From 5f40ce013d8dbeea9231e6b07c1d413068bf7363 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Tue, 4 May 2021 14:52:36 +0200
Subject: [PATCH] Suppress legacy session for ACP activity

Even if the actual locations are hidden this might leak information about ACP activity.
---
 .../system/session/SessionHandler.class.php | 80 ++++++++++---------
 1 file changed, 42 insertions(+), 38 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 0452c34871..b1a744ed80 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -637,31 +637,33 @@ final class SessionHandler extends SingletonFactory
             $this->sessionID,
         ]);
 
-        // Fetch legacy session.
-        $condition = new PreparedStatementConditionBuilder();
-
-        if ($row['userID']) {
-            // The `userID IS NOT NULL` condition technically is redundant, but is added for
-            // clarity and consistency with the guest case below.
-            $condition->add('userID IS NOT NULL');
-            $condition->add('userID = ?', [$row['userID']]);
-        } else {
-            $condition->add('userID IS NULL');
-            $condition->add('(sessionID = ? OR spiderID = ?)', [
-                $row['sessionID'],
-                $this->getSpiderID(UserUtil::getUserAgent()),
-            ]);
-        }
+        if (!$this->isACP) {
+            // Fetch legacy session.
+            $condition = new PreparedStatementConditionBuilder();
+
+            if ($row['userID']) {
+                // The `userID IS NOT NULL` condition technically is redundant, but is added for
+                // clarity and consistency with the guest case below.
+                $condition->add('userID IS NOT NULL');
+                $condition->add('userID = ?', [$row['userID']]);
+            } else {
+                $condition->add('userID IS NULL');
+                $condition->add('(sessionID = ? OR spiderID = ?)', [
+                    $row['sessionID'],
+                    $this->getSpiderID(UserUtil::getUserAgent()),
+                ]);
+            }
 
-        $sql = "SELECT *
-                FROM wcf" . WCF_N . "_session
-                " . $condition;
-        $statement = WCF::getDB()->prepareStatement($sql);
-        $statement->execute($condition->getParameters());
-        $this->legacySession = $statement->fetchSingleObject(LegacySession::class);
+            $sql = "SELECT *
+                    FROM wcf" . WCF_N . "_session
+                    " . $condition;
+            $statement = WCF::getDB()->prepareStatement($sql);
+            $statement->execute($condition->getParameters());
+            $this->legacySession = $statement->fetchSingleObject(LegacySession::class);
 
-        if (!$this->legacySession) {
-            $this->legacySession = $this->createLegacySession();
+            if (!$this->legacySession) {
+                $this->legacySession = $this->createLegacySession();
+            }
         }
 
         return true;
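Review bot: Behind the new `if (!$this->isACP)` guard, `$this->legacySession` is never assigned on the ACP path of this hunk, so it keeps whatever value it held before (presumably the property default, which is not visible here); any later code that dereferences the legacy session, such as activity updates or logout cleanup, now has to tolerate a null legacy session in the ACP, and the same applies to the second hunk. The guard also carries no comment saying why the ACP is excluded, which is the whole point of the change; I would open the branch with `// Skip the legacy session (users-online list) in the ACP so that` / `// administrative activity is not recorded there.` The enclosing method starts before this hunk.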
@@ -705,22 +707,24 @@ final class SessionHandler extends SingletonFactory
         // Maintain legacy session table for users online list.
         $this->legacySession = null;
 
-        // Try to find an existing spider session. Order by lastActivityTime to maintain a
-        // stable selection in case duplicates exist for some reason.
-        $spiderID = $this->getSpiderID(UserUtil::getUserAgent());
-        if ($spiderID) {
-            $sql = "SELECT *
-                    FROM wcf" . WCF_N . "_session
-                    WHERE spiderID = ?
-                    AND userID IS NULL
-                    ORDER BY lastActivityTime DESC";
-            $statement = WCF::getDB()->prepareStatement($sql);
-            $statement->execute([$spiderID]);
-            $this->legacySession = $statement->fetchSingleObject(LegacySession::class);
-        }
+        if (!$this->isACP) {
+            // Try to find an existing spider session. Order by lastActivityTime to maintain a
+            // stable selection in case duplicates exist for some reason.
+            $spiderID = $this->getSpiderID(UserUtil::getUserAgent());
+            if ($spiderID) {
+                $sql = "SELECT *
+                        FROM wcf" . WCF_N . "_session
+                        WHERE spiderID = ?
+                        AND userID IS NULL
+                        ORDER BY lastActivityTime DESC";
+                $statement = WCF::getDB()->prepareStatement($sql);
+                $statement->execute([$spiderID]);
+                $this->legacySession = $statement->fetchSingleObject(LegacySession::class);
+            }
 
-        if (!$this->legacySession) {
-            $this->legacySession = $this->createLegacySession();
+            if (!$this->legacySession) {
+                $this->legacySession = $this->createLegacySession();
+            }
         }
     }
 
-- 
2.20.1
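Review bot: The retained context comment `// Maintain legacy session table for users online list.` now sits directly above a block that deliberately does not maintain that table for ACP requests, so a reader skimming the method will assume the table is always written. I would extend it to `// Maintain legacy session table for users online list. ACP requests are` / `// intentionally not recorded there (see the isACP check below).` The enclosing method starts before this hunk.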