Merge pull request #1 from twistor/try-our-best

Do our best do defend against unfortunate serialized strings.

Author: dustindoiron

src/Decoder.php

@@ -15,13 +15,28 @@ public function __invoke(string $encodedSessionData): array
             return [];
         }
 
-        preg_match_all('/(^|;|\})(\w+)\|/i', $encodedSessionData, $matchesarray, PREG_OFFSET_CAPTURE);
+        $serializeTypes = [
+            'N',                  // null
+            'b\:[0-1]',           // boolean
+            'a\:[0-9]+\:\{',      // array
+            's\:[0-9]+\:"',       // string
+            'd\:[0-9]+\.?[0-9]*', // float
+            'i\:[0-9]+',          // integer/resource
+            'O\:[0-9]+\:"',       // object
+            // We can't support references even though PHP's native session encoder does
+            // since we deserialize each key in a separate step.
+            // 'r\:[0-9]+',        // resource
+        ];
+
+        $serializeTypesString = '(?:' . implode('|', $serializeTypes) . ')';
+
+        preg_match_all('/(?:^|;|\})(\w+)\|' . $serializeTypesString . '/', $encodedSessionData, $matchesarray, PREG_OFFSET_CAPTURE);
 
         $decodedData = [];
 
         $lastOffset = null;
         $currentKey = '';
-        foreach ($matchesarray[2] as $value) {
+        foreach ($matchesarray[1] as $value) {
             $offset = $value[1];
             if (null !== $lastOffset) {
                 $valueText = substr($encodedSessionData, $lastOffset, $offset - $lastOffset);

test/unit/DecodeTest.php

@@ -63,6 +63,14 @@ public function provideEncodeAndExpectedDecodedData() : array
                     ],
                 ]
             ],
+            [
+                'evil_string|s:5:";foo|";',
+                ['evil_string' => ';foo|'],
+            ],
+            [
+                'null|N;',
+                ['null' => null],
+            ],
         ];
     }
 }