author | David Rothstein <drothstein@gmail.com> | 2013-06-03 18:06:36 -0400 |
committer | David Rothstein <drothstein@gmail.com> | 2013-06-03 18:06:36 -0400 |
commit | 30a95c80f3a1f0259c388f2b07cab171ac9ba223 (patch) | |
tree | ce0ef466f5002d59429f36faabf6cfc49826551c /includes | |
parent | 43c8918f96612d6ab37e8ca122e0f7c0ac4520a1 (diff) | |
Issue #1739986 by RobLoach, pwolanin, sun, Berdir, moshe weitzman, andypost, dcam: Fixed fallback in drupal_get_hash_salt(), move it to bootstrap.inc, use instead of $GLOBALS['drupal_hash_salt()'].
Diffstat (limited to 'includes')
-rw-r--r-- | includes/bootstrap.inc | 19 | ||||
-rw-r--r-- | includes/common.inc | 17 |
2 files changed, 18 insertions, 18 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 80563eff7..90b5765d9 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -2233,6 +2233,19 @@ function drupal_get_user_timezone() {
 }
 
 /**
+ * Gets a salt useful for hardening against SQL injection.
+ *
+ * @return
+ *   A salt based on information in settings.php, not in the database.
+ */
+function drupal_get_hash_salt() {
+  global $drupal_hash_salt, $databases;
+  // If the $drupal_hash_salt variable is empty, a hash of the serialized
+  // database credentials is used as a fallback salt.
+  return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
+}
+
+/**
  * Provides custom PHP error handling.
  *
  * @param $error_level
@@ -2452,7 +2465,6 @@ function drupal_get_bootstrap_phase() {
  * HMAC and timestamp.
  */
 function drupal_valid_test_ua() {
-  global $drupal_hash_salt;
   // No reason to reset this.
   static $test_prefix;
 
@@ -2466,7 +2478,7 @@ function drupal_valid_test_ua() {
     // We use the salt from settings.php to make the HMAC key, since
     // the database is not yet initialized and we can't access any Drupal variables.
     // The file properties add more entropy not easily accessible to others.
-    $key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
+    $key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
     $time_diff = REQUEST_TIME - $time;
     // Since we are making a local request a 5 second time window is allowed,
     // and the HMAC must match.
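Review bot: The fallback on the `return empty(...)` line of the first bootstrap.inc hunk is only as unpredictable as the `$databases` global it hashes, and if that global is unset or empty at call time (whether that can happen here, e.g. before settings.php is loaded, should be confirmed) the "salt" is the fixed SHA-256 of a constant and provides no hardening at all; the docblock should say so instead of leaving callers such as drupal_valid_test_ua() to discover it. I would extend the `@return` text with `If $drupal_hash_salt is not set, the value is derived from the $databases array and is therefore no more secret than the database credentials; it is a well-known constant when $databases is empty.` Note also that `empty()` treats the string `"0"` as unset, so a salt of exactly "0" silently takes the fallback path; `!isset($drupal_hash_salt) || $drupal_hash_salt === ''` would be the stricter test. The `$key` lines rewritten in the later hunks of this file inherit the same weakness whenever settings.php defines neither value.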
@@ -2484,14 +2496,13 @@ function drupal_valid_test_ua() {
  * Generates a user agent string with a HMAC and timestamp for simpletest.
  */
 function drupal_generate_test_ua($prefix) {
-  global $drupal_hash_salt;
   static $key;
 
   if (!isset($key)) {
     // We use the salt from settings.php to make the HMAC key, since
     // the database is not yet initialized and we can't access any Drupal variables.
     // The file properties add more entropy not easily accessible to others.
-    $key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
+    $key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
   }
   // Generate a moderately secure HMAC based on the database credentials.
   $salt = uniqid('', TRUE);
diff --git a/includes/common.inc b/includes/common.inc
index 31923f28b..3ec68636c 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -5035,19 +5035,6 @@ function drupal_json_output($var = NULL) {
 }
 
 /**
- * Gets a salt useful for hardening against SQL injection.
- *
- * @return
- *   A salt based on information in settings.php, not in the database.
- */
-function drupal_get_hash_salt() {
-  global $drupal_hash_salt, $databases;
-  // If the $drupal_hash_salt variable is empty, a hash of the serialized
-  // database credentials is used as a fallback salt.
-  return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
-}
-
-/**
  * Ensures the private key variable used to generate tokens is set.
  *
  * @return
@@ -5069,8 +5056,10 @@ function drupal_get_private_key() {
  *
  * @return string
  *   A 43-character URL-safe token for validation, based on the user session ID,
- *   the global $drupal_hash_salt variable from settings.php, and the
+ *   the hash salt provided from drupal_get_hash_salt(), and the
  *   'drupal_private_key' configuration variable.
+ *
+ * @see drupal_get_hash_salt()
  */
 function drupal_get_token($value = '') {
   return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());