Merge pull request #41006 from nextcloud/backport/40879/stable27

1 files changed, 19 insertions, 7 deletions

diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
index 1eb6987fc18..ae4b80209d5 100644
--- a/lib/private/Session/CryptoSessionData.php
+++ b/lib/private/Session/CryptoSessionData.php
@@ -32,6 +32,8 @@ namespace OC\Session;
 use OCP\ISession;
 use OCP\Security\ICrypto;
 use OCP\Session\Exceptions\SessionNotAvailableException;
+use function json_decode;
+use function OCP\Log\logger;
 
 /**
  * Class CryptoSessionData
@@ -79,14 +81,24 @@ class CryptoSessionData implements \ArrayAccess, ISession {
 
 	protected function initializeSession() {
 		$encryptedSessionData = $this->session->get(self::encryptedSessionName) ?: '';
-		try {
-			$this->sessionValues = json_decode(
-				$this->crypto->decrypt($encryptedSessionData, $this->passphrase),
-				true
-			);
-		} catch (\Exception $e) {
+		if ($encryptedSessionData === '') {
+			// Nothing to decrypt
 			$this->sessionValues = [];
-			$this->regenerateId(true, false);
+		} else {
+			try {
+				$this->sessionValues = json_decode(
+					$this->crypto->decrypt($encryptedSessionData, $this->passphrase),
+					true,
+					512,
+					JSON_THROW_ON_ERROR,
+				);
+			} catch (\Exception $e) {
+				logger('core')->critical('Could not decrypt or decode encrypted session data', [
+					'exception' => $e,
+				]);
+				$this->sessionValues = [];
+				$this->regenerateId(true, false);
+			}
 		}
 	}