Ensure to truncate any extra data

Fixes issue #15

Author: thekid

ChangeLog.md

@@ -3,6 +3,9 @@ Sessions for the XP Framework ChangeLog
 
 ## ?.?.? / ????-??-??
 
+* Fixed issue #15: unserialize(): Extra data starting at offset [...]
+  (@thekid)
+
 ## 3.2.0 / 2024-03-24
 
 * Made compatible with XP 12 - @thekid

src/main/php/web/session/filesystem/Session.class.php

@@ -162,7 +162,12 @@ public function close() {
       $modification($name);
     }
     $this->modifications= [];
-    $this->file->write(serialize($this->values));
+
+    // Write file, ensuring to truncate any extra data
+    $length= $this->file->write(serialize($this->values));
+    if ($length < $size) {
+      $this->file->truncate($length);
+    }
 
     $this->file->unLock();
     $this->file->close();

src/test/php/web/session/unittest/InFileSystemTest.class.php

@@ -39,4 +39,24 @@ public function session_identifiers_consist_of_32_lowercase_hex_digits() {
     $id= $sessions->create()->id();
     Assert::matches('/^[a-f0-9]{32}$/i', $id);
   }
+
+  #[Test]
+  public function issue_15_extra_data_during_unserialize() {
+    $sessions= $this->fixture();
+
+    // Create session and register value
+    $a= $sessions->create();
+    $a->register('name', 'initial');
+    $a->close();
+
+    // Overwrite initial value with a shorter one, this should truncate
+    $b= $sessions->open($a->id());
+    $b->register('name', 'test');
+    $b->close();
+
+    // Modify session again, should not trigger the "extra data" warning
+    $c= $sessions->open($a->id());
+    $c->register('name', 'irrelevant');
+    $c->close();
+  }
 }