Fix #889

Mon, 24 Apr 2017 20:56:56 +0200

author
tmolitor <thilo@eightysoft.de>
date
Mon, 24 Apr 2017 20:56:56 +0200
changeset 2701
d96831e46b64
parent 2674
c971b2cee2cc
child 2702
caabb980d1d8

Fix #889

Some buggy clients try to resume unauthenticated sessions and
session.username is nil in this case (that caused the bug).

--- a/mod_smacks/mod_smacks.lua	Fri Apr 07 23:34:40 2017 +0200
+++ b/mod_smacks/mod_smacks.lua	Mon Apr 24 20:56:56 2017 +0200
@@ -49,8 +49,16 @@
 	if not cache then
 		local store = {};
 		return {
-			get = function(user, key) return store[key]; end;
-			set = function(user, key, value) store[key] = value; end;
+			get = function(user, key)
+				if not user then return nil; end
+				if not key then return nil; end
+				return store[key];
+			end;
+			set = function(user, key, value)
+				if not user then return nil; end
+				if not key then return nil; end
+				store[key] = value;
+			end;
 		};
 	end
 	
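Review bot: In this fallback store the new guards test `user`, but the table is still indexed by `key` alone, so a lookup succeeds under any non-nil user, whereas the cache-backed store in the next hunk scopes tokens per user. If callers rely on the store to tie a resumption token to its owner (not visible here), the two backends behave differently depending on whether `cache` is available. Keying the fallback the same way removes the difference: `local s = store[user]; return s and s[key];` in get, and `store[user] = store[user] or {}; store[user][key] = value;` in set. The enclosing function starts and ends outside the hunk.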
@@ -58,12 +66,16 @@
 	local stores = {};
 	return {
 			get = function(user, key)
+				if not user then return nil; end
+				if not key then return nil; end
 				if not stores[user] then
 					stores[user] = cache.new(max_entries, evict_callback);
 				end
 				return stores[user]:get(key);
 			end;
 			set = function(user, key, value)
+				if not user then return nil; end
+				if not key then return nil; end
 				if not stores[user] then stores[user] = cache.new(max_entries, evict_callback); end
 				stores[user]:set(key, value);
 				-- remove empty caches completely
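Review bot: `get` still calls `cache.new(...)` for any user without an entry, and the "remove empty caches" cleanup sits only in `set`, so a failed lookup leaves an empty per-user cache behind in `stores`. A read should not create state: `local c = stores[user]; if not c then return nil; end` followed by `return c:get(key);`. The `if not user` / `if not key` pair now appears four times across this hunk and the previous one and could be one small local helper. `set` continues past the end of the hunk.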
@@ -73,7 +85,7 @@
 end
 local old_session_registry = init_session_cache(max_old_sessions, nil);
 local session_registry = init_session_cache(max_hibernated_sessions, function(resumption_token, session)
-	if session.destroyed then return; end
+	if session.destroyed then return true; end		-- destroyed session can always be removed from cache
 	session.log("warn", "User has too much hibernated sessions, removing oldest session (token: %s)", resumption_token);
 	-- store old session's h values on force delete
 	-- save only actual h value and username/host (for security)
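Review bot: The evict callback's return value now carries meaning on the destroyed path, but its contract is not documented and the callback's other exit lies outside this hunk. If the cache treats a falsy return as a refusal to evict (inferred from the new trailing comment, not visible here), the non-destroyed path must also end in `return true;`, otherwise the `max_hibernated_sessions` limit would stop being enforced once a user's cache is full. A comment above the callback such as `-- evict callback: return true to allow the cache to drop the entry` would make that explicit.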
