Completed
Pull Request — master (#32298)
by Thomas
12:54
created

Internal::start()   A

Complexity

Conditions 4
Paths 5

Size

Total Lines 30

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 4
nc 5
nop 0
dl 0
loc 30
rs 9.44
c 0
b 0
f 0
<?php
/**
 * @author cetra3 <[email protected]>
 * @author Christoph Wurst <[email protected]>
 * @author Lukas Reschke <[email protected]>
 * @author Morris Jobke <[email protected]>
 * @author Phil Davis <[email protected]>
 * @author Robin Appelman <[email protected]>
 * @author Thomas Müller <[email protected]>
 *
 * @copyright Copyright (c) 2018, ownCloud GmbH
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */
namespace OC\Session;
use OCP\Session\Exceptions\SessionNotAvailableException;
/**
 * Class Internal
 *
 * wrap php's internal session handling into the Session interface
 *
 * @package OC\Session
 */
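class Internal extends Session {
	/**
	 * Start (or resume) the native PHP session under the given cookie name.
	 *
	 * While the session is being started, PHP errors are turned into
	 * exceptions by trapError(). If starting fails, the session cookie is
	 * expired so the client stops presenting a session id that cannot be used.
	 *
	 * @param string $name session name handed to session_name()
	 * @throws \Exception if $_SESSION is not available after the start attempt
	 */
	public function __construct($name) {
		\session_name($name);
		$startFailure = null;
		\set_error_handler([$this, 'trapError']);
		try {
			$this->start();
		} catch (\Exception $e) {
			$startFailure = $e;
			// Expire the session cookie. An empty string is passed instead of
			// null: null is deprecated for this parameter on PHP 8.1+, and
			// trapError() would turn that notice into an exception.
			\setcookie(\session_name(), '', -1, \OC::$WEBROOT ? : '/');
		} finally {
			// Always restore the previous handler so trapError() cannot stay
			// installed when something escapes the block above.
			\restore_error_handler();
		}
		if (!isset($_SESSION)) {
			// Keep the original cause attached for diagnosis.
			throw new \Exception('Failed to start session', 0, $startFailure);
		}
	}

	/**
	 * Store a value in the session.
	 *
	 * @param string $key
	 * @param mixed $value stored as-is in $_SESSION
	 * @throws SessionNotAvailableException if the session has been closed
	 */
	public function set($key, $value) {
		$this->validateSession();
		$_SESSION[$key] = $value;
	}

	/**
	 * Read a value from the session.
	 *
	 * @param string $key
	 * @return mixed the stored value, or null when the key is not set
	 */
	public function get($key) {
		if (!$this->exists($key)) {
			return null;
		}
		return $_SESSION[$key];
	}

	/**
	 * Tell whether a key is set (and not null) in the session.
	 *
	 * @param string $key
	 * @return bool
	 */
	public function exists($key) {
		return isset($_SESSION[$key]);
	}

	/**
	 * Remove a key from the session; a missing key is a no-op.
	 *
	 * @param string $key
	 */
	public function remove($key) {
		// unset() is already silent for keys that do not exist.
		unset($_SESSION[$key]);
	}

	/**
	 * Drop all session data and continue with a fresh, empty session.
	 *
	 * NOTE(review): session_destroy() and session_start() are error-suppressed
	 * and their return values are ignored; regenerateId() suppresses errors
	 * too. If one of them fails, the caller gets no signal that the session
	 * id was not rotated or that $_SESSION is no longer backed by a started
	 * session. Consider checking for `=== false` and logging or throwing.
	 */
	public function clear() {
		\session_unset();
		$this->regenerateId();
		@\session_destroy();
		@\session_start();
		$_SESSION = [];
	}

	/**
	 * Write the session data, end the native session, then let the parent
	 * class do its own close handling.
	 */
	public function close() {
		\session_write_close();
		parent::close();
	}

	/**
	 * Wrapper around session_regenerate_id
	 *
	 * NOTE(review): errors are suppressed and the boolean result is discarded,
	 * so a failed regeneration (the old id stays in use) is invisible to
	 * callers that rely on it after a privilege change.
	 *
	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
	 * @return void
	 */
	public function regenerateId($deleteOldSession = true) {
		@\session_regenerate_id($deleteOldSession);
	}

	/**
	 * Wrapper around session_id
	 *
	 * @return string the current, non-empty session id
	 * @throws SessionNotAvailableException if there is no current session id
	 * @since 9.1.0
	 */
	public function getId() {
		$id = @\session_id();
		if ($id === '') {
			throw new SessionNotAvailableException();
		}
		return $id;
	}

	/**
	 * Not supported for the native session; always throws.
	 *
	 * @throws \Exception
	 */
	public function reopen() {
		throw new \Exception('The session cannot be reopened - reopen() is ony to be used in unit testing.');
	}

	/**
	 * Error handler installed by the constructor while the session starts:
	 * turns every reported PHP error into an exception. The error number is
	 * not used.
	 *
	 * @param int $errorNumber
	 * @param string $errorString
	 * @throws \ErrorException
	 */
	public function trapError($errorNumber, $errorString) {
		throw new \ErrorException($errorString);
	}

	/**
	 * Guard for write access: refuses to continue once the session is closed.
	 *
	 * @throws SessionNotAvailableException if the session has been closed
	 */
	private function validateSession() {
		if ($this->sessionClosed) {
			throw new SessionNotAvailableException('Session has been closed - no further changes to the session are allowed');
		}
	}

	/**
	 * Apply the session cookie and runtime ini settings, then start the
	 * native session. The settings are only applied while no session id
	 * exists yet.
	 */
	private function start(): void {
		// Ask PHP directly. getId() throws SessionNotAvailableException for an
		// empty id, so comparing its result with '' could never be true and
		// the cookie hardening below would never be applied.
		if (\session_id() === '') {
			// prevents javascript from accessing php session cookies
			\ini_set('session.cookie_httponly', true);

			// set the cookie path to the ownCloud directory
			$cookie_path = \OC::$WEBROOT ? : '/';
			\ini_set('session.cookie_path', $cookie_path);

			\ini_set('display_errors', 0);
			\ini_set('log_errors', 1);

			\ini_set('max_execution_time', 3600);
			\ini_set('max_input_time', 3600);

			// try to set the maximum filesize to 10G
			// NOTE(review): upload_max_filesize and post_max_size are normally
			// not changeable through ini_set() at runtime, and file_uploads is
			// an on/off switch rather than a count (max_file_uploads is the
			// count) - confirm these calls have the intended effect.
			\ini_set('upload_max_filesize', '10G');
			\ini_set('post_max_size', '10G');
			\ini_set('file_uploads', '50');

			// only mark the cookie as secure when the request came in over https
			if (\OC::$server->getRequest()->getServerProtocol() === 'https') {
				\ini_set('session.cookie_secure', true);
			}

			// try to set the session lifetime; the directive is named
			// session.gc_maxlifetime - the bare name 'gc_maxlifetime' is not a
			// PHP setting, so the configured lifetime was never applied.
			$sessionLifeTime = \OC::getSessionLifeTime();
			@\ini_set('session.gc_maxlifetime', (string)$sessionLifeTime);
		}
		\session_start();
	}
}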