From 57ab100044d54b7198857add981c643deda54822 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Sat, 5 Sep 2020 10:52:02 +0200
Subject: [PATCH] Harden check when using token from memcache
Explicitly comparing never hurt anybody.
Signed-off-by: Roeland Jago Douma
---
 lib/Service/SessionService.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/Service/SessionService.php b/lib/Service/SessionService.php
index d02d2ad0b43..16d1fcabb5f 100644
--- a/lib/Service/SessionService.php
+++ b/lib/Service/SessionService.php
@@ -152,7 +152,14 @@ public function getSession($documentId, $sessionId, $token) {
 $data = $this->cache->get($token);
 if ($data !== null) {
- return Session::fromRow(json_decode($data, true));
+ $session = Session::fromRow(json_decode($data, true));
+ if ($session->getId() !== $sessionId || $session->getDocumentId() !== $documentId) {
+ $this->cache->remove($token);
+ $this->session = false;
+ return false;
+ }
+
+ return $session;
 }
 try {
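Review bot: The added `!==` checks compare `$session->getId()` and `$session->getDocumentId()` with `$sessionId` and `$documentId`, which the signature in the hunk header leaves untyped, so a caller passing request values as numeric strings would presumably never match an integer id rebuilt by `Session::fromRow()`. That fails closed, which is the right direction for a hardening check, but every cache hit would then be treated as a mismatch and the entry removed. If the entity getters return integers (not visible here), normalise before comparing, e.g. `$sessionId = (int)$sessionId; $documentId = (int)$documentId;`, or declare the parameter types. A valid token presented with ids it does not belong to is also worth a warning-level log entry before `return false;`, so the event is visible to operators. getSession's body starts and ends outside the hunk.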