Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(dev/drupal#163) Session erroneously getting set to NULL on change #21403

Merged
merged 1 commit into from
Sep 30, 2021
Merged

(dev/drupal#163) Session erroneously getting set to NULL on change #21403

merged 1 commit into from
Sep 30, 2021

Conversation

GValFr35
Copy link

@GValFr35 GValFr35 commented Sep 8, 2021
edited
Loading

Session erroneously getting set to NULL on change (Drupal user login)

Overview

In some cases (ie drupal login / user impersonation (masquerade) / login with externalAuth...), the session id change and CiviCRM remove all the data from $_SESSION, included data out of 'CiviCRM' scope.

Before

  • Session values set before sign in are lost once authenticated. (tested with Drupal 9)
  • Signing in using an external auth provider does not work (tested on Drupal 9 with CAS module).

After

  • Session values out of 'CiviCRM' scope are remains. (D7 8 9)
  • Signing in works correctly with external provider (CAS). (D7 8 9)
  • Masquerading still works. (tested D7 8 9)

Technical Details

This issue is a consequence of previous PR from (dev/drupal#98) that managed to fix CRM_Core_Session::_session reference issue. When masquerading with Drupal 7, the $_SESSION change and the CRM_Core_Session::_session doesn't refer the new $_SESSION array.
This PR purposes are:

  • Ensures that session values ​​outside of "CiviCRM" scope are not removed by CiviCRM.
  • Ensures that CRM_Core_Session::_session is still a valid reference to $_SESSION.

@civibot
Copy link

civibot bot commented Sep 8, 2021

(Standard links)

@civibot civibot bot added the master label Sep 8, 2021
@civicrm-builder
Copy link

Can one of the admins verify this patch?

mlutfy
mlutfy reviewed Sep 8, 2021
View reviewed changes
CRM/Core/Session.php
@@ -171,9 +163,9 @@ public function reset($all = 1) {
unset($this->_session[$this->_key]);
}
else {
$this->_session = [];
$this->_session[$this->_key] = [];
unset($this->_session);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

won't this unset nuke the $_SESSION, because $this->_session is a reference to that variable?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

Short Example:
$a = 1;
$b = &$a;
$b++;

echo $a; // display 2
echo $b; // display 2

unset($b);
echo $a; // still display 2
echo $b; // undefined

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh - right, make sense, merci :)

@mlutfy
Copy link
Member

mlutfy commented Sep 8, 2021

jenkins, test this please

@mlutfy
Copy link
Member

mlutfy commented Sep 8, 2021

add to whitelist

@mlutfy
Copy link
Member

mlutfy commented Sep 8, 2021

unfortunately there are very few tests on sessions (phpunit/CRM/Core/SessionTest.php)

@mlutfy
Copy link
Member

mlutfy commented Sep 8, 2021

Test error:


