Release 2.21

Author: bungle

Changes.md

@@ -2,13 +2,22 @@
 
 All notable changes to `lua-resty-session` will be documented in this file.
 
+## [2.21] - 2018-03-16
+### Screwed
+- Forgot to bump version number.
+
+## [2.20] - 2018-03-16
+### Fixed
+- Fixes issue where check addr and check scheme could be faked.
+  See also: https://github.com/bungle/lua-resty-session/issues/47
+  Thanks @nielsole
+
 ## [2.19] - 2017-09-19
 ### Fixed
 - Fixes small bug where aes could generate invalid salt on invalid input
   that further crashes Lua with error: bad argument #2 to 'salt' (number
   expected, got no value)
 
-
 ## [2.18] - 2017-07-10
 ### Fixed
 - Automatically creates exactly 64 bits salt as required by the latest

lib/resty/session.lua

@@ -93,7 +93,7 @@ local function setcookie(session, value, expires)
         else
             n[2] = "="
         end
-        local n = concat(n)
+        n = concat(n)
         k[1] = n
         if expires then
             k[2] = ""
@@ -110,9 +110,9 @@ local function setcookie(session, value, expires)
         if t == "table" then
             local f = false
             local z = #s
-            for i=1, z do
-                if find(s[i], n, 1, true) == 1 then
-                    s[i] = y
+            for a=1, z do
+                if find(s[a], n, 1, true) == 1 then
+                    s[a] = y
                     f = true
                     break
                 end
@@ -203,7 +203,7 @@ local function init()
 end
 
 local session = {
-    _VERSION = "2.19"
+    _VERSION = "2.21"
 }
 
 session.__index = session
@@ -267,41 +267,13 @@ function session.open(opts)
     else
         self = session.new(opts)
     end
-    local scheme = header["X-Forwarded-Proto"]
-    if self.cookie.secure == nil then
-        if scheme then
-            self.cookie.secure = scheme == "https"
-        else
-            self.cookie.secure = var.https == "on"
-        end
-    end
-    scheme = self.check.scheme and (scheme or var.scheme or "") or ""
-    local addr = ""
-    if self.check.addr then
-        addr = header["CF-Connecting-IP"] or
-               header["Fastly-Client-IP"] or
-               header["Incap-Client-IP"]  or
-               header["X-Real-IP"]
-        if not addr then
-            addr = header["X-Forwarded-For"]
-            if addr then
-                -- We shouldn't really get the left-most address, because of spoofing,
-                -- but this is better handled with a module, like nginx realip module,
-                -- anyway (see also: http://goo.gl/Z6u2oR).
-                local s = find(addr, ',', 1, true)
-                if s then
-                    addr = addr:sub(1, s - 1)
-                end
-            else
-                addr = var.remote_addr
-            end
-        end
-    end
+
+    self.cookie.secure = var.scheme == "https" or var.https == "on"
     self.key = concat{
-        self.check.ssi and (var.ssl_session_id  or "") or "",
-        self.check.ua  and (var.http_user_agent or "") or "",
-        addr,
-        scheme
+        self.check.ssi    and var.ssl_session_id  or "",
+        self.check.ua     and var.http_user_agent or "",
+        self.check.addr   and var.remote_addr     or "",
+        self.check.scheme and var.scheme          or "",
     }
     self.opened = true
     local cookie = getcookie(self)

lib/resty/session/ciphers/none.lua

@@ -11,12 +11,12 @@ function cipher.new()
     return singleton
 end
 
-function cipher:encrypt(d)
+function cipher.encrypt(_, d)
     return d
 end
 
-function cipher:decrypt(d)
+function cipher.decrypt(_, d)
     return d
 end
 
-return cipher
+return cipher

lib/resty/session/storage/cookie.lua

@@ -32,8 +32,8 @@ function cookie:cookie(c)
     return r
 end
 
-function cookie:open(cookie)
-    local r = self:cookie(cookie)
+function cookie:open(c)
+    local r = self:cookie(c)
     if r and r[1] and r[2] and r[3] and r[4] then
         return self.decode(r[1]), tonumber(r[2]), self.decode(r[3]), self.decode(r[4])
     end
@@ -44,4 +44,4 @@ function cookie:save(i, e, d, h)
     return concat({ self.encode(i), e, self.encode(d), self.encode(h) }, self.delimiter)
 end
 
-return cookie
+return cookie

lib/resty/session/storage/redis.lua

@@ -65,17 +65,17 @@ function redis.new(config)
 end
 
 function redis:connect()
-    local redis = self.redis
+    local r = self.redis
     local ok, err
     if self.socket then
-        ok, err = redis:connect(self.socket)
+        ok, err = r:connect(self.socket)
     else
-        ok, err = redis:connect(self.host, self.port)
+        ok, err = r:connect(self.host, self.port)
     end
     if ok and self.auth then
-        ok, err = redis:get_reused_times()
+        ok, err = r:get_reused_times()
         if ok == 0 then
-            ok, err = redis:auth(self.auth)
+            ok, err = r:auth(self.auth)
         end
     end
     return ok, err
@@ -229,4 +229,4 @@ function redis:destroy(i)
     return ok, err
 end
 
-return redis
+return redis