Bug #90744
closed
RedisSessionBackend throws exception if session data empty or cannot be decoded
100%
Description
The RedisSessionBackend (typo3/sysext/core/Classes/Session/Backend/RedisSessionBackend.php) throws an error if the data stored in Redis cannot be decoded. There is a bug in the get method. An array is expected as return value. But if the function "json_decode" returns null, TYPO3 throws the error: "Core: Exception handler (WEB): Uncaught TYPO3 Exception: Return value of TYPO3\CMS\Core\Session\Backend\RedisSessionBackend::get() must be of the type array, null returned".
Current
    /**
     * Read session data
     *
     * @param string $sessionId
     * @return array Returns the session data
     * @throws SessionNotFoundException
     */
    public function get(string $sessionId): array
    {
        $this->initializeConnection();

        $key = $this->getSessionKeyName($sessionId);
        $rawData = $this->redis->get($key);

        if ($rawData !== false) {
            return json_decode(
                $rawData,
                true
            );
        }
        throw new SessionNotFoundException('Session could not be fetched from redis', 1481885583);
    }
Fix
    /**
     * Read session data
     *
     * @param string $sessionId
     * @return array Returns the session data
     * @throws SessionNotFoundException
     */
    public function get(string $sessionId): array
    {
        $this->initializeConnection();

        $key = $this->getSessionKeyName($sessionId);
        $rawData = $this->redis->get($key);

        if ($rawData !== false) {
            $sessionData = json_decode(
                $rawData,
                true
            );
            if (!is_null($sessionData)) {
                return $sessionData;
            }
        }
        throw new SessionNotFoundException('Session could not be fetched from redis', 1481885583);
    }
Updated by Matthias Krams over 4 years ago
- Subject changed from RedisSessionBackend throws exception if serialized session data empty or cannot be decoded to RedisSessionBackend throws exception if session data empty or cannot be decoded
Updated by Markus Klein over 4 years ago
How do you get invalid JSON data into the session backend in the first place?
Updated by Matthias Krams over 4 years ago
A session was created in the redis, but it only consisted of an empty string. Why this happens I can't say at the moment. But I think that this possible error should be caught at the mentioned place.
Updated by Markus Klein over 4 years ago
While I generally agree about checking for errors of json_decode, I really wonder what is wrong with your system.
The JSON data can never be empty, because both "set" and "update" functions do at least set "ses_id" and "ses_tstamp".
Updated by Matthias Krams over 4 years ago
I agree with you. I'm still looking for the cause right now. However, this should not be part of this issue. I only wanted to point out the problem within the mentioned method.
Updated by Markus Klein over 4 years ago
Either already the json_encode() is failing for you, or "NULL is returned if the json cannot be decoded or if the encoded data is deeper than the recursion limit." kicks in. (taken from PHP docs)
Updated by Gerrit Code Review over 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63713
Updated by Markus Klein over 4 years ago
@Matthias: Please review the patch on our review system and vote, if it works for you! Thank you.
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63740
Updated by Markus Klein over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 78785091410002eb46988e864014385ab039d06e.
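
The failure modes discussed in this thread, as an added example that is not part of the original issue and is not TYPO3's code: a stand-alone decoder that turns every undecodable Redis value into a "session not found" condition instead of a TypeError. It goes one step beyond the null check by also rejecting valid JSON that is not an array. `decodeSessionPayload()` and `ExampleSessionNotFoundException` are hypothetical names, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for TYPO3's SessionNotFoundException so the example runs alone.
class ExampleSessionNotFoundException extends \RuntimeException {}

/**
 * Decode a raw value as returned by a Redis GET into session data.
 * Hypothetical helper: anything that does not decode to an array counts as "no session".
 *
 * @param string|false $rawData
 */
function decodeSessionPayload($rawData): array
{
    if ($rawData === false) {
        throw new ExampleSessionNotFoundException('Key not present in Redis');
    }
    $decoded = json_decode($rawData, true);
    // json_decode() returns null for '', malformed JSON and too deeply nested data,
    // and also for the valid document "null"; scalars such as "1" decode to non-arrays.
    // All of these would violate an ": array" return type if passed through.
    if (!is_array($decoded)) {
        throw new ExampleSessionNotFoundException(
            'Stored session is not a JSON array: ' . json_last_error_msg()
        );
    }
    return $decoded;
}

// Constructed sample values, not taken from a real Redis instance.
$samples = [
    'missing key'   => false,
    'empty string'  => '',
    'truncated'     => '{"ses_id":"abc"',
    'scalar'        => '1',
    'too deep'      => str_repeat('[', 600) . str_repeat(']', 600),
    'valid session' => '{"ses_id":"abc","ses_tstamp":1583000000}',
];

foreach ($samples as $label => $raw) {
    try {
        $data = decodeSessionPayload($raw);
        printf("%-13s -> ok, keys: %s\n", $label, implode(',', array_keys($data)));
    } catch (ExampleSessionNotFoundException $e) {
        printf("%-13s -> rejected (%s)\n", $label, $e->getMessage());
    }
}
```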