Merge pull request #32298 from owncloud/bugfi/fix-ini_set

Move ini_set calls before a new session is started
owncloud · Aug 31, 2018 · 35751f9 · 35751f9
2 parents 6b653fb + 194b9c5
commit 35751f9
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 12 deletions.
diff --git a/lib/base.php b/lib/base.php
@@ -408,13 +408,6 @@ private static function printUpgradePage() {
 	}
 
 	public static function initSession() {
-		// prevents javascript from accessing php session cookies
-		\ini_set('session.cookie_httponly', true);
-
-		// set the cookie path to the ownCloud directory
-		$cookie_path = OC::$WEBROOT ? : '/';
-		\ini_set('session.cookie_path', $cookie_path);
-
 		// Let the session name be changed in the initSession Hook
 		$sessionName = OC_Util::getInstanceId();
 
@@ -593,9 +586,6 @@ public static function init() {
 		self::checkInstalled();
 
 		OC_Response::addSecurityHeaders();
-		if (self::$server->getRequest()->getServerProtocol() === 'https') {
-			\ini_set('session.cookie_secure', true);
-		}
 
 		if (!\defined('OC_CONSOLE')) {
 			$errors = OC_Util::checkServer(\OC::$server->getConfig());

diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
@@ -27,6 +27,7 @@
 
 namespace OC\Session;
 
+use OC\AppFramework\Http\Request;
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 /**
@@ -45,19 +46,20 @@ public function __construct($name) {
 		\session_name($name);
 		\set_error_handler([$this, 'trapError']);
 		try {
-			\session_start();
+			$this->start();
 		} catch (\Exception $e) {
 			\setcookie(\session_name(), null, -1, \OC::$WEBROOT ? : '/');
 		}
 		\restore_error_handler();
-		if (!isset($_SESSION)) {
+		if ($_SESSION === null) {
 			throw new \Exception('Failed to start session');
 		}
 	}
 
 	/**
 	 * @param string $key
 	 * @param integer $value
+	 * @throws \Exception
 	 */
 	public function set($key, $value) {
 		$this->validateSession();
@@ -154,4 +156,40 @@ private function validateSession() {
 			throw new SessionNotAvailableException('Session has been closed - no further changes to the session are allowed');
 		}
 	}
+
+	private function start(): void {
+		if (@\session_id() === '') {
+			// prevents javascript from accessing php session cookies
+			\ini_set('session.cookie_httponly', true);
+
+			// set the cookie path to the ownCloud directory
+			$cookie_path = \OC::$WEBROOT ? : '/';
+			\ini_set('session.cookie_path', $cookie_path);
+
+			if ($this->getServerProtocol() === 'https') {
+				\ini_set('session.cookie_secure', true);
+			}
+		}
+		\session_start();
+	}
+
+	private function getServerProtocol() {
+		$req = new Request(
+			[
+				'get' => $_GET,
+				'post' => $_POST,
+				'files' => $_FILES,
+				'server' => $_SERVER,
+				'env' => $_ENV,
+				'cookies' => $_COOKIE,
+				'method' => $_SERVER['REQUEST_METHOD'] ?? null,
+				'urlParams' => [],
+			],
+			null,
+			\OC::$server->getConfig(),
+			null
+		);
+
+		return $req->getServerProtocol();
+	}
 }