From a3f0ffe6415e85f0955701d25d85482355545f41 Mon Sep 17 00:00:00 2001 From: "jaimepc@gmail.com" Date: Tue, 4 Feb 2014 15:09:35 +0000 Subject: [PATCH] Fix memory leak in session serialization (issue #594) git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3356 44740490-163a-0410-bde0-09ae8108e29a --- lib/SimpleSAML/Memcache.php | 2 +- lib/SimpleSAML/Session.php | 184 ++++++++++++++++++++++-------------- 2 files changed, 115 insertions(+), 71 deletions(-) diff --git a/lib/SimpleSAML/Memcache.php b/lib/SimpleSAML/Memcache.php index 11cf3b58..87431682 100644 --- a/lib/SimpleSAML/Memcache.php +++ b/lib/SimpleSAML/Memcache.php @@ -46,7 +46,7 @@ class SimpleSAML_Memcache { continue; } - /* Deserialize the object. */ + /* Unserialize the object. */ $info = unserialize($serializedInfo); /* diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php index 404b5481..bd79616b 100644 --- a/lib/SimpleSAML/Session.php +++ b/lib/SimpleSAML/Session.php @@ -12,7 +12,7 @@ * @package simpleSAMLphp * @version $Id$ */ -class SimpleSAML_Session { +class SimpleSAML_Session implements Serializable { /** * This is a timeout value for setData, which indicates that the data should be deleted @@ -95,7 +95,7 @@ class SimpleSAML_Session { /** - * This is an array of objects which will autoexpire after a set time. It is used + * This is an array of objects which will expire automatically after a set time. It is used * where one needs to store some information - for example a logout request, but doesn't * want it to be stored forever. * @@ -159,7 +159,7 @@ class SimpleSAML_Session { /** - * private constructor restricts instantiaton to getInstance() + * Private constructor that restricts instantiation to getInstance(). */ private function __construct($transient = FALSE) { @@ -188,6 +188,43 @@ class SimpleSAML_Session { } } + /** + * Serialize this session into a string that can be stored. + * + * @return string The serialized session. + */ + public function serialize() { + return serialize(get_object_vars(self::$instance)); + } + + + /** + * Restore a previously serialized session into the current instance of the session. If no session exists + * already, a new one will be created. + * + * @param string $data A session previously serialized. + */ + public function unserialize($data) { + /* Check if we already have initialized the singleton. */ + if (!isset(self::$instance)) { + /* Create a new one. */ + self::$instance = new SimpleSAML_Session(); + } + + /* Populate it with the unserialized values. */ + $data = unserialize($data); + if (is_array($data)) { + foreach ($data as $k => $v) { + $this->$k = $v; + } + } + + /* TODO: Remove for version 1.8. */ + if ($this->authData === NULL) { + $this->upgradeAuthData(); + } + } + /** * Upgrade this session object to use the $authData property. @@ -244,22 +281,10 @@ class SimpleSAML_Session { /** - * This function is called after this class has been deserialized. - */ - public function __wakeup() { - $this->addShutdownFunction(); - - /* TODO: Remove for version 1.8. */ - if ($this->authData === NULL) { - $this->upgradeAuthData(); - } - } - - - /** - * Retrieves the current session. Will create a new session if there isn't a session. + * Retrieves the current session. Will create a new one if there is none. * - * @return The current session. + * @throws Exception If unable to initialize the session. + * @return SimpleSAML_Session The current session. */ public static function getInstance() { @@ -335,7 +360,7 @@ class SimpleSAML_Session { /** * Retrieve if session is transient. * - * @return boolean The session transient flag. + * @return boolean The session transient flag. */ public function isTransient() { return $this->transient; @@ -345,6 +370,8 @@ class SimpleSAML_Session { /** * Get a unique ID that will be permanent for this session. * Used for debugging and tracing log files related to a session. + * + * @return string The unique ID. */ public function getTrackID() { return $this->trackid; @@ -352,7 +379,9 @@ class SimpleSAML_Session { /** - * Who authorized this session. could be in example saml2, shib13, login,login-admin etc. + * Who authorized this session. Could be for example 'saml2', 'shib13', 'login', 'login-admin' etc. + * + * @return string Who authorized this session. */ public function getAuthority() { return $this->authority; @@ -364,25 +393,28 @@ class SimpleSAML_Session { * The complete request is not stored, instead the values that will be needed later * are stored in an assoc array. * - * @param $protocol saml2 or shib13 - * @param $requestid The request