LemonLDAPNG / Apache-Session-Browseable

Apache::Session::Browseable Perl module
http://search.cpan.org/dist/Apache-Session-Browseable/

Iterating over all session keys is interrupted by corrupted sessions #40

Closed jeremie-pierson closed 1 year ago

jeremie-pierson commented 1 year ago

When calling Lemonldap::NG::Common::Apache::Session->get_key_from_all_sessions() on a Redis store, unserialize() (from Apache::Session::Serialize::JSON) is called on each session content.

If session content is not valid JSON, unserialize() calls die and this error is not caught, so get_key_from_all_sessions() exits before having visited every session.

Looking at the LDAP session store, for example, it seems that errors in unserialize() are caught in get_key_from_all_sessions().

maxbes commented 1 year ago

I can't reproduce this. Can you provide a sample script that reproduces the issue on the latest Apache::Session::Browseable?

jeremie-pierson commented 1 year ago

OK, you're perfectly right, the eval at a higher level does the job (better).

I happen to use LemonLDAP::NG on an older version of Debian (Buster). Since we use the community repository, our installed version of LemonLDAP::NG is up-to-date. But this package implementing sessions is definitely not up-to-date (v1.3.0, 5 years ago).

Now I see that the bug I stumbled upon was corrected more than 4 years ago... It's a bit embarrassing 😅

I'll now close this issue and the pull request. Sorry that I didn't see this earlier.
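
The failure mode discussed in this thread, as an added example that is not part of the issue or of the Apache::Session::Browseable code base: one undecodable record ends an unguarded scan, while a per-record eval lets the scan finish and report which session ids were skipped. Assumptions: JSON::PP stands in for Apache::Session::Serialize::JSON, an in-memory hash with constructed values stands in for the Redis store, and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;

# Constructed sample store: session id => raw serialized value, as a
# key/value backend might return it. The second entry is truncated JSON.
my %store = (
    'aaa111' => '{"_session_id":"aaa111","uid":"alice","_utime":1700000000}',
    'bbb222' => '{"_session_id":"bbb222","uid":"bo',
    'ccc333' => '{"_session_id":"ccc333","uid":"carol","_utime":1700000500}',
);

my $json = JSON::PP->new->utf8;

# Hypothetical helper: collect the requested fields from every session,
# isolating each decode so that one bad record cannot end the scan.
sub scan_sessions {
    my ( $store, @fields ) = @_;
    my ( %found, @corrupted );
    for my $id ( sort keys %$store ) {
        my $data = eval { $json->decode( $store->{$id} ) };
        if ( !defined $data || ref $data ne 'HASH' ) {
            # Record the id only; the raw payload may hold sensitive data.
            push @corrupted, $id;
            next;
        }
        $found{$id} = { map { $_ => $data->{$_} } @fields };
    }
    return ( \%found, \@corrupted );
}

# Unguarded variant, for contrast: dies at the first invalid record.
sub scan_sessions_unguarded {
    my ( $store, @fields ) = @_;
    my %found;
    for my $id ( sort keys %$store ) {
        my $data = $json->decode( $store->{$id} );
        $found{$id} = { map { $_ => $data->{$_} } @fields };
    }
    return \%found;
}

my ( $found, $corrupted ) = scan_sessions( \%store, 'uid' );
printf "read %d sessions, skipped %d corrupted: %s\n",
    scalar keys %$found, scalar @$corrupted, join( ',', @$corrupted );

my $partial = eval { scan_sessions_unguarded( \%store, 'uid' ) };
print "unguarded scan aborted: $@" unless $partial;
```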