diff options
| author | Dries Buytaert <dries@buytaert.net> | 2010-01-14 18:45:17 +0000 |
|---|---|---|
| committer | Dries Buytaert <dries@buytaert.net> | 2010-01-14 18:45:17 +0000 |
| commit | f818dfe90847f350167055f6207befdc2e4e0f14 (patch) | |
| tree | 69dbd521a79b971912f53bca339fa5060c62cbb8 /includes | |
| parent | 913f2c3a3e3ed55b33f2fffeeec407520aa5d62a (diff) | |
| download | brdo-f818dfe90847f350167055f6207befdc2e4e0f14.tar.gz brdo-f818dfe90847f350167055f6207befdc2e4e0f14.tar.bz2 | |
- Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
Diffstat (limited to 'includes')
| -rw-r--r-- | includes/bootstrap.inc | 2 | ||||
| -rw-r--r-- | includes/common.inc | 19 | ||||
| -rw-r--r-- | includes/update.inc | 3 |
3 files changed, 20 insertions, 4 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 7bc180ef5..eddfd555a 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -532,7 +532,7 @@ function drupal_settings_initialize() { global $base_url, $base_path, $base_root; // Export the following settings.php variables to the global namespace - global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $is_https, $base_secure_url, $base_insecure_url; + global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url; $conf = array(); if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) { diff --git a/includes/common.inc b/includes/common.inc index 75dbe5685..e04c71303 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -4461,6 +4461,19 @@ function drupal_random_bytes($count) { } /** + * Get a salt useful for hardening against SQL injection. + * + * @return + * A salt based on information in settings.php, not in the database. + */ +function drupal_get_hash_salt() { + global $drupal_hash_salt, $databases; + // If the $drupal_hash_salt variable is empty, a hash of the serialized + // database credentials is used as a fallback salt. + return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt; +} + +/** * Ensure the private key variable used to generate tokens is set. * * @return @@ -4482,7 +4495,9 @@ function drupal_get_private_key() { */ function drupal_get_token($value = '') { $private_key = drupal_get_private_key(); - return md5(session_id() . $value . $private_key); + // A single md5() is vulnerable to length-extension attacks, so use it twice. + // @todo: add md5 and sha1 hmac functions to core. + return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key)); } /** @@ -4500,7 +4515,7 @@ function drupal_get_token($value = '') { */ function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) { global $user; - return (($skip_anonymous && $user->uid == 0) || ($token == md5(session_id() . $value . variable_get('drupal_private_key', '')))); + return (($skip_anonymous && $user->uid == 0) || ($token == drupal_get_token($value))); } function _drupal_bootstrap_full() { diff --git a/includes/update.inc b/includes/update.inc index 805857c43..a7f3f64b6 100644 --- a/includes/update.inc +++ b/includes/update.inc @@ -262,7 +262,8 @@ function update_fix_d7_requirements() { global $update_rewrite_settings, $db_url; if (!empty($update_rewrite_settings)) { $databases = update_parse_db_url($db_url); - file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ';', FILE_APPEND); + $salt = sha1(drupal_random_bytes(64)); + file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ";\n\$drupal_hash_salt = '$salt';", FILE_APPEND); } if (drupal_get_installed_schema_version('system') < 7000 && !variable_get('update_d7_requirements', FALSE)) { // Add the cache_path table. |