authorDavid Rothstein <drothstein@gmail.com>2014-11-19 15:26:08 -0500
committerDavid Rothstein <drothstein@gmail.com>2014-11-19 15:26:08 -0500
commit84092f3d051c7d8904a63d38c81eb5f671b6e71b (patch)
treef46e2445757354aca51c46fe94e8b66fde943ecc /includes
parent76faa7de48e759cff770269c25d6ed6f92cf6b29 (diff)
parent81586d9e9d04dcee487c50de426c04221899b6d0 (diff)
downloadbrdo-84092f3d051c7d8904a63d38c81eb5f671b6e71b.tar.gz
brdo-84092f3d051c7d8904a63d38c81eb5f671b6e71b.tar.bz2
Merge tag '7.34' into 7.x
7.34 release. Conflicts: CHANGELOG.txt, includes/bootstrap.inc
Diffstat (limited to 'includes')
-rw-r--r--includes/bootstrap.inc2
-rw-r--r--includes/password.inc6
-rw-r--r--includes/session.inc2
3 files changed, 7 insertions, 3 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index b6c531c3b..9f37dfcf1 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '7.34-dev');
+define('VERSION', '7.35-dev');
/**
* Core API compatibility.
diff --git a/includes/password.inc b/includes/password.inc
index 3d5a400d2..8228e6111 100644
--- a/includes/password.inc
+++ b/includes/password.inc
@@ -140,7 +140,7 @@ function _password_enforce_log2_boundaries($count_log2) {
* @param $algo
* The string name of a hashing algorithm usable by hash(), like 'sha256'.
* @param $password
- * The plain-text password to hash.
+ * Plain-text password up to 512 bytes (128 to 512 UTF-8 characters) to hash.
* @param $setting
* An existing hash or the output of _password_generate_salt(). Must be
* at least 12 characters (the settings and salt).
@@ -150,6 +150,10 @@ function _password_enforce_log2_boundaries($count_log2) {
* The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
*/
function _password_crypt($algo, $password, $setting) {
+ // Prevent DoS attacks by refusing to hash large passwords.
+ if (strlen($password) > 512) {
+ return FALSE;
+ }
// The first 12 characters of an existing hash are its setting string.
$setting = substr($setting, 0, 12);
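Review bot: The FALSE return added at the top of _password_crypt() is not reflected in the function's return documentation, which (as far as the hunk shows, "The return string will be truncated at DRUPAL_HASH_LENGTH characters max.") still promises a string, so callers that compare the result against a stored hash get no hint that they must test for `=== FALSE`. Append to the @return text: `Returns FALSE if the password exceeds 512 bytes.` The byte-wise strlen() is the right measure for this bound, since its purpose is to cap hashing work rather than count characters, and the @param text changed earlier in this file already states the limit in bytes. The body of _password_crypt() continues past the hunk, so each caller that previously assumed a string result should be checked for FALSE handling.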
diff --git a/includes/session.inc b/includes/session.inc
index 9589e06fc..84d1983b4 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -79,7 +79,7 @@ function _drupal_session_read($sid) {
// Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers).
$insecure_session_name = substr(session_name(), 1);
- if (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name])) {
+ if (empty($sid) || (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) {
$user = drupal_anonymous_user();
return '';
}
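Review bot: The comment two lines above the changed condition still describes only the missing-cookie case, while the condition now also returns early for an empty `$sid`; update it to something like `// Handle the case of an empty session ID, first time visitors and clients that don't store cookies (eg. web crawlers).` Note that empty() is also true for the string '0'; a session ID is not expected to take that value, but `$sid === ''` would be the stricter test if only the empty-string case is intended. _drupal_session_read() starts before this hunk.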