From 90c51b9047b59c54c9a564916e56e2679622c748 Mon Sep 17 00:00:00 2001
From: Dave Long <dave@longwaveconsulting.com>
Date: Thu, 16 Feb 2023 22:18:03 +0000
Subject: [PATCH] Issue #3296293 by andypost, amjad1233, mfb, smustgrave,
 _utsavsharma, jordanpagewhite, longwave, geek-merlin: Apply
 SensitiveParameter attribute

---
 core/lib/Drupal/Core/FileTransfer/FTP.php              | 2 +-
 core/lib/Drupal/Core/FileTransfer/SSH.php              | 2 +-
 core/lib/Drupal/Core/Password/PasswordInterface.php    | 4 ++--
 core/lib/Drupal/Core/Password/PhpassHashedPassword.php | 8 ++++----
 core/lib/Drupal/Core/PrivateKey.php                    | 2 +-
 core/lib/Drupal/Core/Session/SessionHandler.php        | 6 +++---
 core/modules/user/src/Entity/User.php                  | 4 ++--
 core/modules/user/src/UserAuth.php                     | 2 +-
 core/modules/user/src/UserAuthInterface.php            | 2 +-
 core/modules/user/src/UserInterface.php                | 4 ++--
 core/profiles/demo_umami/demo_umami.profile            | 2 +-
 11 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/core/lib/Drupal/Core/FileTransfer/FTP.php b/core/lib/Drupal/Core/FileTransfer/FTP.php
index 83cf66bed483..a7adcab2f444 100644
--- a/core/lib/Drupal/Core/FileTransfer/FTP.php
+++ b/core/lib/Drupal/Core/FileTransfer/FTP.php
@@ -10,7 +10,7 @@ abstract class FTP extends FileTransfer {
   /**
    * {@inheritdoc}
    */
-  public function __construct($jail, $username, $password, $hostname, $port) {
+  public function __construct($jail, $username, #[\SensitiveParameter] $password, $hostname, $port) {
     $this->username = $username;
     $this->password = $password;
     $this->hostname = $hostname;
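Review bot: The plaintext is still copied into `$this->password` inside `__construct()`, so the attribute only redacts the argument slot of this one frame (and only on PHP 8.2+). Anything that dumps or serializes the transfer object, or a trace captured with object arguments, can still expose the password. I would add a comment above the assignment, e.g. `// #[\SensitiveParameter] redacts only the constructor argument in traces; $this->password still holds the plaintext, so never log or dump this object.` The same applies to the `SSH::__construct()` hunk. The constructor body continues past the end of this hunk.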
diff --git a/core/lib/Drupal/Core/FileTransfer/SSH.php b/core/lib/Drupal/Core/FileTransfer/SSH.php
index e6b883f32b01..3fd719021317 100644
--- a/core/lib/Drupal/Core/FileTransfer/SSH.php
+++ b/core/lib/Drupal/Core/FileTransfer/SSH.php
@@ -10,7 +10,7 @@ class SSH extends FileTransfer implements ChmodInterface {
   /**
    * {@inheritdoc}
    */
-  public function __construct($jail, $username, $password, $hostname = "localhost", $port = 22) {
+  public function __construct($jail, $username, #[\SensitiveParameter] $password, $hostname = "localhost", $port = 22) {
     $this->username = $username;
     $this->password = $password;
     $this->hostname = $hostname;
diff --git a/core/lib/Drupal/Core/Password/PasswordInterface.php b/core/lib/Drupal/Core/Password/PasswordInterface.php
index b38cc79f89e4..f9fcfa849e44 100644
--- a/core/lib/Drupal/Core/Password/PasswordInterface.php
+++ b/core/lib/Drupal/Core/Password/PasswordInterface.php
@@ -21,7 +21,7 @@ interface PasswordInterface {
    * @return string
    *   A string containing the hashed password, or FALSE on failure.
    */
-  public function hash($password);
+  public function hash(#[\SensitiveParameter] $password);
 
   /**
    * Check whether a plain text password matches a hashed password.
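Review bot: The attribute on `hash()` here (and on `check()` in the next hunk) documents intent but, as far as I know, redacts nothing by itself. PHP does not inherit parameter attributes, and trace redaction is decided by the concrete method that is actually on the stack. Implementations outside this commit would have to repeat it, so the docblock should say so, e.g. `Implementations must repeat #[\SensitiveParameter] on $password; it is not inherited from the interface.` The same holds for the `UserAuthInterface::authenticate()` and `UserInterface::setPassword()` / `setExistingPassword()` hunks. The docblock for `hash()` starts above this hunk.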
@@ -34,7 +34,7 @@ public function hash($password);
    * @return bool
    *   TRUE if the password is valid, FALSE if not.
    */
-  public function check($password, $hash);
+  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash);
 
   /**
    * Check whether a hashed password needs to be replaced with a new hash.
diff --git a/core/lib/Drupal/Core/Password/PhpassHashedPassword.php b/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
index de702d3ff572..68426066e045 100644
--- a/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
+++ b/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
@@ -155,7 +155,7 @@ protected function enforceLog2Boundaries($count_log2) {
    *   A string containing the hashed password (and salt) or FALSE on failure.
    *   The return string will be truncated at HASH_LENGTH characters max.
    */
-  protected function crypt($algo, $password, $setting) {
+  protected function crypt($algo, #[\SensitiveParameter] $password, $setting) {
     // Prevent DoS attacks by refusing to hash large passwords.
     if (strlen($password) > PasswordInterface::PASSWORD_MAX_LENGTH) {
       return FALSE;
@@ -213,14 +213,14 @@ public function getCountLog2($setting) {
   /**
    * {@inheritdoc}
    */
-  public function hash($password) {
+  public function hash(#[\SensitiveParameter] $password) {
     return $this->crypt('sha512', $password, $this->generateSalt());
   }
 
   /**
    * {@inheritdoc}
    */
-  public function check($password, $hash) {
+  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash) {
     if (substr($hash, 0, 2) == 'U$') {
       // This may be an updated password from user_update_7000(). Such hashes
       // have 'U' added as the first character and need an extra md5() (see the
@@ -258,7 +258,7 @@ public function check($password, $hash) {
   /**
    * {@inheritdoc}
    */
-  public function needsRehash($hash) {
+  public function needsRehash(#[\SensitiveParameter] $hash) {
     // Check whether this was an updated password.
     if ((substr($hash, 0, 3) != '$S$') || (strlen($hash) != static::HASH_LENGTH)) {
       return TRUE;
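Review bot: `needsRehash()` gets `#[\SensitiveParameter] $hash` here, but the `PasswordInterface.php` diff in this patch changes only `hash()` and `check()`, so the interface declaration of `needsRehash($hash)` appears to stay unannotated. For consistency with how `hash()` and `check()` are treated, the interface should probably read `public function needsRehash(#[\SensitiveParameter] $hash);`. The method body continues outside this hunk.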
diff --git a/core/lib/Drupal/Core/PrivateKey.php b/core/lib/Drupal/Core/PrivateKey.php
index 38d0d336dba3..2ff9cf2ca87d 100644
--- a/core/lib/Drupal/Core/PrivateKey.php
+++ b/core/lib/Drupal/Core/PrivateKey.php
@@ -48,7 +48,7 @@ public function get() {
    * @param string $key
    *   The private key to set.
    */
-  public function set($key) {
+  public function set(#[\SensitiveParameter] $key) {
     return $this->state->set('system.private_key', $key);
   }
 
diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php
index 420864e62345..9917cdb079d1 100644
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -55,7 +55,7 @@ public function open($save_path, $name) {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function read($sid) {
+  public function read(#[\SensitiveParameter] $sid) {
     $data = '';
     if (!empty($sid)) {
       // Read the session data from the database.
@@ -70,7 +70,7 @@ public function read($sid) {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function write($sid, $value) {
+  public function write(#[\SensitiveParameter] $sid, $value) {
     // The exception handler is not active at this point, so we need to do it
     // manually.
     try {
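Review bot: `write()` marks `$sid` but leaves `$value` unmarked, and `$value` is presumably the serialized session payload, which may carry tokens or other per-user secrets. The comment in this hunk says exceptions are handled manually here, so this frame is a likely one to end up in a logged trace. Consider `public function write(#[\SensitiveParameter] $sid, #[\SensitiveParameter] $value) {`, or add a comment explaining why the payload is deliberately left visible. The `try` block opens on the last line of the hunk and the rest of the method is not visible here.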
@@ -111,7 +111,7 @@ public function close() {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function destroy($sid) {
+  public function destroy(#[\SensitiveParameter] $sid) {
     // Delete session data.
     $this->connection->delete('sessions')
       ->condition('sid', Crypt::hashBase64($sid))
diff --git a/core/modules/user/src/Entity/User.php b/core/modules/user/src/Entity/User.php
index 145a80dc4028..1ea54bf04a81 100644
--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -230,7 +230,7 @@ public function getPassword() {
   /**
    * {@inheritdoc}
    */
-  public function setPassword($password) {
+  public function setPassword(#[\SensitiveParameter] $password) {
     $this->get('pass')->value = $password;
     return $this;
   }
@@ -400,7 +400,7 @@ public function setUsername($username) {
   /**
    * {@inheritdoc}
    */
-  public function setExistingPassword($password) {
+  public function setExistingPassword(#[\SensitiveParameter] $password) {
     $this->get('pass')->existing = $password;
     return $this;
   }
diff --git a/core/modules/user/src/UserAuth.php b/core/modules/user/src/UserAuth.php
index e0df09714ee0..03ad41af3c03 100644
--- a/core/modules/user/src/UserAuth.php
+++ b/core/modules/user/src/UserAuth.php
@@ -40,7 +40,7 @@ public function __construct(EntityTypeManagerInterface $entity_type_manager, Pas
   /**
    * {@inheritdoc}
    */
-  public function authenticate($username, $password) {
+  public function authenticate($username, #[\SensitiveParameter] $password) {
     $uid = FALSE;
 
     if (!empty($username) && strlen($password) > 0) {
diff --git a/core/modules/user/src/UserAuthInterface.php b/core/modules/user/src/UserAuthInterface.php
index 91f2cc342c69..7c3bfcfad413 100644
--- a/core/modules/user/src/UserAuthInterface.php
+++ b/core/modules/user/src/UserAuthInterface.php
@@ -18,6 +18,6 @@ interface UserAuthInterface {
    * @return int|bool
    *   The user's uid on success, or FALSE on failure to authenticate.
    */
-  public function authenticate($username, $password);
+  public function authenticate($username, #[\SensitiveParameter] $password);
 
 }
diff --git a/core/modules/user/src/UserInterface.php b/core/modules/user/src/UserInterface.php
index 5e571a58fd45..bbbacff52311 100644
--- a/core/modules/user/src/UserInterface.php
+++ b/core/modules/user/src/UserInterface.php
@@ -112,7 +112,7 @@ public function getPassword();
    * @return $this
    *   The called user entity.
    */
-  public function setPassword($password);
+  public function setPassword(#[\SensitiveParameter] $password);
 
   /**
    * Sets the email address of the user.
@@ -213,7 +213,7 @@ public function getInitialEmail();
    *
    * @return $this
    */
-  public function setExistingPassword($password);
+  public function setExistingPassword(#[\SensitiveParameter] $password);
 
   /**
    * Checks the existing password if set.
diff --git a/core/profiles/demo_umami/demo_umami.profile b/core/profiles/demo_umami/demo_umami.profile
index 8fd785736335..e1f880595f93 100644
--- a/core/profiles/demo_umami/demo_umami.profile
+++ b/core/profiles/demo_umami/demo_umami.profile
@@ -32,7 +32,7 @@ function demo_umami_form_install_configure_submit($form, FormStateInterface $for
 /**
  * Sets the password of admin to be the password for all users.
  */
-function demo_umami_set_users_passwords($admin_password) {
+function demo_umami_set_users_passwords(#[\SensitiveParameter] $admin_password) {
   // Collect the IDs of all users with roles editor or author.
   $ids = \Drupal::entityQuery('user')
     ->accessCheck(FALSE)
-- 
GitLab