authorAngie Byron <webchick@24967.no-reply.drupal.org>2010-07-07 17:53:28 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2010-07-07 17:53:28 +0000
commitd38b5b804c98a1bc7251642b412da17e1e184170 (patch)
treea94cca1d7b2b24949f9d2a72e1ea0eef0f9a7d02 /includes
parent9e6313e84f7397889950bef0b870bf91749acca4 (diff)
#554106 follow-up by pwolanin: Restore timeboxing for SimpleTest runs, for security.
Diffstat (limited to 'includes')
-rw-r--r--includes/bootstrap.inc6
1 files changed, 4 insertions, 2 deletions
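--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -2261,8 +2261,10 @@ function drupal_valid_test_ua($user_agent) {
 // The file properties add more entropy not easily accessible to others.
 $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
 $key = $drupal_hash_salt . filectime($filepath) . fileinode($filepath);
- // The HMAC must match.
- return $hmac == drupal_hmac_base64($check_string, $key);
+ $time_diff = REQUEST_TIME - $time;
+ // Since we are making a local request a 5 second time window is allowed,
+ // and the HMAC must match.
+ return ($time_diff >= 0) && ($time_diff <= 5) && ($hmac == drupal_hmac_base64($check_string, $key));
 }
 /**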
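Review bot: The new return line still compares the HMAC with loose `==`, and PHP's `==` compares two numeric-looking strings as numbers, so two different base64 digests can test equal; the timebox added here does not close that, because the window check and the digest check are simply ANDed. Change it to a strict comparison, `return ($time_diff >= 0) && ($time_diff <= 5) && ($hmac === drupal_hmac_base64($check_string, $key));`, or to a constant-time comparison where the targeted PHP version provides one (hash_equals() exists from PHP 5.6). `$hmac`, `$check_string` and `$time` come from the user-agent parsing earlier in drupal_valid_test_ua, which starts outside this hunk, so they are untrusted until the HMAC matches; if `$time` can be non-numeric there, `REQUEST_TIME - $time` yields a warning or, on newer PHP, a TypeError instead of a clean false, so an explicit numeric check on `$time` before the subtraction would make the rejection deliberate.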