers();
// Restore the data
foreach ($data as $key => $value) {
$this->set($key, $value);
}
// If the restarted session cannot be validated then it will be destroyed
if (!$this->validate(true)) {
$this->destroy();
}
if ($this->dispatcher) {
if (!empty($this->dispatcher->getListeners('onAfterSessionRestart'))) {
trigger_deprecation(
'joomla/session',
'2.0.0',
'The `onAfterSessionRestart` event is deprecated and will be removed in 3.0, use the %s::RESTART event instead.',
SessionEvents::class
);
// Dispatch deprecated event
$this->dispatcher->dispatch('onAfterSessionRestart', new SessionEvent('onAfterSessionRestart', $this));
}
// Dispatch new event
$this->dispatcher->dispatch(SessionEvents::RESTART, new SessionEvent(SessionEvents::RESTART, $this));
}
return true;
}
/**
* Create a new session and copy variables from the old one
*
* @param boolean $destroy Whether to delete the old session or leave it to garbage collection.
*
* @return boolean True on success
*
* @since 1.0
*/
public function fork($destroy = false)
{
$result = $this->store->regenerate($destroy);
if ($result) {
$this->setTimers();
}
return $result;
}
/**
* Writes session data and ends session
*
* Session data is usually stored after your script terminated without the need
* to call {@link Session::close()}, but as session data is locked to prevent concurrent
* writes only one script may operate on a session at any time. When using
* framesets together with sessions you will experience the frames loading one
* by one due to this locking. You can reduce the time needed to load all the
* frames by ending the session as soon as all changes to session variables are
* done.
*
* @return void
*
* @see session_write_close()
* @since 1.0
*/
public function close()
{
$this->store->close();
$this->setState(SessionState::CLOSED);
}
/**
* Perform session data garbage collection
*
* @return integer|boolean Number of deleted sessions on success or boolean false on failure or if the function is unsupported
*
* @see session_gc()
* @since 2.0.0
*/
public function gc()
{
if (!$this->isActive()) {
$this->start();
}
return $this->store->gc();
}
/**
* Aborts the current session
*
* @return boolean
*
* @see session_abort()
* @since 2.0.0
*/
public function abort(): bool
{
if (!$this->isActive()) {
return true;
}
return $this->store->abort();
}
/**
* Create a token string
*
* @return string
*
* @since 1.3.1
*/
protected function createToken(): string
{
/*
* We are returning a 32 character string.
* The bin2hex() function will double the length of the hexadecimal value returned by random_bytes(),
* so generate the token from a 16 byte random value
*/
return bin2hex(random_bytes(16));
}
/**
* Set counter of session usage
*
* @return boolean True on success
*
* @since 1.0
*/
protected function setCounter()
{
$counter = $this->get('session.counter', 0);
$counter++;
$this->set('session.counter', $counter);
return true;
}
/**
* Set the session expiration
*
* @param integer $expire Maximum age of unused session in seconds
*
* @return $this
*
* @since 1.3.0
*/
protected function setExpire($expire)
{
$this->expire = $expire;
return $this;
}
/**
* Set the session state
*
* @param string $state Internal state
*
* @return $this
*
* @since 1.3.0
*/
protected function setState($state)
{
$this->state = $state;
return $this;
}
/**
* Set the session timers
*
* @return boolean True on success
*
* @since 1.0
*/
protected function setTimers()
{
if (!$this->has('session.timer.start')) {
$start = time();
$this->set('session.timer.start', $start);
$this->set('session.timer.last', $start);
$this->set('session.timer.now', $start);
}
$this->set('session.timer.last', $this->get('session.timer.now'));
$this->set('session.timer.now', time());
return true;
}
/**
* Set additional session options
*
* @param array $options List of parameter
*
* @return boolean True on success
*
* @since 1.0
*/
protected function setOptions(array $options)
{
// Set name
if (isset($options['name'])) {
$this->setName($options['name']);
}
// Set id
if (isset($options['id'])) {
$this->setId($options['id']);
}
// Set expire time
if (isset($options['expire'])) {
$this->setExpire($options['expire']);
}
// Sync the session maxlifetime
if (!headers_sent()) {
ini_set('session.gc_maxlifetime', $this->getExpire());
}
return true;
}
/**
* Do some checks for security reasons
*
* If one check fails, session data has to be cleaned.
*
* @param boolean $restart Reactivate session
*
* @return boolean True on success
*
* @see http://shiflett.org/articles/the-truth-about-sessions
* @since 1.0
*/
protected function validate($restart = false)
{
// Allow to restart a session
if ($restart) {
$this->setState(SessionState::ACTIVE);
}
// Check if session has expired
if ($this->expire) {
$curTime = $this->get('session.timer.now', 0);
$maxTime = $this->get('session.timer.last', 0) + $this->expire;
// Empty session variables
if ($maxTime < $curTime) {
$this->setState(SessionState::EXPIRED);
return false;
}
}
try {
foreach ($this->sessionValidators as $validator) {
$validator->validate($restart);
}
} catch (Exception\InvalidSessionException $e) {
$this->setState(SessionState::ERROR);
return false;
}
return true;
}
}