From: Tim Düsterhus Date: Wed, 18 Aug 2021 07:44:07 +0000 (+0200) Subject: Fix unpacking of the sessionId X-Git-Tag: 5.4.5_RC_1~38^2~1 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3f2cf3b4d439d79d404312f4bf3362d980101f4a;p=GitHub%2FWoltLab%2FWCF.git Fix unpacking of the sessionId As documented by PHP's reference documentation: > The "a" code now retains trailing NULL bytes. > The "A" code now strips all trailing ASCII whitespace (spaces, tabs, > newlines, carriage returns, and NULL bytes). Previously, with the 'A' code, sessionIds ending in ASCII whitespace would be incorrectly unpacked, missing their trailing bytes. This ultimately resulted in the session not being found and the user being logged out. Five of the 256 possible characters exhibited this bug, making this fail in roughly 2% of the cases. However this likely was not noticable by the typical user. Once they have a non-affected sessionId, this Id is not going to change. What the user might've noticed is a login not working, despite showing a success message, because they sessionId change after a successful login handed out an affected sessionId. But then the user would likely try again, succeeding this time and writing off the incident as a fluke. Test script to reproduce the issue: