sanitizing and security

[cgilite] / session.sh

diff --git a/session.sh b/session.sh
index 60ae57734a6b1e659460139c7b1b497fae5d866b..ee5c4993a72df047fe0fc67b3c384f2b5733be48 100755 (executable)
--- a/session.sh
+++ b/session.sh
@@ -3,6 +3,9 @@
 [ -n "$include_session" ] && return 0
 include_session="$0"
 
+_DATE="$(date +%s)"
+SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+
 server_key(){
   IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
   if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then
@@ -27,7 +30,7 @@ randomid(){
 }
 
 timeid(){
-  d=$(($(date +%s) % 4294967296))
+  d=$(($_DATE % 4294967296))
   { printf "$(
       printf \\%o \
         $((d / 16777216 % 256)) \
@@ -39,7 +42,16 @@ timeid(){
   } | slopecode
 }
 
-checkid(){ grep -m 1 -xE '[0-9a-zA-Z:_]{16}'; }
+checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
+
+transid(){
+  # transaction ID to modify a given file
+  local file="$1"
+  { stat -c %F%i%n%N%s%Y "$file" 2>&-
+    printf %s "$SESSION_ID"
+    server_key
+  } | sha256sum | cut -d\  -f1
+}
 
 update_session(){
   local session sid time sig serverkey checksig
@@ -51,17 +63,16 @@ update_session(){
   
   checksig="$(printf %s "$sid" "$time" "$serverkey" | sha256sum)"
   checksig="${checksig%% *}"
-  d=$(date +%s)
   
-  if [ "$checksig" != "$sig" \
-    -o "$time" -lt "$d" \
-    -o ! "$(printf %s "$sid" |checkid)" ] 2>&-
+  if ! [ "$checksig" = "$sig" \
+    -a "$time" -ge "$_DATE" \
+    -a "$(printf %s "$sid" |checkid)" ] 2>&-
   then
     debug Setting up new session
     sid="$(randomid)"
   fi
 
-  time=$(( $(date +%s) + 7200 ))
+  time=$(( $_DATE + $SESSION_TIMEOUT ))
   sig="$(printf %s "$sid" "$time" "$serverkey" |sha256sum)"
   sig="${sig%% *}"
   printf %s\\n "${sid}-${time}-${sig}"