Merge pull request #1020 from nextcloud/backport/1014/stable19

[stable19] Harden check when using token from memcache
author: Julius Härtl <jus@bitgrid.net> 2020-09-07 08:55:21 +0300
committer: GitHub <noreply@github.com> 2020-09-07 08:55:21 +0300
commit: 953e679d63de634544e4de095e770a39ed8b42d8 (patch)
tree: 255b892b03d5bbdaa4b98f67239d4996e7855438
parent: 1572f7b83b1a27b1bc2555ba4218112619daa9a9 (diff)
parent: eb82bb030d47f42b74eeb1f64eecf7bb156725d4 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/Service/SessionService.php b/lib/Service/SessionService.php
index d02d2ad0b..16d1fcabb 100644
--- a/lib/Service/SessionService.php
+++ b/lib/Service/SessionService.php
@@ -152,7 +152,14 @@ class SessionService {
 
 		$data = $this->cache->get($token);
 		if ($data !== null) {
-			return Session::fromRow(json_decode($data, true));
+			$session = Session::fromRow(json_decode($data, true));
+			if ($session->getId() !== $sessionId || $session->getDocumentId() !== $documentId) {
+				$this->cache->remove($token);
+				$this->session = false;
+				return false;
+			}
+
+			return $session;
 		}
 
 		try {
author	Julius Härtl <jus@bitgrid.net>	2020-09-07 08:55:21 +0300
committer	GitHub <noreply@github.com>	2020-09-07 08:55:21 +0300
commit	953e679d63de634544e4de095e770a39ed8b42d8 (patch)
tree	255b892b03d5bbdaa4b98f67239d4996e7855438
parent	1572f7b83b1a27b1bc2555ba4218112619daa9a9 (diff)
parent	eb82bb030d47f42b74eeb1f64eecf7bb156725d4 (diff)