Commit 30a95c80 authored by David_Rothstein's avatar David_Rothstein

Issue #1739986 by RobLoach, pwolanin, sun, Berdir, moshe weitzman, andypost,...

Issue #1739986 by RobLoach, pwolanin, sun, Berdir, moshe weitzman, andypost, dcam: Fixed fallback in drupal_get_hash_salt(), move it to bootstrap.inc, use instead of $GLOBALS['drupal_hash_salt()'].
parent 43c8918f
Drupal 7.23, xxxx-xx-xx (development version)
-----------------------
- Moved the drupal_get_hash_salt() function to bootstrap.inc and used it in
additional places in the code, for added security in the case where there is
no hash salt in settings.php.
- Fixed a regression in Drupal 7.22 that caused internal server errors for
sites running on very old Apache 1.x web servers.
......@@ -2232,6 +2232,19 @@ function drupal_get_user_timezone() {
}
}
/**
* Gets a salt useful for hardening against SQL injection.
*
* @return
* A salt based on information in settings.php, not in the database.
*/
function drupal_get_hash_salt() {
global $drupal_hash_salt, $databases;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}
/**
* Provides custom PHP error handling.
*
......@@ -2452,7 +2465,6 @@ function drupal_get_bootstrap_phase() {
* HMAC and timestamp.
*/
function drupal_valid_test_ua() {
global $drupal_hash_salt;
// No reason to reset this.
static $test_prefix;
......@@ -2466,7 +2478,7 @@ function drupal_valid_test_ua() {
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
// Since we are making a local request a 5 second time window is allowed,
// and the HMAC must match.
......@@ -2484,14 +2496,13 @@ function drupal_valid_test_ua() {
* Generates a user agent string with a HMAC and timestamp for simpletest.
*/
function drupal_generate_test_ua($prefix) {
global $drupal_hash_salt;
static $key;
if (!isset($key)) {
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
}
// Generate a moderately secure HMAC based on the database credentials.
$salt = uniqid('', TRUE);
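Review bot: The fallback branch in `return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;` produces a fixed, publicly known value whenever `$databases` is also unset, because `serialize(NULL)` is the constant string `'N;'`, so in that configuration the HMAC keys built in drupal_valid_test_ua() and drupal_generate_test_ua() rest only on `filectime(__FILE__) . fileinode(__FILE__)`. The docblock should state the limit rather than leave it implicit: `*   A salt based on information in settings.php, not in the database. When`, `*   $drupal_hash_salt is empty a hash of the $databases array is used; if that`, `*   is empty too the result is predictable and gives no protection.` The summary line "Gets a salt useful for hardening against SQL injection" also does not match the function's use in this commit, where it is only a component of HMAC keys; "Gets the hash salt used when building HMAC keys" would describe it. The retained comments "We use the salt from settings.php to make the HMAC key" above both new `drupal_get_hash_salt()` calls are now approximate for the same reason, since the value may be the database-credential fallback.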
......@@ -5034,19 +5034,6 @@ function drupal_json_output($var = NULL) {
}
}
/**
* Gets a salt useful for hardening against SQL injection.
*
* @return
* A salt based on information in settings.php, not in the database.
*/
function drupal_get_hash_salt() {
global $drupal_hash_salt, $databases;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}
/**
* Ensures the private key variable used to generate tokens is set.
*
......@@ -5069,8 +5056,10 @@ function drupal_get_private_key() {
*
* @return string
* A 43-character URL-safe token for validation, based on the user session ID,
* the global $drupal_hash_salt variable from settings.php, and the
* the hash salt provided from drupal_get_hash_salt(), and the
* 'drupal_private_key' configuration variable.
*
* @see drupal_get_hash_salt()
*/
function drupal_get_token($value = '') {
return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());