author | Dries Buytaert <dries@buytaert.net> | 2010-01-14 18:45:17 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-01-14 18:45:17 +0000 |
commit | f818dfe90847f350167055f6207befdc2e4e0f14 (patch) | |
tree | 69dbd521a79b971912f53bca339fa5060c62cbb8 /includes/common.inc | |
parent | 913f2c3a3e3ed55b33f2fffeeec407520aa5d62a (diff) | |
- Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
Diffstat (limited to 'includes/common.inc')
-rw-r--r-- | includes/common.inc | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 75dbe5685..e04c71303 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -4461,6 +4461,19 @@ function drupal_random_bytes($count) {
 }
 
 /**
+ * Get a salt useful for hardening against SQL injection.
+ *
+ * @return
+ * A salt based on information in settings.php, not in the database.
+ */
+function drupal_get_hash_salt() {
+ global $drupal_hash_salt, $databases;
+ // If the $drupal_hash_salt variable is empty, a hash of the serialized
+ // database credentials is used as a fallback salt.
+ return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt;
+}
+
+/**
 * Ensure the private key variable used to generate tokens is set.
 *
 * @return
@@ -4482,7 +4495,9 @@ function drupal_get_private_key() {
 */
 function drupal_get_token($value = '') {
 $private_key = drupal_get_private_key();
- return md5(session_id() . $value . $private_key);
+ // A single md5() is vulnerable to length-extension attacks, so use it twice.
+ // @todo: add md5 and sha1 hmac functions to core.
+ return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key));
 }
 
 /**
@@ -4500,7 +4515,7 @@ function drupal_get_token($value = '') {
 */
 function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
 global $user;
- return (($skip_anonymous && $user->uid == 0) || ($token == md5(session_id() . $value . variable_get('drupal_private_key', ''))));
+ return (($skip_anonymous && $user->uid == 0) || ($token == drupal_get_token($value)));
 }
 
 function _drupal_bootstrap_full() { |
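Review bot: The new drupal_get_hash_salt() docblock does not say that the fallback return value is derived from $databases, so any change to the database credentials in settings.php silently changes the salt and invalidates every token computed from it (and, per the commit message, the one-time login links); that consequence follows directly from the `sha1(serialize($databases))` branch and is worth stating for site administrators. The summary line "useful for hardening against SQL injection" also describes the threat more narrowly than the commit message (disclosure of database contents); a wording closer to what the code does is `Get a salt that is not stored in the database, so tokens cannot be recomputed from database contents alone.` I would extend the @return description with `Falls back to a hash of the $databases credentials when $drupal_hash_salt is unset; changing those credentials changes the salt and invalidates outstanding tokens.` Note also that `empty()` treats the string '0' as unset, so `$drupal_hash_salt === ''` would be the stricter test if a literal '0' salt is meant to be honoured.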
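Review bot: The comment justifying the nested md5() in drupal_get_token is imprecise: the removed line put $private_key at the end of the hashed input, and length extension applies to a secret-prefix construction, so the relevant weakness of a secret-suffix over md5 is its reliance on md5 collision resistance, and the added outer md5() still is not a keyed MAC. Since the @todo already names the goal, PHP's `hash_hmac()` would replace the ad-hoc nesting in one line, `return hash_hmac('sha256', session_id() . $value, $private_key . drupal_get_hash_salt());`, hedged on the hash extension being guaranteed across the supported PHP versions, which the page does not state. Either construction changes every outstanding token value, which is acceptable here because drupal_valid_token now recomputes through drupal_get_token(). If the nesting stays, the comment should state the actual rationale, e.g. `// Mix in a settings-derived salt so a token cannot be recomputed from database contents alone; @todo replace with an HMAC.`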
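Review bot: The rewritten return line in drupal_valid_token keeps `$token == drupal_get_token($value)`, a loose comparison of a caller-supplied string with a hex digest; PHP compares two numeric-looking strings as numbers, so distinct digests of the form `0e` followed only by digits compare equal, and the check should be strict: `$token === drupal_get_token($value)`. Where `hash_equals()` is available on the supported PHP versions (the page does not state them), prefer it so the comparison is also constant-time. The `$user->uid == 0` test on the same line is loose as well; on an integer uid it is harmless, but `=== 0` would keep the line consistent.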