From 8eeffefcc1bd22254ac17e12d0cbed30b227930e Mon Sep 17 00:00:00 2001 From: George Clark Date: Wed, 29 Jul 2015 15:36:51 -0400 Subject: [PATCH] Item13563: Change CGI::Session to use Storable ==== DO NOT APPLY THIS CHANGE WITHOUT READING THIS NOTE ==== This patch changes the format of the working/tmp/cgisess_* files. They are changing from a portable format based upon Data::Dumper to the Perl "Storable" format. You MUST remove all cgisess_* files from the working/tmp directory after applying this change. Users will lose their sessions and need to log in again to Foswiki. This change is needed to prevent corrupted user identity for users with any character in the range from 0x7f - 0xff. For example users with the Umlat in their user name. --- core/data/System/ReleaseNotes02x00.txt | 18 ++++++++++- core/lib/Foswiki/LoginManager.pm | 44 +++++++++++++++----------- 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/core/data/System/ReleaseNotes02x00.txt b/core/data/System/ReleaseNotes02x00.txt index 44fd6700eb..769ed78bc5 100644 --- a/core/data/System/ReleaseNotes02x00.txt +++ b/core/data/System/ReleaseNotes02x00.txt @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="ProjectContributor" date="1438012719" format="1.1" version="1"}% +%META:TOPICINFO{author="ProjectContributor" date="1438198562" format="1.1" version="1"}% %META:TOPICPARENT{name="ReleaseHistory"}% ---+!! Foswiki Release 2.0.1 RC1 @@ -57,6 +57,22 @@ Foswiki 2.0 is shipped with the following: ( __New to Foswiki 2.0__ ) * *Compatibility support* - TWikiCompatibilityPlugin #Release02x00Changes + +---++ Important changes in 2.0.1 + +Foswiki 2.0.1 has changed how the =working/tmp/cgisess_*= files are stored. +This is needed to better accommodate user names with international +characters. If old files exist and users still have a matching session cookie, +then their access attempts will fail with a 500 internal server error. + +
%X% *ACTION REQUIRED:* After applying the changes in +Foswiki 2.0.1, *you must delete all =cgisess_*= files from the =working/tmp= directory.*
+ +If you are unable to access the server to do this, users will have to clear +their cookies to gain access to Foswiki. + +This change addresses [[%BUGS%/Item13563][Item13563]] + ---++ Changes in requirements
diff --git a/core/lib/Foswiki/LoginManager.pm b/core/lib/Foswiki/LoginManager.pm index fe1fa2e084..5b5ccd2ac6 100644 --- a/core/lib/Foswiki/LoginManager.pm +++ b/core/lib/Foswiki/LoginManager.pm @@ -54,6 +54,7 @@ use Assert; use Error qw( :try ); use Foswiki::Sandbox (); +use CGI::Session (); BEGIN { if ( $Foswiki::cfg{UseLocale} ) { @@ -74,6 +75,8 @@ our %readOnlySK = ( %secretSK, AUTHUSER => 1, SUDOFROMAUTHUSER => 1 ); use constant TRACE => $Foswiki::cfg{Trace}{LoginManager} || 0; +use constant CGIDRIVER => 'driver:File;serializer:Storable'; + # GusestSessions should default to enabled, since much of Foswiki depends on # having a valid session. my $guestSessions = @@ -1095,8 +1098,11 @@ sub _loadCreateCGISession { oct(777) - ( ( $Foswiki::cfg{Session}{filePermission} + 0 ) ) & oct(777) ); - my $newsess = Foswiki::LoginManager::Session->new( - undef, $sid, + my $newsess; + + $newsess = Foswiki::LoginManager::Session->new( + CGIDRIVER, + $sid, { Directory => $sessionDir, UMask => $Foswiki::cfg{Session}{filePermission} 
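Review bot: The `CGIDRIVER` constant turns every `cgisess_*` file into a Storable image, and Storable's own documentation says `thaw`/`retrieve` must only be applied to trusted data, so each session load (and `CGI::Session->find` walking the whole directory) is now safe only as long as nobody but the server user can write into `working/tmp`; the constant carries no comment recording that precondition. I would add above it: `# Storable images are trusted on thaw: cgisess_* files must be writable only by the server user (see {Session}{filePermission}).` Naming it next to the constant is where a later change to the tmp-directory permissions will be looked up. A second line is worth adding to say that, unlike the old text format, the images may not be readable after a Perl/Storable upgrade or a move to a host of a different architecture, so live sessions can be lost then as well.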
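Review bot: With `CGIDRIVER` now passed to `Foswiki::LoginManager::Session->new`, a `$sid` whose `cgisess_` file is still in the pre-2.0.1 Data::Dumper format cannot be thawed, and the commit resolves that case with a 500 plus a manual "delete all cgisess_* files" step in the release notes rather than in code. CGI::Session's `new` returns undef, with the cause in `CGI::Session->errstr`, when an existing session cannot be loaded, so the code that inspects `$newsess` — which lies past the end of this hunk, as does the rest of `_loadCreateCGISession` — can fall back to a fresh anonymous session instead; if the Storable serializer dies rather than returning undef on a non-Storable file, the first call needs an `eval` around it too. I would deliberately not unlink `cgisess_$sid` in that branch, since `$sid` comes from the client and nothing in this hunk shows it being validated; the stale file can be left to the normal cleanup.
```perl
    # … unchanged: $newsess = Foswiki::LoginManager::Session->new( CGIDRIVER, $sid, {...} ) …
    # An existing cgisess_$sid that cannot be thawed (for example a pre-2.0.1
    # Data::Dumper file) must not turn into a 500: start a fresh session instead.
    if ( !$newsess && defined $sid ) {
        $newsess = Foswiki::LoginManager::Session->new(
            CGIDRIVER,
            undef,
            {
                Directory => $sessionDir,
                UMask     => $Foswiki::cfg{Session}{filePermission}
            }
        );
    }
```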
@@ -1562,24 +1568,26 @@ sub removeUserSessions { ASSERT($user) if DEBUG; my $msg = ''; + CGI::Session->find( + CGIDRIVER, + sub { purge_user( @_, $user, $msg ) }, + { + Directory => "$Foswiki::cfg{WorkingDir}/tmp", + UMask => $Foswiki::cfg{Session}{filePermission}, + } + ); - opendir( my $tmpdir, "$Foswiki::cfg{WorkingDir}/tmp" ) || return ''; - foreach my $fn ( grep( /^cgisess_/, readdir($tmpdir) ) ) { - my ($file) = $fn =~ m/^(cgisess_.*)$/; - - open my $sessfile, '<', "$Foswiki::cfg{WorkingDir}/tmp/$file" - or next; - while (<$sessfile>) { - if (m/'AUTHUSER' => '$user'/) { - close $sessfile; - unlink "$Foswiki::cfg{WorkingDir}/tmp/$file"; - $msg .= $file . ', '; - last; - } + sub purge_user { + + #my ($session, $user, $msg) = @_; + next if $_[0]->is_empty; # <-- already expired?! + if ( $_[0]->param('AUTHUSER') && $_[0]->param('AUTHUSER') eq $_[1] ) { + $_[2] .= 'cgisess_' . $_[0]->id() . ','; + $_[0]->delete(); + $_[0]->flush() + ; # Recommended practice says use flush() after delete(). } - close $sessfile if $sessfile; } - closedir $tmpdir; return $msg; } @@ -1587,7 +1595,7 @@ sub removeUserSessions { __END__ Foswiki - The Free and Open Source Wiki, http://foswiki.org/ -Copyright (C) 2008-2014 Foswiki Contributors. Foswiki Contributors +Copyright (C) 2008-2015 Foswiki Contributors. Foswiki Contributors are listed in the AUTHORS file in the root of this distribution. NOTE: Please extend that file, not this notice.
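Review bot: `next if $_[0]->is_empty;` in `purge_user` is not inside a loop of its own, so under `use warnings` Perl emits "Exiting subroutine via next" and the skip only works because `CGI::Session->find` happens to invoke the callback from a loop; it should read `return if $_[0]->is_empty;`. The return value of `CGI::Session->find(...)` is also discarded, whereas the replaced `opendir(...) || return ''` at least stopped on an unreadable directory; since a silent failure here leaves a user's sessions alive after whatever prompted the purge, I would write `CGI::Session->find( CGIDRIVER, sub { ... }, { ... } ) or warn 'removeUserSessions: ' . CGI::Session->errstr;` (find is documented to return undef and set errstr on failure — worth confirming against the installed version). Finally, `sub purge_user { ... }` is a named sub, so it is compiled once into the `Foswiki::LoginManager` package regardless of being written inside `removeUserSessions`; it only touches `@_`, so nothing is captured, but it should either live at file scope as `_purge_user` or become the anonymous callback itself, which would also let it append to `$msg` directly instead of relying on `@_` aliasing through `$_[2]`.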