id used as a key to lookup the cache. + * @param string $protocol saml2 or shib13 + * @param string $requestid The request id used as a key to lookup the cache. * - * @return Returns an assoc array of cached variables associated with the + * @return array Returns an assoc array of cached variables associated with the * authentication request. */ public function getAuthnRequest($protocol, $requestid) { - SimpleSAML_Logger::debug('Library - Session: Get authnrequest from cache ' . $protocol . ' time:' . time() . ' id: '. $requestid ); + SimpleSAML_Logger::debug('Library - Session: Get authnrequest from cache ' . $protocol . ' time:' . time() . + ' id: '. $requestid ); $type = 'AuthnRequest-' . $protocol; $authnRequest = $this->getData($type, $requestid); if($authnRequest === NULL) { /* - * Could not find requested ID. Throw an error. Could be that it is never set, or that it is deleted due to age. + * Could not find requested ID. Throw an error. Could be that it is never set, or that it is deleted + * due to age. */ - throw new Exception('Could not find cached version of authentication request with ID ' . $requestid . ' (' . $protocol . ')'); + throw new Exception('Could not find cached version of authentication request with ID ' . $requestid . + ' (' . $protocol . ')'); } return $authnRequest; @@ -392,13 +424,14 @@ class SimpleSAML_Session { /** * This method sets a cached assoc array to the authentication request cache storage. * - * @param $protocol saml2 or shib13 - * @param $requestid The request id used as a key to lookup the cache. - * @param $cache The assoc array that will be stored. + * @param string $protocol 'saml2' or 'shib13' + * @param string $requestid The request id used as a key to lookup the cache. + * @param array $cache The assoc array that will be stored. */ public function setAuthnRequest($protocol, $requestid, array $cache) { - SimpleSAML_Logger::debug('Library - Session: Set authnrequest ' . $protocol . ' time:' . time() . ' size:' . count($cache) . ' id: '. $requestid ); + SimpleSAML_Logger::debug('Library - Session: Set authnrequest ' . $protocol . ' time:' . time() . ' size:' . + count($cache) . ' id: '. $requestid ); $type = 'AuthnRequest-' . $protocol; $this->setData($type, $requestid, $cache); @@ -408,7 +441,7 @@ class SimpleSAML_Session { /** * Set the IdP we are authenticated against. * - * @param string|NULL $idp Our current IdP, or NULL if we aren't authenticated with an IdP. + * @param string|NULL $idp Our current IdP, or NULL if we aren't authenticated with an IdP. */ public function setIdP($idp) { assert('is_string($idp) || is_null($idp)'); @@ -428,7 +461,7 @@ class SimpleSAML_Session { /** * Retrieve the IdP we are currently authenticated against. * - * @return string|NULL Our current IdP, or NULL if we aren't authenticated with an IdP. + * @return string|NULL Our current IdP, or NULL if we aren't authenticated with an IdP. */ public function getIdP() { if (!isset($this->authData[$this->authority]['saml:sp:IdP'])) { @@ -441,7 +474,7 @@ class SimpleSAML_Session { /** * Set the SessionIndex we received from our IdP. * - * @param string|NULL $sessionindex Our SessionIndex. + * @param string|NULL $sessionindex Our SessionIndex. */ public function setSessionIndex($sessionindex) { assert('is_string($sessionindex) || is_null($sessionindex)'); @@ -460,7 +493,7 @@ class SimpleSAML_Session { /** * Retrieve our SessionIndex. * - * @return string|NULL Our SessionIndex. + * @return string|NULL Our SessionIndex. */ public function getSessionIndex() { if (!isset($this->authData[$this->authority]['saml:sp:SessionIndex'])) { @@ -473,7 +506,7 @@ class SimpleSAML_Session { /** * Set our current NameID. * - * @param array|NULL $nameid The NameID we received from the IdP + * @param array|NULL $nameid The NameID we received from the IdP */ public function setNameID($nameid) { assert('is_array($nameid) || is_null($nameid)'); @@ -505,7 +538,7 @@ class SimpleSAML_Session { /** * Set remember me expire time. * - * @param int $expire Unix timestamp when remember me session cookies expire. + * @param int $expire Unix timestamp when remember me session cookies expire. */ public function setRememberMeExpire($expire = NULL) { assert('is_int($expire) || is_null($expire)'); @@ -543,7 +576,8 @@ class SimpleSAML_Session { if ($this->authToken !