Commit 71713081 authored by Dries's avatar Dries

- Patch #723802 by pwolanin, grendzy: convert to sha-256 and hmac from md5 and sha1.

parent 2a2f4cc0
......@@ -197,7 +197,7 @@ function actions_get_all_actions() {
}
/**
* Creates an associative array keyed by md5 hashes of function names or IDs.
* Creates an associative array keyed by hashes of function names or IDs.
*
* Hashes are used to prevent actual function names from going out into HTML
* forms and coming back.
......@@ -207,14 +207,14 @@ function actions_get_all_actions() {
* and associative arrays with keys 'label', 'type', etc. as values.
* This is usually the output of actions_list() or actions_get_all_actions().
* @return
* An associative array whose keys are md5 hashes of the input array keys, and
* An associative array whose keys are hashes of the input array keys, and
* whose corresponding values are associative arrays with components
* 'callback', 'label', 'type', and 'configurable' from the input array.
*/
function actions_actions_map($actions) {
$actions_map = array();
foreach ($actions as $callback => $array) {
$key = md5($callback);
$key = drupal_hash_base64($callback);
$actions_map[$key]['callback'] = isset($array['callback']) ? $array['callback'] : $callback;
$actions_map[$key]['label'] = $array['label'];
$actions_map[$key]['type'] = $array['type'];
......@@ -224,12 +224,12 @@ function actions_actions_map($actions) {
}
/**
* Given an md5 hash of an action array key, returns the key (function or ID).
* Given a hash of an action array key, returns the key (function or ID).
*
* Faster than actions_actions_map() when you only need the function name or ID.
*
* @param $hash
* MD5 hash of a function name or action ID array key. The array key
* Hash of a function name or action ID array key. The array key
* is a key into the return value of actions_list() (array key is the action
* function name) or actions_get_all_actions() (array key is the action ID).
* @return
......@@ -239,13 +239,20 @@ function actions_function_lookup($hash) {
// Check for a function name match.
$actions_list = actions_list();
foreach ($actions_list as $function => $array) {
if (md5($function) == $hash) {
if (drupal_hash_base64($function) == $hash) {
return $function;
}
}
$aid = FALSE;
// Must be a configurable action; check database.
return db_query("SELECT aid FROM {actions} WHERE MD5(aid) = :hash AND parameters <> ''", array(':hash' => $hash))->fetchField();
$result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC);
foreach ($result as $row) {
if (drupal_hash_base64($row['aid']) == $hash) {
$aid = $row['aid'];
break;
}
}
return $aid;
}
/**
......
......@@ -622,7 +622,7 @@ function drupal_settings_initialize() {
ini_set('session.cookie_secure', TRUE);
}
$prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS';
session_name($prefix . md5($session_name));
session_name($prefix . substr(hash('sha256', $session_name), 0, 32));
}
/**
......@@ -1697,6 +1697,91 @@ function drupal_block_denied($ip) {
}
}
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random source.
*
* @param $count
* The number of characters (bytes) to return in the string.
*/
function drupal_random_bytes($count) {
// $random_state does not use drupal_static as it stores random bytes.
static $random_state, $bytes;
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
if (!isset($random_state)) {
$random_state = print_r($_SERVER, TRUE);
if (function_exists('getmypid')) {
// further initialize with the somewhat random PHP process ID.
$random_state .= getmypid();
}
$bytes = '';
}
if (strlen($bytes) < $count) {
// /dev/urandom is available on many *nix systems and is considered the
// best commonly available pseudo-random source.
if ($fh = @fopen('/dev/urandom', 'rb')) {
// PHP only performs buffered reads, so in reality it will always read
// at least 4096 bytes. Thus, it costs nothing extra to read and store
// that much so as to speed any additional invocations.
$bytes .= fread($fh, max(4096, $count));
fclose($fh);
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through hash() prior to being rolled into $output, that the two hash()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while (strlen($bytes) < $count) {
$random_state = hash('sha256', microtime() . mt_rand() . $random_state);
$bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
}
}
$output = substr($bytes, 0, $count);
$bytes = substr($bytes, $count);
return $output;
}
/**
* Calculate a base-64 encoded, URL-safe sha-256 hmac.
