Commit f3966d6c authored by alexpott's avatar alexpott

Issue #1739986 by RobLoach, pwolanin, sun, moshe weitzman, andypost: Fix...

Issue #1739986 by RobLoach, pwolanin, sun, moshe weitzman, andypost: Fix fallback in drupal_get_hash_salt(), move it to bootstrap.inc, use instead of ['drupal_hash_salt()'].
parent 229872b3
......@@ -2232,6 +2232,19 @@ function drupal_get_user_timezone() {
}
}
/**
* Gets a salt useful for hardening against SQL injection.
*
* @return
* A salt based on information in settings.php, not in the database.
*/
function drupal_get_hash_salt() {
global $drupal_hash_salt, $databases;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}
/**
* Provides custom PHP error handling.
*
......@@ -2591,7 +2604,6 @@ function typed_data() {
* HMAC and timestamp.
*/
function drupal_valid_test_ua($new_prefix = NULL) {
global $drupal_hash_salt;
static $test_prefix;
if (isset($new_prefix)) {
......@@ -2607,7 +2619,7 @@ function drupal_valid_test_ua($new_prefix = NULL) {
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
// Since we are making a local request a 5 second time window is allowed,
// and the HMAC must match.
......@@ -2663,14 +2675,13 @@ function _drupal_load_test_overrides($test_prefix) {
* Generates a user agent string with a HMAC and timestamp for simpletest.
*/
function drupal_generate_test_ua($prefix) {
global $drupal_hash_salt;
static $key;
if (!isset($key)) {
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
}
// Generate a moderately secure HMAC based on the database credentials.
$salt = uniqid('', TRUE);
......@@ -3186,7 +3197,7 @@ function drupal_classloader($class_loader = NULL) {
}
if ($class_loader === 'apc') {
require_once DRUPAL_ROOT . '/core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/ApcClassLoader.php';
$apc_loader = new ApcClassLoader('drupal.' . $GLOBALS['drupal_hash_salt'], $loader);
$apc_loader = new ApcClassLoader('drupal.' . drupal_get_hash_salt(), $loader);
$apc_loader->register();
}
else {
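Review bot: The APC class-loader prefix in drupal_classloader(), `'drupal.' . drupal_get_hash_salt()`, writes the raw hash salt into every APC cache key, while this same commit uses that value as HMAC key material in drupal_valid_test_ua(), drupal_generate_test_ua(), drupal_get_token() and as the PhpStorage `'secret'`; anything on the host that can list the shared APC cache would then be able to read it, so derive the prefix instead, e.g. `'drupal.' . hash('sha256', DRUPAL_ROOT . drupal_get_hash_salt())`. The docblock of the relocated drupal_get_hash_salt() still says the salt hardens against SQL injection, which none of its callers in this commit do; suggest `* Gets the site-specific hash salt used as secret key material (HMACs, tokens, PHP storage).` The fallback `hash('sha256', serialize($databases))` silently substitutes a value that is only as unpredictable as the database credentials, which in development setups are often defaults; a comment such as `// This fallback is weaker than a configured salt; settings.php should set $drupal_hash_salt.` would make the degradation explicit to maintainers. drupal_classloader(), drupal_valid_test_ua() and drupal_generate_test_ua() all start or end outside their hunks.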
......@@ -4841,19 +4841,6 @@ function drupal_json_decode($var) {
return json_decode($var, TRUE);
}
/**
* Gets a salt useful for hardening against SQL injection.
*
* @return
* A salt based on information in settings.php, not in the database.
*/
function drupal_get_hash_salt() {
global $drupal_hash_salt, $databases;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}
/**
* Ensures the private key variable used to generate tokens is set.
*
......@@ -4876,8 +4863,10 @@ function drupal_get_private_key() {
*
* @return string
* A 43-character URL-safe token for validation, based on the user session ID,
* the global $drupal_hash_salt variable from settings.php, and the
* the hash salt provided from drupal_get_hash_salt(), and the
* 'drupal_private_key' configuration variable.
*
* @see drupal_get_hash_salt()
*/
function drupal_get_token($value = '') {
return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
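Review bot: The updated docblock for drupal_get_token() names drupal_get_hash_salt() as a key component but not that function's fallback: when $drupal_hash_salt is unset the salt is sha256 of the serialized $databases array, so changing database credentials invalidates every outstanding token. Suggest adding below the @return description: `* If no $drupal_hash_salt is configured the salt is derived from the database credentials, so changing them invalidates all previously issued tokens.` The function's closing brace is outside the hunk.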
......@@ -41,7 +41,7 @@ static function get($name) {
else {
$configuration = array(
'class' => 'Drupal\Component\PhpStorage\MTimeProtectedFileStorage',
'secret' => $GLOBALS['drupal_hash_salt'],
'secret' => drupal_get_hash_salt(),
);
}
$class = isset($configuration['class']) ? $configuration['class'] : 'Drupal\Component\PhpStorage\MTimeProtectedFileStorage';
......@@ -33,7 +33,7 @@ function setUp() {
'bin' => 'service_container',
'class' => 'Drupal\Component\PhpStorage\MTimeProtectedFileStorage',
'directory' => DRUPAL_ROOT . '/' . $this->public_files_directory . '/php',
'secret' => $GLOBALS['drupal_hash_salt'],
'secret' => drupal_get_hash_salt(),
);
// Use a non-persistent cache to avoid queries to non-existing tables.
$this->settingsSet('cache', array('default' => 'cache.backend.memory'));