Merge branch '4.4' into 5.4

nicolas-grekas · nicolas-grekas · commit 1a010a5f2888 · 2022-05-17T17:07:29.000+02:00
* 4.4:
  [HttpClient] Add missing HttpOptions::setMaxDuration()
  [HttpFoundation] [Session] Overwrite invalid session id
diff --git a/src/Symfony/Component/HttpClient/HttpOptions.php b/src/Symfony/Component/HttpClient/HttpOptions.php
@@ -197,6 +197,16 @@ public function setTimeout(float $timeout)
         return $this;
     }
 
+    /**
+     * @return $this
+     */
+    public function setMaxDuration(float $maxDuration)
+    {
+        $this->options['max_duration'] = $maxDuration;
+
+        return $this;
+    }
+
     /**
      * @return $this
      */
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -145,6 +145,12 @@ public function start()
             throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
         }
 
+        $sessionId = $_COOKIE[session_name()] ?? null;
+        if ($sessionId && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
+            // the session ID in the header is invalid, create a new one
+            session_id(session_create_id());
+        }
+
         // ok to try and start the session
         if (!session_start()) {
             throw new \RuntimeException('Failed to start the session.');
diff --git a/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php b/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php
@@ -286,4 +286,13 @@ public function testGetBagsOnceSessionStartedIsIgnored()
 
         $this->assertEquals($storage->getBag('flashes'), $bag);
     }
+
+    public function testRegenerateInvalidSessionId()
+    {
+        $_COOKIE[session_name()] = '&~[';
+        $started = (new NativeSessionStorage())->start();
+
+        $this->assertTrue($started);
+        $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -286,4 +286,13 @@ public function testGetBagsOnceSessionStartedIsIgnored()`
`286`	`286`
`287`	`287`	`$this->assertEquals($storage->getBag('flashes'), $bag);`
`288`	`288`	`}`
	`289`	`+`
	`290`	`+ public function testRegenerateInvalidSessionId()`
	`291`	`+ {`
	`292`	`+ $_COOKIE[session_name()] = '&~[';`
	`293`	`+ $started = (new NativeSessionStorage())->start();`
	`294`	`+`
	`295`	`+ $this->assertTrue($started);`
	`296`	`+ $this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());`
	`297`	`+ }`
`289`	`298`	`}`