authorDries Buytaert <dries@buytaert.net>2010-01-14 18:45:17 +0000
committerDries Buytaert <dries@buytaert.net>2010-01-14 18:45:17 +0000
commitf818dfe90847f350167055f6207befdc2e4e0f14 (patch)
tree69dbd521a79b971912f53bca339fa5060c62cbb8 /modules/user
parent913f2c3a3e3ed55b33f2fffeeec407520aa5d62a (diff)
- Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.
Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/user.module3
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index ee9e5287f..993b13f58 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -2029,7 +2029,8 @@ function user_cancel_url($account) {
}
function user_pass_rehash($password, $timestamp, $login) {
- return md5($timestamp . $password . $login);
+ // A single md5() is vulnerable to length-extension attacks, so use it twice.
+ return md5(drupal_get_hash_salt() . md5($timestamp . $password . $login));
}
/**