== NULL) { $globalConfig = SimpleSAML_Configuration::getInstance(); - $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken'), $this->authToken, $params); + $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename', + 'SimpleSAMLAuthToken'), $this->authToken, $params); } } @@ -553,8 +587,8 @@ class SimpleSAML_Session { * * If the user already has logged in, the user will be logged out first. * - * @param string $authority The authority the user logged in with. - * @param array|NULL $data The authentication data for this authority. + * @param string $authority The authority the user logged in with. + * @param array|NULL $data The authentication data for this authority. */ public function doLogin($authority, array $data = NULL) { assert('is_string($authority)'); @@ -593,10 +627,13 @@ class SimpleSAML_Session { $this->authToken = SimpleSAML_Utilities::generateID(); $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler(); - if (!$this->transient && (!empty($data['RememberMe']) || $this->rememberMeExpire) && $globalConfig->getBoolean('session.rememberme.enable', FALSE)) { - $this->setRememberMeExpire(); + if (!$this->transient && (!empty($data['RememberMe']) || $this->rememberMeExpire) && + $globalConfig->getBoolean('session.rememberme.enable', FALSE)) { + + $this->setRememberMeExpire(); } else { - $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken'), $this->authToken); + $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename', + 'SimpleSAMLAuthToken'), $this->authToken); } } @@ -606,7 +643,7 @@ class SimpleSAML_Session { * * This function will call any registered logout handlers before marking the user as logged out. * - * @param string|NULL $authority The authentication source we are logging out of. + * @param string|NULL $authority The authentication source we are logging out of. */ public function doLogout($authority = NULL) { @@ -646,8 +683,8 @@ class SimpleSAML_Session { /** * Set the lifetime for authentication source. * - * @param string $authority The authentication source we are setting expire time for. - * @param int $expire The number of seconds authentication source is valid. + * @param string $authority The authentication source we are setting expire time for. + * @param int $expire The number of seconds authentication source is valid. */ public function setAuthorityExpire($authority, $expire = NULL) { assert('isset($this->authData[$authority])'); @@ -667,7 +704,7 @@ class SimpleSAML_Session { /** * Set the lifetime of our current authentication session. * - * @param int $duration The number of seconds this authentication session is valid. + * @param int $duration The number of seconds this authentication session is valid. */ public function setSessionDuration($duration) { assert('is_int($duration)'); @@ -692,7 +729,8 @@ class SimpleSAML_Session { assert('is_string($authority)'); if (!isset($this->authData[$authority])) { - SimpleSAML_Logger::debug('Session: '. var_export($authority, TRUE) .' not valid because we are not authenticated.'); + SimpleSAML_Logger::debug('Session: '. var_export($authority, TRUE) . + ' not valid because we are not authenticated.'); return FALSE; } @@ -710,7 +748,7 @@ class SimpleSAML_Session { /** * If the user is authenticated, how much time is left of the session. * - * @return int The number of seconds until the session expires. + * @return int The number of seconds until the session expires. */ public function remainingTime() { @@ -726,7 +764,7 @@ class SimpleSAML_Session { /** * Is the user authenticated. This function does not check the session duration. * - * @return bool TRUE if the user is authenticated, FALSE otherwise. + * @return bool TRUE if the user is authenticated, FALSE otherwise. */ public function isAuthenticated() { return isset($this->authData[$this->authority]); @@ -736,7 +774,7 @@ class SimpleSAML_Session { /** * Retrieve the time the user was authenticated. * - * @return int|NULL The timestamp for when the user was authenticated. NULL if the user hasn't authenticated. + * @return int|NULL The timestamp for when the user was authenticated. NULL if the user hasn't authenticated. */ public function getAuthnInstant() { @@ -793,8 +831,8 @@ class SimpleSAML_Session { /** * Set the values of a single attribute. * - * @param string $name The name of the attribute. - * @param array $value The values of the attribute. + * @param string $name The name of the attribute. + * @param array $value The values of the attribute. */ public function setAttribute($name, $value) { assert('isset($this->authData[$this->authority])'); @@ -807,7 +845,7 @@ class SimpleSAML_Session { /** * Calculates the size of the session object after serialization * - * @return The size of the session measured in bytes. + * @return int The size of the session measured in bytes. */ public