Ensure instanceid contains a letter

instanceid is generated by uniqid() and then used as the
session_name. Because session_name requires at least one letter
and uniqid() does not guarantee to provide that, in the case that
uniqid() generates a string of only digits, the user will be stuck
in an infinite login loop because every request will generate a
new PHP session.

diff --git a/lib/util.php b/lib/util.php
index e8d4e56ef178ac526f07024d6f04f3dd12bbf77f..1fa3ad765d0c0e5c4d2683687472862e8630b9d9 100755 (executable)
--- a/lib/util.php
+++ b/lib/util.php
@@ -418,7 +418,8 @@ class OC_Util {
     public static function getInstanceId() {
         $id = OC_Config::getValue('instanceid', null);
         if(is_null($id)) {
-            $id = uniqid();
+            // We need to guarantee at least one letter in instanceid so it can be used as the session_name
+            $id = 'oc' . uniqid();
             OC_Config::setValue('instanceid', $id);
         }
         return $id;

diff --git a/tests/lib/util.php b/tests/lib/util.php
index 1c9054264c9c7e1ac34d212f3aea7e8d8683f6f0..1f253825920cb6860b4ab5c0c549640268dce3b6 100644 (file)
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
@@ -54,4 +54,9 @@ class Test_Util extends PHPUnit_Framework_TestCase {
                $this->assertEquals('no-reply@example.com', $email);
                OC_Config::deleteKey('mail_domain');
        }
+
+  function testGetInstanceIdGeneratesValidId() {
+    OC_Config::deleteKey('instanceid');
+    $this->assertStringStartsWith('oc', OC_Util::getInstanceId());
+  }
 }