Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[Session] limiting :key for GET_LOCK to 64 chars#27250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Merged
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
fabpot requested changesMay 14, 2018
| switch ($this->driver) { | ||
| case'mysql': | ||
| // MySQL 5.7.5 and later enforces a maximum length on lock names of 64 characters. Previously, no limit was enforced. | ||
| $lockId =\substr($sessionId,0,64); |
Member
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'd recommend to hash the session id instead (or doing something similar) as keeping just the first 64 chars could lead to conflicts depending on how the session id is generated.
Contributor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The session id is just a random string. So hashing that does not reduce the likeliness of collisions compared to just using the first 64 bytes.
ContributorAuthor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@fabian,@Tobion is right, session_id is just a random string, which is result ofhttp://php.net/manual/en/session.configuration.php#ini.session.hash-function and by default it's md5
| * Returns a merge/upsert (i.e. insert or update) statement when supported by the database for writing session data. | ||
| */ | ||
| privatefunctiongetMergeStatement(string$sessionId,string$data,int$maxlifetime): ?\PDOStatement | ||
| privatefunctiongetMergeStatement(string$sessionId,string$data,int$maxlifetime): ?\PDOStatement |
Contributor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This has already been fixed in4f3afd5 and will be merge upwards in later branches automatically. So please remove this change.
ContributorAuthor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Will rebase branch
Contributor
Tobion commentedMay 14, 2018
To me this is a bugfix and should be opened against 2.7 branch. |
ContributorAuthor
oleg-andreyev commentedMay 14, 2018
@Tobion agree, let's rebase on 2.7 |
1555e16 to4e057b8Compareoleg-andreyev added a commit to oleg-andreyev/symfony that referenced this pull requestMay 14, 2018
…ySQL 5.7.5 and later
4e057b8 tod7d4e41Compareoleg-andreyev added a commit to oleg-andreyev/symfony that referenced this pull requestMay 14, 2018
…ySQL 5.7.5 and later
…ySQL 5.7.5 and later
4c52bc6 to9cda96bComparenicolas-grekas approved these changesMay 14, 2018
Tobion approved these changesMay 14, 2018
fabpot approved these changesMay 15, 2018
Member
fabpot commentedMay 15, 2018
Thank you@oleg-andreyev. |
fabpot added a commit that referenced this pull requestMay 15, 2018
…reyev)This PR was merged into the 2.7 branch.Discussion----------[Session] limiting :key for GET_LOCK to 64 chars| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | -| License | MIT> MySQL 5.7.5 and later enforces a maximum length on lock names of 64 characters. Previously, no limit was enforced.Cases:- `session_id` is set by developers manually- `session.sid_length` is configuredRef.:-https://dev.mysql.com/doc/refman/5.7/en/miscellaneous-functions.html#function_get-lock-http://php.net/manual/en/session.configuration.php#ini.session.sid-lengthOther issues:-go-sql-driver/mysql#385-stefangabos/Zebra_Session#16Commits-------9cda96b#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later
nicolas-grekas added a commit that referenced this pull requestMay 15, 2018
* 2.7: [Security] Fix logout#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors Suppress warnings when open_basedir is non-empty
nicolas-grekas added a commit that referenced this pull requestMay 16, 2018
* 2.8: [Security] Fix logout#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors Suppress warnings when open_basedir is non-empty
nicolas-grekas added a commit that referenced this pull requestMay 16, 2018
* 3.4: fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors [DI] Display previous error messages when throwing unused bindings Suppress warnings when open_basedir is non-empty
nicolas-grekas added a commit that referenced this pull requestMay 16, 2018
* 4.0: (21 commits) [PropertyInfo] fix resolving parent|self type hints fixed CS fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors fixed CS fixed CS fixed CS [FrameworkBundle] Fix cache:clear on vagrant [HttpKernel] Handle NoConfigurationException "onKernelException()" Fix misses calculation when calling getItems [DI] Display previous error messages when throwing unused bindings Fixed return type ...
nicolas-grekas added a commit that referenced this pull requestMay 16, 2018
* 4.1: (22 commits) Fix CS [PropertyInfo] fix resolving parent|self type hints fixed CS fix merge [Security] Fix logout Cleanup 2 tests for the HttpException classes#27250 limiting GET_LOCK key up to 64 char due to changes in MySQL 5.7.5 and later [Config] Fix tests when path contains UTF chars [DI] Shared services should not be inlined in non-shared ones [Profiler] Remove propel & event_listener_loading category identifiers [Filesystem] Fix usages of error_get_last() [Cache][Lock] Fix usages of error_get_last() [Debug] Fix populating error_get_last() for handled silent errors fixed CS fixed CS fixed CS [FrameworkBundle] Fix cache:clear on vagrant [HttpKernel] Handle NoConfigurationException "onKernelException()" Fix misses calculation when calling getItems [DI] Display previous error messages when throwing unused bindings ...
This was referencedMay 21, 2018
Merged
Merged
Merged
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
Cases:
session_idis set by developers manuallysession.sid_lengthis configuredRef.:
Other issues: