Commit
71713081
authored
May 01, 2010
by
Dries
- Patch
#723802
by pwolanin, grendzy: convert to sha-256 and hmac from md5 and sha1.
parent
2a2f4cc0
Changes
37
includes/actions.inc
@@ -197,7 +197,7 @@ function actions_get_all_actions() {
}
/**
* Creates an associative array keyed by
md5
hashes of function names or IDs.
* Creates an associative array keyed by hashes of function names or IDs.
*
* Hashes are used to prevent actual function names from going out into HTML
* forms and coming back.
@@ -207,14 +207,14 @@ function actions_get_all_actions() {
* and associative arrays with keys 'label', 'type', etc. as values.
* This is usually the output of actions_list() or actions_get_all_actions().
* @return
* An associative array whose keys are
md5
hashes of the input array keys, and
* An associative array whose keys are hashes of the input array keys, and
* whose corresponding values are associative arrays with components
* 'callback', 'label', 'type', and 'configurable' from the input array.
*/
function
actions_actions_map
(
$actions
)
{
$actions_map
=
array
();
foreach
(
$actions
as
$callback
=>
$array
)
{
$key
=
md5
(
$callback
);
$key
=
drupal_hash_base64
(
$callback
);
$actions_map
[
$key
][
'callback'
]
=
isset
(
$array
[
'callback'
])
?
$array
[
'callback'
]
:
$callback
;
$actions_map
[
$key
][
'label'
]
=
$array
[
'label'
];
$actions_map
[
$key
][
'type'
]
=
$array
[
'type'
];
@@ -224,12 +224,12 @@ function actions_actions_map($actions) {
}
/**
* Given a
n md5
hash of an action array key, returns the key (function or ID).
* Given a hash of an action array key, returns the key (function or ID).
*
* Faster than actions_actions_map() when you only need the function name or ID.
*
* @param $hash
*
MD5 h
ash of a function name or action ID array key. The array key
*
H
ash of a function name or action ID array key. The array key
* is a key into the return value of actions_list() (array key is the action
* function name) or actions_get_all_actions() (array key is the action ID).
* @return
@@ -239,13 +239,20 @@ function actions_function_lookup($hash) {
// Check for a function name match.
$actions_list
=
actions_list
();
foreach
(
$actions_list
as
$function
=>
$array
)
{
if
(
md5
(
$function
)
==
$hash
)
{
if
(
drupal_hash_base64
(
$function
)
==
$hash
)
{
return
$function
;
}
}
$aid
=
FALSE
;
// Must be a configurable action; check database.
return
db_query
(
"SELECT aid FROM
{
actions
}
WHERE MD5(aid) = :hash AND parameters <> ''"
,
array
(
':hash'
=>
$hash
))
->
fetchField
();
$result
=
db_query
(
"SELECT aid FROM
{
actions
}
WHERE parameters <> ''"
)
->
fetchAll
(
PDO
::
FETCH_ASSOC
);
foreach
(
$result
as
$row
)
{
if
(
drupal_hash_base64
(
$row
[
'aid'
])
==
$hash
)
{
$aid
=
$row
[
'aid'
];
break
;
}
}
return
$aid
;
}
/**
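Review bot: Both new hash comparisons in actions_function_lookup — `drupal_hash_base64($function) == $hash` in the function loop and `drupal_hash_base64($row['aid']) == $hash` in the aid loop — use loose `==` on a value that arrives from a submitted form, so they should be `===`; PHP compares two numeric-looking strings numerically under `==`, and a strict compare costs nothing here. Moving the aid match out of SQL (`WHERE MD5(aid) = :hash`) into PHP is the right change because the lookup no longer depends on the database's hash function, but it now loads every configurable action per lookup, which deserves a sentence so nobody "optimises" it back: `// Hash in PHP rather than SQL so the lookup does not depend on a DB-side MD5().`. The body of actions_function_lookup starts before the hunk.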
includes/bootstrap.inc
@@ -622,7 +622,7 @@ function drupal_settings_initialize() {
ini_set
(
'session.cookie_secure'
,
TRUE
);
}
$prefix
=
ini_get
(
'session.cookie_secure'
)
?
'SSESS'
:
'SESS'
;
session_name
(
$prefix
.
md5
(
$session_name
));
session_name
(
$prefix
.
substr
(
hash
(
'sha256'
,
$session_name
)
,
0
,
32
)
);
}
/**
@@ -1697,6 +1697,91 @@ function drupal_block_denied($ip) {
}
}
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random source.
*
* @param $count
* The number of characters (bytes) to return in the string.
*/
function
drupal_random_bytes
(
$count
)
{
// $random_state does not use drupal_static as it stores random bytes.
static
$random_state
,
$bytes
;
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
if
(
!
isset
(
$random_state
))
{
$random_state
=
print_r
(
$_SERVER
,
TRUE
);
if
(
function_exists
(
'getmypid'
))
{
// further initialize with the somewhat random PHP process ID.
$random_state
.
=
getmypid
();
}
$bytes
=
''
;
}
if
(
strlen
(
$bytes
)
<
$count
)
{
// /dev/urandom is available on many *nix systems and is considered the
// best commonly available pseudo-random source.
if
(
$fh
=
@
fopen
(
'/dev/urandom'
,
'rb'
))
{
// PHP only performs buffered reads, so in reality it will always read
// at least 4096 bytes. Thus, it costs nothing extra to read and store
// that much so as to speed any additional invocations.
$bytes
.
=
fread
(
$fh
,
max
(
4096
,
$count
));
fclose
(
$fh
);
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through hash() prior to being rolled into $output, that the two hash()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while
(
strlen
(
$bytes
)
<
$count
)
{
$random_state
=
hash
(
'sha256'
,
microtime
()
.
mt_rand
()
.
$random_state
);
$bytes
.
=
hash
(
'sha256'
,
mt_rand
()
.
$random_state
,
TRUE
);
}
}
$output
=
substr
(
$bytes
,
0
,
$count
);
$bytes
=
substr
(
$bytes
,
$count
);
return
$output
;
}
/**
* Calculate a base-64 encoded, URL-safe sha-256 hmac.
*
* @param $data
* String to be validated with the hmac.
* @param $key
* A secret string key.
*
* @return
* A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function
drupal_hmac_base64
(
$data
,
$key
)
{
$hmac
=
base64_encode
(
hash_hmac
(
'sha256'
,
$data
,
$key
,
TRUE
));
// Modify the hmac so it's safe to use in URLs.
return
strtr
(
$hmac
,
array
(
'+'
=>
'-'
,
'/'
=>
'_'
,
'='
=>
''
));
}
/**
* Calculate a base-64 encoded, URL-safe sha-256 hash.
*
* @param $data
* String to be hashed.
*
* @return
* A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function
drupal_hash_base64
(
$data
)
{
$hash
=
base64_encode
(
hash
(
'sha256'
,
$data
,
TRUE
));
// Modify the hash so it's safe to use in URLs.
return
strtr
(
$hash
,
array
(
'+'
=>
'-'
,
'/'
=>
'_'
,
'='
=>
''
));
}
/**
* Generates a default anonymous $user object.
*
@@ -2024,9 +2109,9 @@ function drupal_valid_test_ua($user_agent) {
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$filepath
=
DRUPAL_ROOT
.
'/includes/bootstrap.inc'
;
$key
=
sha1
(
serialize
(
$databases
)
.
filectime
(
$filepath
)
.
fileinode
(
$filepath
)
,
TRUE
)
;
$key
=
serialize
(
$databases
)
.
filectime
(
$filepath
)
.
fileinode
(
$filepath
);
// The HMAC must match.
return
$hmac
==
base64_encode
(
hash_hmac
(
'sha1'
,
$check_string
,
$key
,
TRUE
)
);
return
$hmac
==
drupal_hmac_base64
(
$check_string
,
$key
);
}
/**
@@ -2041,12 +2126,12 @@ function drupal_generate_test_ua($prefix) {
// check the HMAC before the database is initialized. filectime()
// and fileinode() are not easily determined from remote.
$filepath
=
DRUPAL_ROOT
.
'/includes/bootstrap.inc'
;
$key
=
sha1
(
serialize
(
$databases
)
.
filectime
(
$filepath
)
.
fileinode
(
$filepath
)
,
TRUE
)
;
$key
=
serialize
(
$databases
)
.
filectime
(
$filepath
)
.
fileinode
(
$filepath
);
}
// Generate a moderately secure HMAC based on the database credentials.
$salt
=
uniqid
(
''
,
TRUE
);
$check_string
=
$prefix
.
';'
.
time
()
.
';'
.
$salt
;
return
$check_string
.
';'
.
base64_encode
(
hash_hmac
(
'sha1'
,
$check_string
,
$key
,
TRUE
)
);
return
$check_string
.
';'
.
drupal_hmac_base64
(
$check_string
,
$key
);
}
/**
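Review bot: The fallback path in drupal_random_bytes, taken whenever `/dev/urandom` cannot be opened (Windows, open_basedir, chroot), derives everything from `print_r($_SERVER, TRUE)`, `getmypid()`, `microtime()` and `mt_rand()` — `$_SERVER` is largely request headers the client chooses and `mt_rand()` is not a cryptographic generator — yet this function now feeds the hash salt (install.core.inc, update.inc), the private key (common.inc) and regenerated session ids (session.inc). Before dropping to the hash loop the platform CSPRNG should be tried where it exists; the lines below do that for `openssl_random_pseudo_bytes()` behind a `function_exists` guard since it needs PHP 5.3, and the hash loop stays as the last resort. Separately, drupal_valid_test_ua still compares the MAC with `$hmac == drupal_hmac_base64($check_string, $key)`; that should at least be `===`, and a constant-time compare would have to be hand-rolled because hash_equals() does not exist in PHP 5.2.
```php
      fclose($fh);
    }
    // Prefer the platform CSPRNG over the hash loop below when it is available
    // (PHP >= 5.3); the loop remains the last resort for older PHP builds.
    if (strlen($bytes) < $count && function_exists('openssl_random_pseudo_bytes')) {
      $bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
    }
    // … unchanged: hash-loop fallback …
```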
includes/common.inc
@@ -2895,7 +2895,7 @@ function drupal_aggregate_css(&$css_groups) {
if
(
$group
[
'preprocess'
]
&&
$preprocess_css
)
{
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
$filename
=
'css_'
.
md5
(
serialize
(
$group
[
'items'
]))
.
'.css'
;
$filename
=
'css_'
.
drupal_hash_base64
(
serialize
(
$group
[
'items'
]))
.
'.css'
;
$css_groups
[
$key
][
'data'
]
=
drupal_build_css_cache
(
$group
[
'items'
],
$filename
);
}
break
;
@@ -3767,7 +3767,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL) {
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
foreach
(
$files
as
$key
=>
$file_set
)
{
$filename
=
'js_'
.
md5
(
serialize
(
$file_set
))
.
'.js'
;
$filename
=
'js_'
.
drupal_hash_base64
(
serialize
(
$file_set
))
.
'.js'
;
$uri
=
drupal_build_js_cache
(
$file_set
,
$filename
);
// Only include the file if was written successfully. Errors are logged
// using watchdog.
@@ -4340,45 +4340,6 @@ function drupal_json_output($var = NULL) {
}
}
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random source.
*
* @param $count
* The number of characters (bytes) to return in the string.
*/
function
drupal_random_bytes
(
$count
)
{
// $random_state does not use drupal_static as it stores random bytes.
static
$random_state
;
// We initialize with the somewhat random PHP process ID on the first call.
if
(
empty
(
$random_state
))
{
$random_state
=
getmypid
();
}
$output
=
''
;
// /dev/urandom is available on many *nix systems and is considered the best
// commonly available pseudo-random source.
if
(
$fh
=
@
fopen
(
'/dev/urandom'
,
'rb'
))
{
$output
=
fread
(
$fh
,
$count
);
fclose
(
$fh
);
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through md5() prior to being rolled into $output, that the two md5()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while
(
strlen
(
$output
)
<
$count
)
{
$random_state
=
md5
(
microtime
()
.
mt_rand
()
.
$random_state
);
$output
.
=
md5
(
mt_rand
()
.
$random_state
,
TRUE
);
}
return
substr
(
$output
,
0
,
$count
);
}
/**
* Get a salt useful for hardening against SQL injection.
*
@@ -4389,7 +4350,7 @@ function drupal_get_hash_salt() {
global
$drupal_hash_salt
,
$databases
;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return
empty
(
$drupal_hash_salt
)
?
sha1
(
serialize
(
$databases
))
:
$drupal_hash_salt
;
return
empty
(
$drupal_hash_salt
)
?
hash
(
'sha256'
,
serialize
(
$databases
))
:
$drupal_hash_salt
;
}
/**
@@ -4400,7 +4361,7 @@ function drupal_get_hash_salt() {
*/
function
drupal_get_private_key
()
{
if
(
!
(
$key
=
variable_get
(
'drupal_private_key'
,
0
)))
{
$key
=
md5
(
drupal_random_bytes
(
64
));
$key
=
drupal_hash_base64
(
drupal_random_bytes
(
55
));
variable_set
(
'drupal_private_key'
,
$key
);
}
return
$key
;
@@ -4413,10 +4374,7 @@ function drupal_get_private_key() {
* An additional value to base the token on.
*/
function
drupal_get_token
(
$value
=
''
)
{
$private_key
=
drupal_get_private_key
();
// A single md5() is vulnerable to length-extension attacks, so use it twice.
// @todo: add md5 and sha1 hmac functions to core.
return
md5
(
drupal_get_hash_salt
()
.
md5
(
session_id
()
.
$value
.
$private_key
));
return
drupal_hmac_base64
(
$value
,
session_id
()
.
drupal_get_private_key
()
.
drupal_get_hash_salt
());
}
/**
@@ -5247,7 +5205,7 @@ function drupal_render_cache_set(&$markup, $elements) {
function
drupal_render_cache_by_query
(
$query
,
$function
,
$expire
=
CACHE_TEMPORARY
,
$granularity
=
NULL
)
{
$cache_keys
=
array_merge
(
array
(
$function
),
drupal_render_cid_parts
(
$granularity
));
$query
->
preExecute
();
$cache_keys
[]
=
md5
(
serialize
(
array
((
string
)
$query
,
$query
->
getArguments
())));
$cache_keys
[]
=
hash
(
'sha256'
,
serialize
(
array
((
string
)
$query
,
$query
->
getArguments
())));
return
array
(
'#query'
=>
$query
,
'#pre_render'
=>
array
(
$function
.
'_pre_render'
),
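Review bot: drupal_get_token now keys the HMAC with `session_id() . drupal_get_private_key() . drupal_get_hash_salt()`, but the comment that explained the old double-md5 construction was removed and nothing says why this shape was chosen; add `// HMAC keyed on the session ID, the site private key and the hash salt: the token is bound to this session, and an HMAC is not subject to the length-extension weakness the old nested md5() worked around.`. Note also that the token changes from 32 hex characters to 43 URL-safe base64 characters (with `-` and `_`); any consumer or storage that assumed 32 hex chars is outside this diff and should be checked. The same 32-to-43 change applies to drupal_get_private_key, whose value is persisted through variable_set.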
includes/form.inc
@@ -203,7 +203,7 @@ function drupal_build_form($form_id, &$form_state) {
}
$form
=
drupal_retrieve_form
(
$form_id
,
$form_state
);
$form_build_id
=
'form-'
.
md5
(
uniqid
(
mt_rand
(),
TRUE
));
$form_build_id
=
'form-'
.
drupal_hash_base64
(
uniqid
(
mt_rand
(),
TRUE
)
.
mt_rand
()
);
$form
[
'#build_id'
]
=
$form_build_id
;
// Fix the form method, if it is 'get' in $form_state, but not in $form.
@@ -331,7 +331,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
// Otherwise, a new #build_id is generated, to not clobber the previous
// build's data in the form cache; also allowing the user to go back to an
// earlier build, make changes, and re-submit.
$form
[
'#build_id'
]
=
isset
(
$old_form
[
'#build_id'
])
?
$old_form
[
'#build_id'
]
:
'form-'
.
md5
(
mt_rand
());
$form
[
'#build_id'
]
=
isset
(
$old_form
[
'#build_id'
])
?
$old_form
[
'#build_id'
]
:
'form-'
.
drupal_hash_base64
(
uniqid
(
mt_rand
(),
TRUE
)
.
mt_rand
());
// #action defaults to request_uri(), but in case of AJAX and other partial
// rebuilds, the form is submitted to an alternate URL, and the original
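Review bot: The new build id in drupal_build_form, `drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand())`, is hashed but no harder to guess than before: uniqid() is the microsecond clock plus an lcg value and mt_rand() is not a cryptographic generator, while `#build_id` is the key under which a build is kept in the form cache (see the comment in drupal_rebuild_form). This commit adds drupal_random_bytes() to bootstrap.inc, so use it here: `$form_build_id = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));`, and the same in drupal_rebuild_form's fallback branch. Whether a guessed build id lets one user read or replace another's cached form depends on form-cache code outside this diff, so treat the impact as unconfirmed; the cost of the fix is negligible because drupal_random_bytes() buffers 4096 bytes from /dev/urandom on its first call.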
includes/install.core.inc
@@ -1011,7 +1011,7 @@ function install_settings_form_submit($form, &$form_state) {
'required'
=>
TRUE
,
);
$settings
[
'drupal_hash_salt'
]
=
array
(
'value'
=>
sha1
(
drupal_random_bytes
(
64
)),
'value'
=>
drupal_hash_base64
(
drupal_random_bytes
(
55
)),
'required'
=>
TRUE
,
);
drupal_rewrite_settings
(
$settings
);
includes/locale.inc
@@ -1680,7 +1680,7 @@ function _locale_rebuild_js($langcode = NULL) {
}
$data
.
=
"'strings': "
.
drupal_json_encode
(
$translations
)
.
" };"
;
$data_hash
=
md5
(
$data
);
$data_hash
=
drupal_hash_base64
(
$data
);
}
// Construct the filepath where JS translation files are stored.
includes/menu.inc
@@ -407,9 +407,9 @@ function menu_get_item($path = NULL, $router_item = NULL) {
$parts
=
array_slice
(
$original_map
,
0
,
MENU_MAX_PARTS
);
$ancestors
=
menu_get_ancestors
(
$parts
);
// Since there is no limit to the length of $path,
but the cids are
//
restricted to 255 characters, use md5() to keep it
short yet unique.
$cid
=
'menu_item:'
.
md5
(
$path
);
// Since there is no limit to the length of $path,
use a hash to keep it
// short yet unique.
$cid
=
'menu_item:'
.
hash
(
'sha256'
,
$path
);
if
(
$cached
=
cache_get
(
$cid
,
'cache_menu'
))
{
$router_item
=
$cached
->
data
;
}
@@ -1238,7 +1238,7 @@ function menu_tree_page_data($menu_name, $max_depth = NULL) {
* Helper function - compute the real cache ID for menu tree data.
*/
function
_menu_tree_cid
(
$menu_name
,
$data
)
{
return
'links:'
.
$menu_name
.
':tree-data:'
.
$GLOBALS
[
'language'
]
->
language
.
':'
.
md5
(
serialize
(
$data
));
return
'links:'
.
$menu_name
.
':tree-data:'
.
$GLOBALS
[
'language'
]
->
language
.
':'
.
hash
(
'sha256'
,
serialize
(
$data
));
}
/**
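Review bot: The rewritten comment above the `$cid` in menu_get_item drops the reason the hash exists — the old text said cache ids are restricted to 255 characters — and "short yet unique" no longer says short relative to what; restore it as `// Since there is no limit to the length of $path, but cids are restricted to 255 characters, hash $path to keep the cid short yet unique.`. The hex sha256 is 64 characters, so `'menu_item:'` plus the hash (74) and the `_menu_tree_cid` form (`links:` + menu name + `:tree-data:` + language + 64 hex) both stay under 255 provided menu names keep their existing length limit, which is not visible here.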
includes/password.inc
@@ -16,8 +16,8 @@
/**
* The standard log2 number of iterations for password stretching. This should
* increase by 1
at least every other
Drupal version in order to counteract
*
increases in the
speed and power of computers available to crack the hashes.
* increase by 1
every
Drupal version in order to counteract
increases in the
* speed and power of computers available to crack the hashes.
*/
define
(
'DRUPAL_HASH_COUNT'
,
14
);
@@ -31,6 +31,11 @@
*/
define
(
'DRUPAL_MAX_HASH_COUNT'
,
30
);
/**
* The expected (and maximum) number of characters in a hashed password.
*/
define
(
'DRUPAL_HASH_LENGTH'
,
55
);
/**
* Returns a string for mapping an int to the corresponding base 64 character.
*/
@@ -49,7 +54,7 @@ function _password_itoa64() {
* @return
* Encoded string
*/
function
_password_base64_encode
(
$input
,
$count
)
{
function
_password_base64_encode
(
$input
,
$count
)
{
$output
=
''
;
$i
=
0
;
$itoa64
=
_password_itoa64
();
@@ -93,7 +98,7 @@ function _password_base64_encode($input, $count) {
* A 12 character string containing the iteration count and a random salt.
*/
function
_password_generate_salt
(
$count_log2
)
{
$output
=
'$
P
$'
;
$output
=
'$
S
$'
;
// Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT.
$count_log2
=
max
(
$count_log2
,
DRUPAL_MIN_HASH_COUNT
);
// Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT.
@@ -113,19 +118,23 @@ function _password_generate_salt($count_log2) {
* for an attacker to try to break the hash by brute-force computation of the
* hashes of a large number of plain-text words or strings to find a match.
*
* @param $algo
* The string name of a hashing algorithm usable by hash(), like 'sha256'.
* @param $password
* The plain-text password to hash.
* @param $setting
* An existing hash or the output of _password_generate_salt().
* An existing hash or the output of _password_generate_salt(). Must be
* at least 12 characters (the settings and salt).
*
* @return
* A string containing the hashed password (and salt) or FALSE on failure.
* The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
*/
function
_password_crypt
(
$password
,
$setting
)
{
function
_password_crypt
(
$algo
,
$password
,
$setting
)
{
// The first 12 characters of an existing hash are its setting string.
$setting
=
substr
(
$setting
,
0
,
12
);
if
(
substr
(
$setting
,
0
,
3
)
!=
'$
P$
'
)
{
if
(
$setting
[
0
]
!=
'$'
||
$setting
[
2
]
!=
'$'
)
{
return
FALSE
;
}
$count_log2
=
_password_get_count_log2
(
$setting
);
@@ -139,22 +148,21 @@ function _password_crypt($password, $setting) {
return
FALSE
;
}
// We must use md5() or sha1() here since they are the only cryptographic
// primitives always available in PHP 5. To implement our own low-level
// cryptographic function in PHP would result in much worse performance and
// consequently in lower iteration counts and hashes that are quicker to crack
// (by non-PHP code).
// Convert the base 2 logrithm into an integer.
$count
=
1
<<
$count_log2
;
$hash
=
md5
(
$salt
.
$password
,
TRUE
);
// We rely on the hash() function being available in PHP 5.2+.
$hash
=
hash
(
$algo
,
$salt
.
$password
,
TRUE
);
do
{
$hash
=
md5
(
$hash
.
$password
,
TRUE
);
$hash
=
hash
(
$algo
,
$hash
.
$password
,
TRUE
);
}
while
(
--
$count
);
$output
=
$setting
.
_password_base64_encode
(
$hash
,
16
);
$len
=
strlen
(
$hash
);
$output
=
$setting
.
_password_base64_encode
(
$hash
,
$len
);
// _password_base64_encode() of a 16 byte MD5 will always be 22 characters.
return
(
strlen
(
$output
)
==
34
)
?
$output
:
FALSE
;
// _password_base64_encode() of a 64 byte sha512 will always be 86 characters.
$expected
=
12
+
ceil
((
8
*
$len
)
/
6
);
return
(
strlen
(
$output
)
==
$expected
)
?
substr
(
$output
,
0
,
DRUPAL_HASH_LENGTH
)
:
FALSE
;
}
/**
@@ -182,7 +190,7 @@ function user_hash_password($password, $count_log2 = 0) {
// Use the standard iteration count.
$count_log2
=
variable_get
(
'password_count_log2'
,
DRUPAL_HASH_COUNT
);
}
return
_password_crypt
(
$password
,
_password_generate_salt
(
$count_log2
));
return
_password_crypt
(
'sha512'
,
$password
,
_password_generate_salt
(
$count_log2
));
}
/**
@@ -201,7 +209,7 @@ function user_hash_password($password, $count_log2 = 0) {
* TRUE or FALSE.
*/
function
user_check_password
(
$password
,
$account
)
{
if
(
substr
(
$account
->
pass
,
0
,
3
)
==
'U$
P
'
)
{
if
(
substr
(
$account
->
pass
,
0
,
2
)
==
'U$'
)
{
// This may be an updated password from user_update_7000(). Such hashes
// have 'U' added as the first character and need an extra md5().
$stored_hash
=
substr
(
$account
->
pass
,
1
);
@@ -210,7 +218,23 @@ function user_check_password($password, $account) {
else
{
$stored_hash
=
$account
->
pass
;
}
$hash
=
_password_crypt
(
$password
,
$stored_hash
);
$type
=
substr
(
$stored_hash
,
0
,
3
);
switch
(
$type
)
{
case
'$S$'
:
// A normal Drupal 7 password using sha512.
$hash
=
_password_crypt
(
'sha512'
,
$password
,
$stored_hash
);
break
;
case
'$H$'
:
// phpBB3 uses "$H$" for the same thing as "$P$".
case
'$P$'
:
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$hash
=
_password_crypt
(
'md5'
,
$password
,
$stored_hash
);
break
;
default
:
return
FALSE
;
}
return
(
$hash
&&
$stored_hash
==
$hash
);
}
@@ -234,7 +258,7 @@ function user_check_password($password, $account) {
*/
function
user_needs_new_hash
(
$account
)
{
// Check whether this was an updated password.
if
((
substr
(
$account
->
pass
,
0
,
3
)
!=
'$
P
$'
)
||
(
strlen
(
$account
->
pass
)
!=
34
))
{
if
((
substr
(
$account
->
pass
,
0
,
3
)
!=
'$
S
$'
)
||
(
strlen
(
$account
->
pass
)
!=
DRUPAL_HASH_LENGTH
))
{
return
TRUE
;
}
// Check whether the iteration count used differs from the standard number.
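Review bot: _password_crypt's docblock now says `$setting` must be at least 12 characters, but nothing enforces it: after `substr($setting, 0, 12)` the check `$setting[0] != '$' || $setting[2] != '$'` reads offset 2 of whatever was passed, so a one- or two-character string raises an uninitialized-offset notice, and anything between 3 and 11 characters presumably proceeds with a truncated salt (the salt extraction is outside the hunk). Add `if (strlen($setting) < 12) { return FALSE; }` right after the `substr()` call, or fold it into the existing `if`. In user_check_password the final `$stored_hash == $hash` should be `===`; a hand-rolled constant-time compare is arguably not worth it against a stretched hash, but strict comparison is free. The `$S$` prefix and the DRUPAL_HASH_LENGTH truncation to 55 characters (43 of the 86 base64 characters of the sha512 digest) are reasonable, but the DRUPAL_HASH_LENGTH docblock should say explicitly that the stored hash is a deliberate truncation so the `$expected` check in _password_crypt is not "fixed" later.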
includes/session.inc
@@ -206,7 +206,10 @@ function drupal_session_initialize() {
// processes (like drupal_get_token()) needs to know the future
// session ID in advance.
$user
=
drupal_anonymous_user
();
session_id
(
md5
(
uniqid
(
''
,
TRUE
)));
// Less random sessions (which are much faster to generate) are used for
// anonymous users than are generated in drupal_session_regenerate() when
// a user becomes authenticated.
session_id
(
drupal_hash_base64
(
uniqid
(
mt_rand
(),
TRUE
)));
}
date_default_timezone_set
(
drupal_get_user_timezone
());
}
@@ -284,7 +287,7 @@ function drupal_session_regenerate() {
if
(
$is_https
&&
variable_get
(
'https'
,
FALSE
))
{
$insecure_session_name
=
substr
(
session_name
(),
1
);
$params
=
session_get_cookie_params
();
$session_id
=
md5
(
uniqid
(
mt_rand
(),
TRUE
));
$session_id
=
drupal_hash_base64
(
uniqid
(
mt_rand
(),
TRUE
)
.
drupal_random_bytes
(
55
)
);
setcookie
(
$insecure_session_name
,
$session_id
,
REQUEST_TIME
+
$params
[
'lifetime'
],
$params
[
'path'
],
$params
[
'domain'
],
FALSE
,
$params
[
'httponly'
]);
$_COOKIE
[
$insecure_session_name
]
=
$session_id
;
}
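Review bot: The anonymous session id in drupal_session_initialize, `drupal_hash_base64(uniqid(mt_rand(), TRUE))`, is only as unpredictable as the microsecond clock and mt_rand(), and the comment justifies this by generation speed — but drupal_random_bytes() (added in this commit) reads and buffers 4096 bytes from /dev/urandom on its first call, so one extra read per request is not a meaningful cost. Since the comment at the top of the hunk says this id must be known in advance for drupal_get_token(), I would use the same construction as drupal_session_regenerate below: `session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)));`. If the weaker id is intentional, the comment should state what threat it is accepting rather than "less random"; the CSRF token is also keyed with the private key, so a guessed anonymous id does not by itself forge tokens, but I cannot see what else an anonymous session may carry.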
includes/update.inc
@@ -294,7 +294,7 @@ function update_fix_d7_requirements() {
global
$update_rewrite_settings
,
$db_url
;
if
(
!
empty
(
$update_rewrite_settings
))
{
$databases
=
update_parse_db_url
(
$db_url
);
$salt
=
sha1
(
drupal_random_bytes
(
64
));
$salt
=
drupal_hash_base64
(
drupal_random_bytes
(
55
));
file_put_contents
(
conf_path
()
.
'/settings.php'
,
"
\n
"
.
'$databases = '
.
var_export
(
$databases
,
TRUE
)
.
";
\n\$
drupal_hash_salt = '
$salt
';"
,
FILE_APPEND
);
}
if
(
drupal_get_installed_schema_version
(
'system'
)
<
7000
&&
!
variable_get
(
'update_d7_requirements'
,
FALSE
))
{
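Review bot: The return value of `file_put_contents(conf_path() . '/settings.php', ..., FILE_APPEND)` in update_fix_d7_requirements is ignored, so if settings.php is not writable during the upgrade the freshly generated `$drupal_hash_salt` is silently lost and the site keeps running on drupal_get_hash_salt()'s fallback (a hash of the database credentials) with no indication that anything went wrong. Check the result and surface it, e.g. `if (file_put_contents(...) === FALSE) { throw new Exception('Unable to write $drupal_hash_salt to settings.php.'); }` or whatever error path the update system provides (not visible here). The salt itself is URL-safe base64 from drupal_hash_base64(), so embedding it inside single quotes is safe.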
modules/aggregator/aggregator.install
@@ -170,10 +170,10 @@ function aggregator_schema() {
),
'hash'
=>
array
(
'type'
=>
'varchar'
,
'length'
=>
32
,
'length'
=>
64
,
'not null'
=>
TRUE
,
'default'
=>
''
,
'description'
=>
'Calculated
md5
hash of the feed data, used for validating cache.'
,
'description'
=>
'Calculated hash of the feed data, used for validating cache.'
,
),
'etag'
=>
array
(
'type'
=>
'varchar'
,
@@ -275,7 +275,7 @@ function aggregator_schema() {
* Add hash column to aggregator_feed table.
*/
function
aggregator_update_7000
()
{
db_add_field
(
'aggregator_feed'
,
'hash'
,
array
(
'type'
=>
'varchar'
,
'length'
=>
32
,
'not null'
=>
TRUE
,
'default'
=>
''
));
db_add_field
(
'aggregator_feed'
,
'hash'
,
array
(
'type'
=>
'varchar'
,
'length'
=>
64
,
'not null'
=>
TRUE
,
'default'
=>
''
));
}
/**
@@ -297,3 +297,4 @@ function aggregator_update_7002() {
));
db_add_index
(
'aggregator_feed'
,
'queued'
,
array
(
'queued'
));
}
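Review bot: aggregator_update_7000 was edited in place to create `hash` as varchar(64), but any site that already ran 7000 keeps a 32-character column while aggregator_refresh now stores the 64-character hex sha256; on MySQL in non-strict mode the value is presumably truncated so `$feed->hash != $hash` is always true and every feed is re-parsed on every refresh, and on PostgreSQL or strict MySQL the write fails outright. Unless an update hook outside this diff already widens the column, a new update is needed; the last hunk shows only 7002 ending, so 7003 is the next free number. A sketch follows.
```php
/**
 * Widen the hash column so it can hold a hex-encoded sha-256 digest.
 */
function aggregator_update_7003() {
  db_change_field('aggregator_feed', 'hash', 'hash', array('type' => 'varchar', 'length' => 64, 'not null' => TRUE, 'default' => ''));
}
```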
modules/aggregator/aggregator.module
@@ -614,12 +614,12 @@ function aggregator_refresh($feed) {
list
(
$fetcher
,
$parser
,
$processors
)
=
_aggregator_get_variables
();
$success
=
module_invoke
(
$fetcher
,
'aggregator_fetch'
,
$feed
);
// We store the
md5
hash of feed data in the database. When refreshing a
// We store the hash of feed data in the database. When refreshing a
// feed we compare stored hash and new hash calculated from downloaded
// data. If both are equal we say that feed is not updated.
$
md5
=
md5
(
$feed
->
source_string
);
$
hash
=
hash
(
'sha256'
,
$feed
->
source_string
);
if
(
$success
&&
(
$feed
->
hash
!=
$
md5
))
{
if
(
$success
&&
(
$feed
->
hash
!=
$
hash
))
{
// Parse the feed.
if
(
module_invoke
(
$parser
,
'aggregator_parse'
,
$feed
))
{
// Update feed with parsed data.
@@ -630,7 +630,7 @@ function aggregator_refresh($feed) {
'link'
=>
empty
(
$feed
->
link
)
?
$feed
->
url
:
$feed
->
link
,
'description'
=>
empty
(
$feed
->
description
)
?
''
:
$feed
->
description
,
'image'
=>
empty
(
$feed
->
image
)
?
''
:
$feed
->
image
,
'hash'
=>
$
md5
,
'hash'
=>
$
hash
,
'etag'
=>
empty
(
$feed
->
etag
)
?
''
:
$feed
->
etag
,
'modified'
=>
empty
(
$feed
->
modified
)
?
0
:
$feed
->
modified
,
))
modules/aggregator/tests/aggregator_test.module
@@ -25,7 +25,7 @@ function aggregator_test_menu() {
*/
function
aggregator_test_feed
(
$use_last_modified
=
FALSE
,
$use_etag
=
FALSE
)
{
$last_modified
=
strtotime
(
'Sun, 19 Nov 1978 05:00:00 GMT'
);
$etag
=
md5
(
$last_modified
);
$etag
=
drupal_hash_base64
(
$last_modified
);
$if_modified_since
=
isset
(
$_SERVER
[
'HTTP_IF_MODIFIED_SINCE'
])
?
strtotime
(
$_SERVER
[
'HTTP_IF_MODIFIED_SINCE'
])
:
FALSE
;
$if_none_match
=
isset
(
$_SERVER
[
'HTTP_IF_NONE_MATCH'
])
?
stripslashes
(
$_SERVER
[
'HTTP_IF_NONE_MATCH'
])
:
FALSE
;
modules/book/book.admin.inc
@@ -154,7 +154,7 @@ function _book_admin_table($node, &$form) {
$tree
=
book_menu_subtree_data
(
$node
->
book
);
$tree
=
array_shift
(
$tree
);
// Do not include the book item itself.
if
(
$tree
[
'below'
])
{
$hash
=
sha1
(
serialize
(
$tree
[
'below'
]));
$hash
=
drupal_hash_base64
(
serialize
(
$tree
[
'below'
]));
// Store the hash value as a hidden form element so that we can detect
// if another user changed the book hierarchy.
$form
[
'tree_hash'
]
=
array
(
modules/book/book.module
@@ -1273,7 +1273,7 @@ function book_menu_subtree_data($link) {
$data
[
'node_links'
]
=
array
();
menu_tree_collect_node_links
(
$data
[
'tree'
],
$data
[
'node_links'
]);
// Compute the real cid for book subtree data.
$tree_cid
=
'links:'
.
$item
[
'menu_name'
]
.
':subtree-data:'
.
md5
(
serialize
(
$data
));
$tree_cid
=
'links:'
.
$item
[
'menu_name'
]
.
':subtree-data:'
.
hash
(
'sha256'
,
serialize
(
$data
));