Merge commit 'fcfbf01dba9c932dbb66abffa8f65bf1c7a15081'

[confetti] / cgilite / session.sh

diff --git a/cgilite/session.sh b/cgilite/session.sh
new file mode 100755 (executable)
index 0000000..b9cef4d
--- /dev/null
+++ b/cgilite/session.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+[ -n "$include_session" ] && return 0
+include_session="$0"
+
+if ! which uuencode >/dev/null; then
+  uuencode() { busybox uuencode "$@"; }
+fi
+if ! which sha256sum >/dev/null; then
+  sha256sum() { busybox sha256sum "$@"; }
+fi
+
+_DATE="$(date +%s)"
+SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+
+server_key(){
+  IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
+  if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then
+    dd count=1 bs=512 if=/dev/urandom \
+    | tee "$IDFILE"
+  fi 2>&-
+}
+
+slopecode(){
+  # 6-Bit Code that retains sort order of input data, while beeing safe to use
+  # in ascii transmissions, unix file names, HTTP URLs, and HTML attributes
+
+  uuencode -m - | sed '
+    1d;$d; 
+    y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz;
+  '
+}
+
+session_mac(){
+  local info
+  [ $# -eq 0 ] && info="$(cat)" || info="$*"
+
+  if which openssl >/dev/null; then
+    printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode
+  else
+    { printf %s "$info"; server_key; } |sha256sum |cut -d\  -f1
+  fi
+}
+
+randomid(){
+  dd bs=12 count=1 if=/dev/urandom 2>&- \
+  | slopecode
+}
+
+timeid(){
+  d=$(($_DATE % 4294967296))
+  { printf "$(
+      printf \\%o \
+        $((d / 16777216 % 256)) \
+        $((d / 65536 % 256)) \
+        $((d / 256 % 256)) \
+        $((d % 256))
+    )"
+    dd bs=8 count=1 if=/dev/urandom 2>&-
+  } | slopecode
+}
+
+checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
+
+transid(){
+  # transaction ID to modify a given file
+  local file="$1"
+  session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID"
+}
+
+update_session(){
+  local session sid time sig checksig
+
+  read -r sid time sig <<-END
+       $(POST session_key || COOKIE session)
+       END
+  
+  checksig="$(session_mac "$sid" "$time")"
+  
+  if ! [ "$checksig" = "$sig" \
+    -a "$time" -ge "$_DATE" \
+    -a "$(printf %s "$sid" |checkid)" ] 2>&-
+  then
+    debug "Setting up new session"
+    sid="$(randomid)"
+  fi
+
+  time=$(( $_DATE + $SESSION_TIMEOUT ))
+  sig="$(session_mac "$sid" "$time")"
+  printf %s\\n "${sid} ${time} ${sig}"
+}
+
+SESSION_KEY="$(update_session)"
+SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+SESSION_ID="${SESSION_KEY%% *}"
+
+SESSION_BIND() {
+  local key="$1" value="$2"
+  SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
+}
+
+SESSION_VAR() {
+  local key="$1"
+  local value sig
+  value="$(COOKIE "$key")"
+  sig="${value##* }" value="${value% *}"
+  if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then
+    printf %s\\n "$value"
+  else
+    return 1
+  fi
+}