Wrong login/password since v0.5.2

[dper]

If I upgrade to v0.5.2, whenever I try to log in I get the popup window showing the error message, The page at [my domain] says: Wrong login/password. This started happening recently. If I check out v0.5.1 or earlier, the login process works normally as it has in the past.

• My web server is Dreamhost.com, a commercial web host. (I can to some degree provide more details of the setup on Dreamhost, but since it's a third party host, there are things outside of my control even if we know what's going wrong. If things seem to be heading in that direction, we might be better off not spending much time on this.)
• PHP 5.4.42.
• Apache 2.2.22-21.

I take a browser and clear the memory. I load my instance of Shaarli. Let's suppose it's "mydomain.org". Before trying to log in, I examine the cookies. There are two, shaarli and shaarli_staySignedIn.

Here is access.log when I try to log in and fail.

xxx.xxx.xxx.xxx - - [02/Sep/2015:06:19:11 -0700] "GET /bookmarks/?do=login HTTP/1.1" 200 5718 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" 
xxx.xxx.xxx.xxx - - [02/Sep/2015:06:19:19 -0700] "POST /bookmarks/?do=login HTTP/1.1" 200 849 "https://mydomain.org/bookmarks/?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" 
xxx.xxx.xxx.xxx - - [02/Sep/2015:06:19:29 -0700] "GET /bookmarks/?do=login HTTP/1.1" 200 3252 "https://mydomain.org/bookmarks/?do=login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"

Nothing posts to error.log.

I have tried using both Iceweasel (Firefox) and Chromium. I have also tried enabling 3rd party cookies. The results are the same. Let me know if there's any other information I can provide.

[ArthurHoaro]

Can you make sure that you're shaarli cookie is attached to the hostname you're visiting in your browser?

EDIT: also, what's its value?

[dper]

Name: shaarli
Content: LEVQF9tKKPN6oBX4wShqh2
Domain: .mydomain.org
Path: /bookmarks/
Send for: Any kind of connection
...

The content of the cookie changes each time I open the browser. (I also have the browser set to clear cookies on exit.) In the web browser, I can see no substantive differences between the cookies when switching between v0.5.1 and v0.5.2.

[ArthurHoaro]

Holy crap! In application/Utils.php, line 159, add i at the end of the regexp

if (!preg_match('/^[a-z0-9]{2,32}$/i', $sessionId)) {

And let me know if it's working.

[dper]

@ArthurHoaro If I add the i as you wrote, then it works. (Also, that was some quick work. Thanks!)

[virtualtam]

Thanks @dper for the feedback & @ArthurHoaro for the quick fix ;-)

[nodiscc]

👍 well done (? I don't understand what the problem was)

[dper]

@nodiscc I believe the situation was this... The trailing /i (instead of just /) makes the regular expression case insensitive. The value of the cookie in my browser contained numbers and upper case letters, and as a security measure Shaarli was expecting it to be numbers and only lower case letters, so it was rejecting login attempts. Since upper case letters are valid, the fix is to accept them, too.

[ArthurHoaro]

Exactly.

[Cy4n1d3]

Sadly the latest release didn't fix it for me.
I've bisected the commits and identified 06b6660 to be the cause (as @ArthurHoaro already pointed out) - 0.5.1 is the latest working release for me. The latest hotfix however still does not allow me to log in again.

L388 @ index.php (tokenOk($_POST['token'])) is where the login fails.
I'll dig into the code and see if I can find what exactly goes wrong.

€dit:
The culprit is still L159 @ Utils.php. The regex fails.

[Cy4n1d3]

I guess I've figured out why the check is failing for me.
My PHP is configured to use SHA512 as hash function for the $_SESSION-id, instead of the default md5 / sha1.
The corresponding setting is
session.hash_function = sha512
inside php.ini.

I've temporarily commented that setting out and was able to log in again.

What does that give us?
First and foremost: that regex is not really error proof :)

Have a look at the following PHP setting: https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character

By settings session.hash_function = sha512 and session.hash_bits_per_character = 6 the resulting session id would look something along the lines of iJXJWB-H1w-QhXGZlJsBPQnaeAGaG,SmZFcYxYsxtjXdlslXQn8UbeyHB0ZkGZeiN5ZAsUsRc4W38YcICkTe11.
That string has a length of 88 (fails {2,32}) and even contains special characters (fails [a-z0-9]).
Depending on the server configuration the string can have a length of up to 128 chars it seems.

A regex which is working for my configuration would be /^[-,a-zA-Z0-9]{1,128}$/.

You might also construct the regex on the fly, depending on php.ini settings. strlen(session_id()) should also retrieve the length of the servers' session id in most cases.

[virtualtam]

Hello @Cy4n1d3 and thanks for reporting and root-causing the regression :)

Possible solutions:

• implement a UUID generator
• use sha1(uniqid()) for the shaarli cookie

[Cy4n1d3]

Thank you guys, for keeping this project up and running ;)
An error report is the least I can do!

[virtualtam]

PR #338 should fix this issue

(by the way, sha1(uniqid()) is already used in several places in index.php)