authorDavid Rothstein <drothstein@gmail.com>2013-11-20 15:45:59 -0500
committerDavid Rothstein <drothstein@gmail.com>2013-11-20 15:45:59 -0500
commit782d1155c62c0a879bf587c7e40c3a13bcf6879c (patch)
tree380060c81a7ebd76870cfd7fb566933b3a7c6efd /includes/common.inc
parentbf704d6ffe55d66a440a55a9d43e8846d46d2440 (diff)
downloadbrdo-782d1155c62c0a879bf587c7e40c3a13bcf6879c.tar.gz
brdo-782d1155c62c0a879bf587c7e40c3a13bcf6879c.tar.bz2
Drupal 7.24
Diffstat (limited to 'includes/common.inc')
-rw-r--r--includes/common.inc8
1 files changed, 6 insertions, 2 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 262e1c57b..0ab9c39e2 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -5042,7 +5042,7 @@ function drupal_json_output($var = NULL) {
*/
function drupal_get_private_key() {
if (!($key = variable_get('drupal_private_key', 0))) {
- $key = drupal_hash_base64(drupal_random_bytes(55));
+ $key = drupal_random_key();
variable_set('drupal_private_key', $key);
}
return $key;
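Review bot: The lazy key generation is not atomic: two concurrent first requests can both pass the `variable_get()` check on the `if` line before either reaches `variable_set()`, so two keys are generated and the last write wins, invalidating any token minted from the losing key in that window. That is pre-existing rather than introduced by the `drupal_random_key()` swap, but since `drupal_get_token()` derives every CSRF token from this value it deserves a comment on the `if` line such as `// Generated lazily on first use and persisted; concurrent first requests may race and regenerate it, which invalidates tokens issued meanwhile.` `drupal_random_key()` is defined outside this hunk (presumably in bootstrap.inc), so its output length and encoding cannot be confirmed from here; the function's docblock also starts above the hunk.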
@@ -5081,7 +5081,7 @@ function drupal_get_token($value = '') {
*/
function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
global $user;
- return (($skip_anonymous && $user->uid == 0) || ($token == drupal_get_token($value)));
+ return (($skip_anonymous && $user->uid == 0) || ($token === drupal_get_token($value)));
}
function _drupal_bootstrap_full() {
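Review bot: The switch to `===` closes the type-juggling hole but the comparison on the `return` line is still a short-circuiting string compare, so response timing can leak the position of the first mismatching byte of the expected token for an attacker who can submit many candidate tokens. `$token` is attacker-controlled (it arrives from the request), and the expected value from `drupal_get_token()` is a secret-derived HMAC, so this is the one place where a constant-time compare is warranted; `hash_equals()` is the idiomatic choice if the project's minimum PHP version is 5.6 or later, otherwise a fixed-length XOR loop as below. Rejecting a non-string `$token` explicitly (e.g. `token[]=x` in the query string) also avoids passing an array into the compare. The existing test-info/child-site handling and the function's behaviour for `$skip_anonymous` are unchanged in this proposal.
```php
function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
  global $user;
  if ($skip_anonymous && $user->uid == 0) {
    return TRUE;
  }
  $expected = drupal_get_token($value);
  // Reject non-string input (e.g. token[]=... in the query string) outright.
  // The length check leaks only the fixed token length, never its content.
  if (!is_string($token) || strlen($token) !== strlen($expected)) {
    return FALSE;
  }
  // Constant-time comparison: do not stop at the first differing byte, so
  // response timing does not reveal how much of the token was correct.
  $diff = 0;
  $len = strlen($expected);
  for ($i = 0; $i < $len; $i++) {
    $diff |= ord($token[$i]) ^ ord($expected[$i]);
  }
  return $diff === 0;
}
```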
@@ -5114,6 +5114,10 @@ function _drupal_bootstrap_full() {
module_load_all();
// Make sure all stream wrappers are registered.
file_get_stream_wrappers();
+ // Ensure mt_rand is reseeded, to prevent random values from one page load
+ // being exploited to predict random values in subsequent page loads.
+ $seed = unpack("L", drupal_random_bytes(4));
+ mt_srand($seed[1]);
$test_info = &$GLOBALS['drupal_test_info'];
if (!empty($test_info['in_child_site'])) {