From f818dfe90847f350167055f6207befdc2e4e0f14 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Thu, 14 Jan 2010 18:45:17 +0000
Subject: - Patch #590656 by pwolanin, Pasqualle: harden one-time login links against vulnerability from disclosure of SQL backups, or SQL 'SELECT' injection.

---
modules/user/user.module | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/user/user.module b/modules/user/user.module
index ee9e5287f..993b13f58 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -2029,7 +2029,8 @@ function user_cancel_url($account) {
 }
 
 function user_pass_rehash($password, $timestamp, $login) {
-  return md5($timestamp . $password . $login);
+  // A single md5() is vulnerable to length-extension attacks, so use it twice.
+  return md5(drupal_get_hash_salt() . md5($timestamp . $password . $login));
 }
 
 /**
--
cgit v1.2.3
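Review bot: The comment on the added return line misstates what the change protects against: the property the commit message needs is that a holder of leaked database contents cannot forge a link, and that comes from `drupal_get_hash_salt()` (a value that is not in the database), not from nesting md5() — an unkeyed hash-of-hash with the key prepended is not a length-extension remedy, only a keyed MAC is. I would replace the two added lines with `// Key the hash with the site's hash salt, which lives outside the database, so a leaked user table is not enough to forge a one-time login link.` and `return hash_hmac('sha256', $timestamp . $password . $login, drupal_get_hash_salt());`, assuming the hash extension is already a hard requirement here. That changes the token's length and format, so the URL parsing and the string comparison in the reset callback (outside this hunk) would need to accept the new value, and outstanding links issued before the change would stop validating. Also worth a docblock on user_pass_rehash() stating that all three inputs plus the salt are part of the token, since the visible hunk has none.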