From 3f2cf3b4d439d79d404312f4bf3362d980101f4a Mon Sep 17 00:00:00 2001
From: Tim Düsterhus
Date: Wed, 18 Aug 2021 09:44:07 +0200
Subject: [PATCH] Fix unpacking of the sessionId

As documented by PHP's reference documentation:

> The "a" code now retains trailing NULL bytes.
> The "A" code now strips all trailing ASCII whitespace (spaces, tabs,
> newlines, carriage returns, and NULL bytes).

Previously, with the 'A' code, sessionIds ending in ASCII whitespace would
be incorrectly unpacked, missing their trailing bytes. This ultimately
resulted in the session not being found and the user being logged out.

Five of the 256 possible characters exhibited this bug, making this fail in
roughly 2% of the cases. However, this likely was not noticeable by the
typical user. Once they have a non-affected sessionId, this Id is not going
to change.

What the user might've noticed is a login not working, despite showing a
success message, because the sessionId change after a successful login
handed out an affected sessionId. But then the user would likely try again,
succeeding this time and writing off the incident as a fluke.

Test script to reproduce the issue:
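The following is an added illustration written for this page; it is not the test script referenced by the commit message and not code from the project. It shows the mechanism the message describes: unpacking a fixed-width binary field with the 'A' code silently drops trailing bytes that PHP treats as ASCII whitespace (NUL, tab, LF, CR and space), while the 'a' code returns every byte. The 20-byte session id length, the field name `sessionId` and the filler byte 0x42 are assumptions made for the example; the loop enumerates all 256 possible trailing bytes so you can see which ones, and how many, the buggy decode loses.

```php
<?php
// Added example, not from the original commit or project.
// Assumed field width for the example; the real structure may differ.
declare(strict_types=1);

const SESSION_ID_LENGTH = 20;

/**
 * Buggy decode: 'A' strips trailing ASCII whitespace, including NUL,
 * so a binary id whose last byte is one of those characters comes back short.
 */
function unpackSessionIdBuggy(string $packed): string
{
    return unpack('A' . SESSION_ID_LENGTH . 'sessionId', $packed)['sessionId'];
}

/** Fixed decode: 'a' retains every byte of the field, trailing NULs included. */
function unpackSessionIdFixed(string $packed): string
{
    return unpack('a' . SESSION_ID_LENGTH . 'sessionId', $packed)['sessionId'];
}

/**
 * Returns the list of trailing byte values (as hex strings) for which the
 * buggy decode does not round-trip a constructed 20-byte session id.
 * Also asserts that the fixed decode round-trips every one of the 256 values.
 */
function findAffectedTrailingBytes(): array
{
    $affected = [];
    for ($byte = 0; $byte < 256; $byte++) {
        // Constructed id: 19 bytes of 0x42 followed by the byte under test,
        // so only the last position varies between iterations.
        $sessionId = str_repeat("\x42", SESSION_ID_LENGTH - 1) . chr($byte);
        $packed = pack('a' . SESSION_ID_LENGTH, $sessionId);

        if (unpackSessionIdBuggy($packed) !== $sessionId) {
            $affected[] = sprintf('0x%02x', $byte);
        }
        if (unpackSessionIdFixed($packed) !== $sessionId) {
            throw new RuntimeException("'a' code failed to round-trip byte $byte");
        }
    }
    return $affected;
}

$affected = findAffectedTrailingBytes();
printf(
    "Trailing bytes lost by the 'A' code: %s (%d of 256, %.1f%%)\n",
    implode(' ', $affected),
    count($affected),
    count($affected) / 256 * 100
);
```

Run it with `php` on any version from 5.5 onward (the release in which the 'A' and 'a' semantics quoted in the commit message took effect). A byte-string lookup key such as a session id must be decoded with the length-preserving 'a' code; a lookup that silently shortens the key in a small fraction of cases produces exactly the intermittent "not found" behaviour described above, which is easy to misread as a flaky login rather than a decoding bug.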