authorDries Buytaert <dries@buytaert.net>2010-01-14 18:45:17 +0000
committerDries Buytaert <dries@buytaert.net>2010-01-14 18:45:17 +0000
commitf818dfe90847f350167055f6207befdc2e4e0f14 (patch)
tree69dbd521a79b971912f53bca339fa5060c62cbb8 /includes/update.inc
parent913f2c3a3e3ed55b33f2fffeeec407520aa5d62a (diff)
- Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
Diffstat (limited to 'includes/update.inc')
-rw-r--r--includes/update.inc3
1 files changed, 2 insertions, 1 deletions
diff --git a/includes/update.inc b/includes/update.inc
index 805857c43..a7f3f64b6 100644
--- a/includes/update.inc
+++ b/includes/update.inc
@@ -262,7 +262,8 @@ function update_fix_d7_requirements() {
global $update_rewrite_settings, $db_url;
if (!empty($update_rewrite_settings)) {
$databases = update_parse_db_url($db_url);
- file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ';', FILE_APPEND);
+ $salt = sha1(drupal_random_bytes(64));
+ file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ";\n\$drupal_hash_salt = '$salt';", FILE_APPEND);
}
if (drupal_get_installed_schema_version('system') < 7000 && !variable_get('update_d7_requirements', FALSE)) {
// Add the cache_path table.
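Review bot: The result of `file_put_contents()` on the added line is never checked, so if settings.php is not writable the update continues without `$drupal_hash_salt` being stored and the hardening is silently missing. What the hashing code does when the variable is unset is not visible in this hunk. Compare the return value with `=== FALSE` and stop the update with a clear error rather than proceeding. Because the write uses `FILE_APPEND`, a second pass through this branch would append another salt line and the last assignment would win, presumably invalidating links issued under the first, so it is worth confirming the branch runs only once. A short comment above `$salt = sha1(drupal_random_bytes(64));` would also help, for example `// Stored in settings.php rather than the database so a leaked SQL dump or SELECT injection does not reveal it.`; the body of update_fix_d7_requirements() starts and ends outside this hunk.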