[commits] Horde branch master updated. 3127c619e8e518ea6116b348b02fba3011322d3e

Jan Schneider jan at horde.org
Wed Mar 29 08:47:34 UTC 2017


The branch "master" has been updated.
The following is a summary of the commits.

from: 1d5952823f746b23363b9af6050dcfca8ba7762f

3127c61 Fix unpacking encrypted session data.

Summary: http://github.com/horde/horde/compare/1d5952823f746b23363b9af6050dcfca8ba7762f...3127c619e8e518ea6116b348b02fba3011322d3e

-----------------------------------------------------------------------

commit 3127c619e8e518ea6116b348b02fba3011322d3e
Author: Jan Schneider <jan at horde.org>
Date:   Wed Mar 29 10:44:34 2017 +0200

    Fix unpacking encrypted session data.
    
    This should fix the "User not authorized for ..." log messages.
    
    When storing data in the session, we pack, i.e. compress and/or
    serialize it, if it's non-scalar data, and encrypt it, if it's
    sensitive data. We store a mask prefix with the data, specifying the
    packing method, or indicating no packing by using a NUL char. When
    retrieving data back from the session we incorrectly checked for the
    mask *first* and only *then* decrypted the data, if necessary. But,
    every once in a while, the data encryption produced a byte stream with
    a leading NUL character. So we mistakenly assumed it was not packed,
    returned the unpacked data, and the downstream authentication code
    could no longer retrieve the authentication credentials array from the
    session.

 framework/Core/lib/Horde/Session.php | 6 ++++--
 framework/Core/package.xml           | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

http://github.com/horde/horde/commit/3127c619e8e518ea6116b348b02fba3011322d3e
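
The ordering problem described in the commit message, as an added example (a simplified model, not Horde's Session.php). The mask values, the function names and the AES-CTR stand-in cipher with a prepended random IV are assumptions made for illustration; the credentials array is constructed sample data.

```php
<?php
// Simplified model of the bug; not Horde's code. Mask values, key handling
// and the AES-CTR stand-in cipher are assumptions for illustration only.
const MASK_NONE = "\0";          // NUL prefix: value stored without packing
const MASK_SERIALIZED = "\x01";  // hypothetical mask for serialized data

function pack_value($value): string {
    return is_scalar($value) ? MASK_NONE . $value
                             : MASK_SERIALIZED . serialize($value);
}

function unpack_value(string $data) {
    $body = substr($data, 1);
    return $data[0] === MASK_NONE ? $body : unserialize($body);
}

function encrypt(string $plain, string $key): string {
    $iv = random_bytes(16);      // random IV is the first 16 stored bytes
    return $iv . openssl_encrypt($plain, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv);
}

function decrypt(string $blob, string $key): string {
    return openssl_decrypt(substr($blob, 16), 'aes-256-ctr', $key,
                           OPENSSL_RAW_DATA, substr($blob, 0, 16));
}

// Before the fix: the mask is tested on the still-encrypted bytes.
function read_buggy(string $stored, string $key) {
    if ($stored[0] === MASK_NONE) {
        return substr($stored, 1);   // ciphertext mistaken for a plain scalar
    }
    return unpack_value(decrypt($stored, $key));
}

// After the fix: decrypt first, then interpret the mask.
function read_fixed(string $stored, string $key) {
    return unpack_value(decrypt($stored, $key));
}

$key = random_bytes(32);
$credentials = ['userId' => 'alice', 'credentials' => ['password' => 'constructed']];
$trials = 5000; $buggy = 0; $fixed = 0;
for ($i = 0; $i < $trials; $i++) {
    $stored = encrypt(pack_value($credentials), $key);
    if (read_buggy($stored, $key) !== $credentials) $buggy++;
    if (read_fixed($stored, $key) !== $credentials) $fixed++;
}
printf("buggy read failed %d/%d times (about 1 in 256 expected)\n", $buggy, $trials);
printf("fixed read failed %d/%d times\n", $fixed, $trials);
```

Because the first stored byte is uniformly random, the buggy reader misfires on roughly one write in 256, which matches the intermittent log messages the commit mentions.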