function getSize() { $s = serialize($this); @@ -818,8 +856,9 @@ class SimpleSAML_Session { /** * This function registers a logout handler. * - * @param $classname The class which contains the logout handler. - * @param $functionname The logout handler function. + * @param string $classname The class which contains the logout handler. + * @param string $functionname The logout handler function. + * @throws Exception If the handler is not a valid function or method. */ public function registerLogoutHandler($classname, $functionname) { assert('isset($this->authData[$this->authority])'); @@ -840,7 +879,8 @@ class SimpleSAML_Session { /** * This function calls all registered logout handlers. * - * @param string $authority The authentication source we are logging out from. + * @param string $authority The authentication source we are logging out from. + * @throws Exception If the handler is not a valid function or method. */ private function callLogoutHandlers($authority) { assert('is_string($authority)'); @@ -957,17 +997,20 @@ class SimpleSAML_Session { * The timeout value can be SimpleSAML_Session::DATA_TIMEOUT_LOGOUT, which indicates * that the data should be deleted on logout (and not before). * - * @param $type The type of the data. This is checked when retrieving data from the store. - * @param $id The identifier of the data. - * @param $data The data. - * @param $timeout The number of seconds this data should be stored after its last access. - * This parameter is optional. The default value is set in 'session.datastore.timeout', - * and the default is 4 hours. + * @param string $type The type of the data. This is checked when retrieving data from the store. + * @param string $id The identifier of the data. + * @param mixed $data The data. + * @param int|NULL $timeout The number of seconds this data should be stored after its last access. + * This parameter is optional. The default value is set in 'session.datastore.timeout', + * and the default is 4 hours. + * @throws Exception If the data couldn't be stored. + * */ public function setData($type, $id, $data, $timeout = NULL) { assert('is_string($type)'); assert('is_string($id)'); - assert('is_int($timeout) || is_null($timeout) || $timeout === self::DATA_TIMEOUT_LOGOUT || $timeout === self::DATA_TIMEOUT_SESSION_END'); + assert('is_int($timeout) || is_null($timeout) || $timeout === self::DATA_TIMEOUT_LOGOUT ||'. + ' $timeout === self::DATA_TIMEOUT_SESSION_END'); /* Clean out old data. */ $this->expireData(); @@ -1027,9 +1070,9 @@ class SimpleSAML_Session { * Note that this will not change when the data stored in the data store will expire. If that is required, * the data should be written back with setData. * - * @param $type The type of the data. This must match the type used when adding the data. - * @param $id The identifier of the data. Can be NULL, in which case NULL will be returned. - * @return The data of the given type with the given id or NULL if the data doesn't exist in the data store. + * @param string $type The type of the data. This must match the type used when adding the data. + * @param string|NULL $id The identifier of the data. Can be NULL, in which case NULL will be returned. + * @return mixed The data of the given type with the given id or NULL if the data doesn't exist in the data store. */ public function getData($type, $id) { assert('is_string($type)'); @@ -1066,8 +1109,8 @@ class SimpleSAML_Session { * * An empty array will be returned if no data of the given type is found. * - * @param $type The type of the data. - * @return An associative array with all data of the given type. + * @param string $type The type of the data. + * @return array An associative array with all data of the given type. */ public function getDataOfType($type) { assert('is_string($type)'); @@ -1137,7 +1180,8 @@ class SimpleSAML_Session { $globalConfig = SimpleSAML_Configuration::getInstance(); if ($session->authToken !== NULL) { - $authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken'); + $authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename', + 'SimpleSAMLAuthToken'); if (!isset($_COOKIE[$authTokenCookieName])) { SimpleSAML_Logger::warning('Missing AuthToken cookie.'); return NULL; @@ -1369,7 +1413,7 @@ class SimpleSAML_Session { * This function is just for backwards-compatibility. New code should * use the SimpleSAML_IdP::getAssociations()-function. * - * @return array Array of SAML 2 entitiyIDs. + * @return array Array of SAML 2 entityIDs. * @deprecated Will be removed in the future. */ public function get_sp_list() {