PHP Notice:  Undefined variable: _SESSION in /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php on line 125
PHP Stack trace:
PHP   1. {main}() /home/jenkins/bknix-dfl/bin/cv:0
PHP   2. require() /home/jenkins/bknix-dfl/bin/cv:14
PHP   3. Civi\Cv\Application::main() phar:///home/jenkins/bknix-dfl/bin/cv/bin/cv:27
PHP   4. Civi\Cv\Application->run() phar:///home/jenkins/bknix-dfl/bin/cv/src/Application.php:15
PHP   5. Civi\Cv\Application->doRun() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:124
PHP   6. Civi\Cv\Application->doRun() phar:///home/jenkins/bknix-dfl/bin/cv/src/Application.php:46
PHP   7. Civi\Cv\Application->doRunCommand() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:193
PHP   8. Civi\Cv\Command\EvalCommand->run() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:850
PHP   9. Civi\Cv\Command\EvalCommand->execute() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Command/Command.php:257
PHP  10. Civi\Cv\Command\EvalCommand->boot() phar:///home/jenkins/bknix-dfl/bin/cv/src/Command/EvalCommand.php:44
PHP  11. call_user_func:{phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39}() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39
PHP  12. Civi\Cv\Command\EvalCommand->_boot_full() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39
PHP  13. Civi\Cv\Bootstrap->boot() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:93
PHP  14. CRM_Core_Config::singleton() phar:///home/jenkins/bknix-dfl/bin/cv/src/Bootstrap.php:230
PHP  15. Civi\Core\Container::boot() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Config.php:93
PHP  16. CRM_Core_Config::isUpgradeMode() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/Civi/Core/Container.php:566
PHP  17. CRM_Core_Session->get() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Config.php:410
PHP  18. CRM_Core_Session->createScope() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php:262
PHP  19. CRM_Core_Session->initialize() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php:180
/home/jenkins/bknix-dfl/bin/civi-test-run: line 276: pushd: $'\nNotice: Undefined variable: _SESSION in /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php on line 125\n\nCall Stack:\n    0.0006     421744   1. {main}() /home/jenkins/bknix-dfl/bin/cv:0\n    0.0113    1042472   2. require(\'phar:///home/jenkins/bknix-dfl/bin/cv/bin/cv\') /home/jenkins/bknix-dfl/bin/cv:14\n    0.0136    1644160   3. Civi\\Cv\\Application::main() phar:///home/jenkins/bknix-dfl/bin/cv/bin/cv:27\n    0.0270    3474904   4. Civi\\Cv\\Application->run() phar:///home/jenkins/bknix-dfl/bin/cv/src/Application.php:15\n    0.0285    3738856   5. Civi\\Cv\\Application->doRun() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:124\n    0.0286    3738856   6. Civi\\Cv\\Application->doRun() phar:///home/jenkins/bknix-dfl/bin/cv/src/Application.php:46\n    0.0286    3738856   7. Civi\\Cv\\Application->doRunCommand() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:193\n    0.0287    3738856   8. Civi\\Cv\\Command\\EvalCommand->run() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Application.php:850\n    0.0288    3741024   9. Civi\\Cv\\Command\\EvalCommand->execute() phar:///home/jenkins/bknix-dfl/bin/cv/vendor/symfony/console/Command/Command.php:257\n    0.0288    3741024  10. Civi\\Cv\\Command\\EvalCommand->boot() phar:///home/jenkins/bknix-dfl/bin/cv/src/Command/EvalCommand.php:44\n    0.0289    3741472  11. call_user_func:{phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39}() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39\n    0.0289    3741472  12. Civi\\Cv\\Command\\EvalCommand->_boot_full() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:39\n    0.0293    3960736  13. Civi\\Cv\\Bootstrap->boot() phar:///home/jenkins/bknix-dfl/bin/cv/src/Util/BootTrait.php:93\n    0.0418    5016632  14. CRM_Core_Config::singleton() phar:///home/jenkins/bknix-dfl/bin/cv/src/Bootstrap.php:230\n    0.0442    5541184  15. Civi\\Core\\Container::boot() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Config.php:93\n    0.0453    5698712  16. CRM_Core_Config::isUpgradeMode() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/Civi/Core/Container.php:566\n    0.0457    5754088  17. CRM_Core_Session->get() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Config.php:410\n    0.0457    5754088  18. CRM_Core_Session->createScope() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php:262\n    0.0457    5754088  19. CRM_Core_Session->initialize() /home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/CRM/Core/Session.php:180\n\n/home/jenkins/bknix-dfl/build/core-21403-85k9u/web/sites/all/modules/civicrm/': No such file or directory

@seamuslee001
Copy link
Contributor

Just noting that we should check that dev/drupal#98 is still fixed as per this PR 9b41879 which added in the session_id handing

@Valfr35
Ensures that session values ​​outer of "CiviCRM" scope are not altere…
1fa3e6a 
…d by the CRM.

Ensures that CRM_Core_Session::_session is still a valid reference to $_SESSION.
@GValFr35 GValFr35 force-pushed the fix-session-reference-5.40 branch from bd83880 to 1fa3e6a Compare September 9, 2021 08:15
@elisseck
Copy link
Contributor

elisseck commented Sep 9, 2021

Just noting that we should check that dev/drupal#98 is still fixed as per this PR 9b41879 which added in the session_id handing

I wasn't able to easily test d7 yet - but FWIW I was able to masquerade correctly in Drupal 9.1.12 and Masquerade 8.x-2.0-beta4 both before and after this commit, however this does resolve our D9/Commerce checkout-with-login issue.

@mlutfy mlutfy added the merge ready PR will be merged after a few days if there are no objections label Sep 18, 2021
@mlutfy
Copy link
Member

mlutfy commented Sep 18, 2021

Looks like merge-ready, based on @elisseck's review. (looks safe to merge in a few days, unless there are objections)

@demeritcowboy
Copy link
Contributor

Jenkins retest this please.
Just checking since 11 days is enormous in this 5.43 cycle.

My only thoughts on this one might be that maybe it allows a malicious module/extension to access non-civi parts of the anonymous session that haven't been cleared which might be from another person previously using the browser. But (a) that's generally true, and is why people are encouraged to close their browser when done on shared machines, and (b) are shared machines even still a thing.

@demeritcowboy demeritcowboy added merge on pass and removed merge ready PR will be merged after a few days if there are no objections labels Sep 29, 2021
@demeritcowboy
Copy link
Contributor

Jenkins retest this please.

@demeritcowboy demeritcowboy merged commit b2fb9ff into civicrm:master Sep 30, 2021
@sunilpawar sunilpawar mentioned this pull request Jan 13, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlutfy mlutfy mlutfy left review comments

Assignees
No one assigned
Labels
master merge on pass
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@GValFr35 @civicrm-builder @mlutfy @seamuslee001 @elisseck @demeritcowboy @Valfr35