Apply patch for session fixation vulnerability (CVE-2009-3585)

bestpractical · Nov 30, 2009 · a8f7dcc · a8f7dcc
1 parent b157bae
commit a8f7dcc
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/html/Elements/SetupSessionCookie b/html/Elements/SetupSessionCookie
@@ -50,7 +50,7 @@ return if $m->is_subrequest; # avoid reentrancy, as suggested by masonbook
 
 my %cookies    = CGI::Cookie->fetch();
 my $cookiename = "RT_SID_" . $RT::rtname . "." . $ENV{'SERVER_PORT'};
-$SessionCookie ||= $cookies{$cookiename} ? $cookies{$cookiename}->value : undef;
+$SessionCookie = $cookies{$cookiename} ? $cookies{$cookiename}->value : undef;
 
 my %backends   = (
     mysql => 'Apache::Session::MySQL',
@@ -97,6 +97,13 @@ if ($@) {
         undef $cookies{$cookiename};
     };
 }
+elsif ( !($session{'CurrentUser'} && $session{'CurrentUser'}->id) ) {
+    eval {
+        undef $cookies{$cookiename};
+        tied(%session)->delete;
+        tie %session, $session_class, undef, $session_properties;
+    }
+}
 
 if ($@) {
     die loc("RT couldn't store your session.") . "\n"