Commit 7061f3b3 authored by Dries's avatar Dries

- Issue #1739986 by pwolanin, sun, moshe weitzman: Fixed fallback in...

- Issue #1739986 by pwolanin, sun, moshe weitzman: Fixed fallback in drupal_get_hash_salt(), move it to bootstrap.inc, use instead of ['drupal_hash_salt()'].
parent bb3b4b99
......@@ -1997,14 +1997,12 @@ function drupal_hash_base64($data) {
/**
* Gets a salt useful for hardening against SQL injection.
*
* @return
* @return string
* A salt based on information in settings.php, not in the database.
*/
function drupal_get_hash_salt() {
global $drupal_hash_salt;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? hash('sha256', serialize(Database::getConnectionInfo('default'))) : $drupal_hash_salt;
return !empty($drupal_hash_salt) ? $drupal_hash_salt : '';
}
/**
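Review bot: The rewritten drupal_get_hash_salt() returns an empty string when `$drupal_hash_salt` is unset in settings.php, and nothing in the hunk surfaces that, so the HMAC keys built from it in drupal_valid_test_ua() and drupal_generate_test_ua() (the later hunks of this commit) silently shrink to `filectime(__FILE__) . fileinode(__FILE__)`, far less entropy than the comments there promise. A missing salt is a configuration error and should fail loudly rather than degrade; consider `if (empty($drupal_hash_salt)) { throw new \RuntimeException('Missing $drupal_hash_salt in settings.php.'); }` ahead of the return, or at minimum document the case in the docblock: ` *   A salt based on information in settings.php, not in the database, or an empty string if $drupal_hash_salt is not set.` Note also that `!empty($drupal_hash_salt) ? $drupal_hash_salt : ''` passes a non-string setting through unchanged, so the new `@return string` only holds when settings.php assigns a string.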
......@@ -2256,12 +2254,12 @@ function _drupal_bootstrap_configuration() {
// Initialize the configuration, including variables from settings.php.
drupal_settings_initialize();
// Make sure we are using the test database prefix in child Drupal sites.
_drupal_initialize_db_test_prefix();
// Activate the class loader.
drupal_classloader();
// Make sure we are using the test database prefix in child Drupal sites.
_drupal_initialize_db_test_prefix();
// Load the procedural configuration system helper functions.
require_once DRUPAL_ROOT . '/core/includes/config.inc';
// Redirect the user to the installation script if Drupal has not been
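Review bot: The reason `_drupal_initialize_db_test_prefix()` now has to run after `drupal_classloader()` is not recorded, so the next refactor can move it back. Presumably the prefix initialisation needs classes the loader registers; if so, extend the comment that travels with the call: `// Make sure we are using the test database prefix in child Drupal sites. This must run after the class loader is active.` _drupal_bootstrap_configuration() continues outside the hunk.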
......@@ -2550,9 +2548,9 @@ function drupal_valid_test_ua($new_prefix = NULL) {
if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^(simpletest\d+);(.+);(.+);(.+)$/", $_SERVER['HTTP_USER_AGENT'], $matches)) {
list(, $prefix, $time, $salt, $hmac) = $matches;
$check_string = $prefix . ';' . $time . ';' . $salt;
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
// Use the salt from settings.php to create the HMAC key, since no services
// are available yet. The file properties add more entropy not easily
// accessible to others.
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
// Since we are making a local request a 5 second time window is allowed,
......@@ -2574,9 +2572,9 @@ function drupal_generate_test_ua($prefix) {
static $key;
if (!isset($key)) {
// We use the salt from settings.php to make the HMAC key, since
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
// Use the salt from settings.php to create the HMAC key, since no services
// are available yet. The file properties add more entropy not easily
// accessible to others.
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
}
// Generate a moderately secure HMAC based on the database credentials.