Diffstat (limited to 'includes/GlobalFunctions.php')
-rw-r--r-- | includes/GlobalFunctions.php | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 3424211f..8ed79c40 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3065,6 +3065,33 @@ function wfHttpOnlySafe() {
 }
 
 /**
+ * Override session_id before session startup if php's built-in
+ * session generation code is not secure.
+ */
+function wfFixSessionID() {
+ // If the cookie or session id is already set we already have a session and should abort
+ if ( isset( $_COOKIE[ session_name() ] ) || session_id() ) {
+ return;
+ }
+
+ // PHP's built-in session entropy is enabled if:
+ // - entropy_file is set or you're on Windows with php 5.3.3+
+ // - AND entropy_length is > 0
+ // We treat it as disabled if it doesn't have an entropy length of at least 32
+ $entropyEnabled = (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+
+ // If built-in entropy is not enabled or not sufficient override php's built in session id generation code
+ if ( !$entropyEnabled ) {
+ wfDebug( __METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n" );
+ session_id( MWCryptRand::generateHex( 32 ) );
+ }
+}
+
+/**
  * Initialise php session
  *
  * @param $sessionId Bool
@@ -3103,6 +3130,8 @@ function wfSetupSession( $sessionId = false ) {
 session_cache_limiter( 'private, must-revalidate' );
 if ( $sessionId ) {
 session_id( $sessionId );
+ } else {
+ wfFixSessionID();
 }
 wfSuppressWarnings();
 session_start(); |
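Review bot: The docblock for `wfFixSessionID` does not state its preconditions: it must be called before `session_start()`, it is a no-op whenever the client already presents a session cookie or `session_id()` has been set, and it only replaces the generated id when no entropy source is configured or `session.entropy_length` is below 32. A reader of the call site in `wfSetupSession` cannot tell from the two-line summary that a client-presented cookie value is deliberately left untouched here. Suggest extending the docblock with `@note Must be called before session_start(); does nothing if a session cookie or session id already exists.` Separately, `|| session_id()` tests truthiness, so a previously set id of `'0'` would be treated as absent; `session_id() !== ''` is the exact check.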
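Review bot: The new `wfFixSessionID()` call in the else branch depends on `session_name()` already reflecting the configured cookie name, because that function keys its early return on `$_COOKIE[ session_name() ]`; if the name is set earlier in `wfSetupSession` (the function starts and ends outside this hunk) the ordering works, but nothing at the call site records that dependency. A one-line comment would stop a later reorder from silently disabling the check: `// Must run after session_name() is configured: wfFixSessionID() keys on $_COOKIE[ session_name() ]`. The `@param $sessionId Bool` docblock visible in the previous hunk could also mention that omitting the id now routes generation through `wfFixSessionID()`.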