Item13563: Change CGI::Session to use Storable

==== DO NOT APPLY THIS CHANGE WITHOUT READING THIS NOTE ==== This patch changes the format of the working/tmp/cgisess_* files. They are changing from a portable format based upon Data::Dumper to the Perl "Storable" format. You MUST remove all cgisess_* files from the working/tmp directory after applying this change. Users will lose their sessions and need to log in again to Foswiki. This change is needed to prevent corrupted user identity for users with any character in the range from 0x7f - 0xff. For example users with the Umlat in their user name.
foswiki · Jul 29, 2015 · 8eeffef · 8eeffef
1 parent 8056fc0
commit 8eeffef
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 19 deletions.
diff --git a/core/data/System/ReleaseNotes02x00.txt b/core/data/System/ReleaseNotes02x00.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1438012719" format="1.1"  version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1438198562" format="1.1"  version="1"}%
 %META:TOPICPARENT{name="ReleaseHistory"}%
 ---+!! Foswiki Release 2.0.1 RC1 
 
@@ -57,6 +57,22 @@ Foswiki 2.0 is shipped with the following: ( __New to Foswiki 2.0__ )
    * *Compatibility support* - TWikiCompatibilityPlugin
 </noautolink>
 #Release02x00Changes
+
+---++ Important changes in 2.0.1
+
+Foswiki 2.0.1 has changed how the =working/tmp/cgisess_*= files are stored.
+This is needed to better accommodate user names with international
+characters. If old files exist and users still have a matching session cookie,
+then their access attempts will fail with a 500 internal server error.
+
+<div class="foswikiHelp">%X% *ACTION REQUIRED:*  After applying the changes in
+Foswiki 2.0.1, *you must delete all =cgisess_*= files from the =working/tmp= directory.* </div>
+
+If you are unable to access the server to do this, users will have to clear
+their cookies to gain access to Foswiki.
+
+This change addresses [[%BUGS%/Item13563][Item13563]]
+
 ---++ Changes in requirements
 
 <div class='foswikiHelp'>

diff --git a/core/lib/Foswiki/LoginManager.pm b/core/lib/Foswiki/LoginManager.pm
@@ -54,6 +54,7 @@ use Assert;
 use Error qw( :try );
 
 use Foswiki::Sandbox ();
+use CGI::Session     ();
 
 BEGIN {
     if ( $Foswiki::cfg{UseLocale} ) {
@@ -74,6 +75,8 @@ our %readOnlySK = ( %secretSK, AUTHUSER => 1, SUDOFROMAUTHUSER => 1 );
 
 use constant TRACE => $Foswiki::cfg{Trace}{LoginManager} || 0;
 
+use constant CGIDRIVER => 'driver:File;serializer:Storable';
+
 # GusestSessions should default to enabled, since much of Foswiki depends on
 # having a valid session.
 my $guestSessions =
@@ -1095,8 +1098,11 @@ sub _loadCreateCGISession {
         oct(777) - ( ( $Foswiki::cfg{Session}{filePermission} + 0 ) ) &
           oct(777) );
 
-    my $newsess = Foswiki::LoginManager::Session->new(
-        undef, $sid,
+    my $newsess;
+
+    $newsess = Foswiki::LoginManager::Session->new(
+        CGIDRIVER,
+        $sid,
         {
             Directory => $sessionDir,
             UMask     => $Foswiki::cfg{Session}{filePermission}
@@ -1562,32 +1568,34 @@ sub removeUserSessions {
     ASSERT($user) if DEBUG;
 
     my $msg = '';
+    CGI::Session->find(
+        CGIDRIVER,
+        sub { purge_user( @_, $user, $msg ) },
+        {
+            Directory => "$Foswiki::cfg{WorkingDir}/tmp",
+            UMask     => $Foswiki::cfg{Session}{filePermission},
+        }
+    );
 
-    opendir( my $tmpdir, "$Foswiki::cfg{WorkingDir}/tmp" ) || return '';
-    foreach my $fn ( grep( /^cgisess_/, readdir($tmpdir) ) ) {
-        my ($file) = $fn =~ m/^(cgisess_.*)$/;
-
-        open my $sessfile, '<', "$Foswiki::cfg{WorkingDir}/tmp/$file"
-          or next;
-        while (<$sessfile>) {
-            if (m/'AUTHUSER' => '$user'/) {
-                close $sessfile;
-                unlink "$Foswiki::cfg{WorkingDir}/tmp/$file";
-                $msg .= $file . ', ';
-                last;
-            }
+    sub purge_user {
+
+        #my ($session, $user, $msg) = @_;
+        next if $_[0]->is_empty;    # <-- already expired?!
+        if ( $_[0]->param('AUTHUSER') && $_[0]->param('AUTHUSER') eq $_[1] ) {
+            $_[2] .= 'cgisess_' . $_[0]->id() . ',';
+            $_[0]->delete();
+            $_[0]->flush()
+              ;    # Recommended practice says use flush() after delete().
         }
-        close $sessfile if $sessfile;
     }
-    closedir $tmpdir;
     return $msg;
 }
 
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
-Copyright (C) 2008-2014 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2015 Foswiki Contributors. Foswiki Contributors
 are listed in the AUTHORS file in the root of this distribution.
 NOTE: Please extend that file, not this notice.