*
* @param $data
* String to be validated with the hmac.
* @param $key
* A secret string key.
*
* @return
* A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function drupal_hmac_base64($data, $key) {
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
// Modify the hmac so it's safe to use in URLs.
return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Calculate a base-64 encoded, URL-safe sha-256 hash.
*
* @param $data
* String to be hashed.
*
* @return
* A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function drupal_hash_base64($data) {
$hash = base64_encode(hash('sha256', $data, TRUE));
// Modify the hash so it's safe to use in URLs.
return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Generates a default anonymous $user object.
*
......@@ -2024,9 +2109,9 @@ function drupal_valid_test_ua($user_agent) {
// the database is not yet initialized and we can't access any Drupal variables.
// The file properties add more entropy not easily accessible to others.
$filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
$key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE);
$key = serialize($databases) . filectime($filepath) . fileinode($filepath);
// The HMAC must match.
return $hmac == base64_encode(hash_hmac('sha1', $check_string, $key, TRUE));
return $hmac == drupal_hmac_base64($check_string, $key);
}
/**
......@@ -2041,12 +2126,12 @@ function drupal_generate_test_ua($prefix) {
// check the HMAC before the database is initialized. filectime()
// and fileinode() are not easily determined from remote.
$filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
$key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE);
$key = serialize($databases) . filectime($filepath) . fileinode($filepath);
}
// Generate a moderately secure HMAC based on the database credentials.
$salt = uniqid('', TRUE);
$check_string = $prefix . ';' . time() . ';' . $salt;
return $check_string . ';' . base64_encode(hash_hmac('sha1', $check_string, $key, TRUE));
return $check_string . ';' . drupal_hmac_base64($check_string, $key);
}
/**
......
......@@ -2895,7 +2895,7 @@ function drupal_aggregate_css(&$css_groups) {
if ($group['preprocess'] && $preprocess_css) {
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
$filename = 'css_' . md5(serialize($group['items'])) . '.css';
$filename = 'css_' . drupal_hash_base64(serialize($group['items'])) . '.css';
$css_groups[$key]['data'] = drupal_build_css_cache($group['items'], $filename);
}
break;
......@@ -3767,7 +3767,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL) {
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
foreach ($files as $key => $file_set) {
$filename = 'js_' . md5(serialize($file_set)) . '.js';
$filename = 'js_' . drupal_hash_base64(serialize($file_set)) . '.js';
$uri = drupal_build_js_cache($file_set, $filename);
// Only include the file if was written successfully. Errors are logged
// using watchdog.
......@@ -4340,45 +4340,6 @@ function drupal_json_output($var = NULL) {
}
}
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random source.
*
* @param $count
* The number of characters (bytes) to return in the string.
*/
function drupal_random_bytes($count) {
// $random_state does not use drupal_static as it stores random bytes.
static $random_state;
// We initialize with the somewhat random PHP process ID on the first call.
if (empty($random_state)) {
$random_state = getmypid();
}
$output = '';
// /dev/urandom is available on many *nix systems and is considered the best
// commonly available pseudo-random source.
if ($fh = @fopen('/dev/urandom', 'rb')) {
$output = fread($fh, $count);
fclose($fh);
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through md5() prior to being rolled into $output, that the two md5()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while (strlen($output) < $count) {
$random_state = md5(microtime() . mt_rand() . $random_state);
$output .= md5(mt_rand() . $random_state, TRUE);
}
return substr($output, 0, $count);
}
/**
* Get a salt useful for hardening against SQL injection.
*
......@@ -4389,7 +4350,7 @@ function drupal_get_hash_salt() {
global $drupal_hash_salt, $databases;
// If the $drupal_hash_salt variable is empty, a hash of the serialized
// database credentials is used as a fallback salt.
return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt;
return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
}
/**
......@@ -4400,7 +4361,7 @@ function drupal_get_hash_salt() {
*/
function drupal_get_private_key() {
if (!($key = variable_get('drupal_private_key', 0))) {
$key = md5(drupal_random_bytes(64));
$key = drupal_hash_base64(drupal_random_bytes(55));
variable_set('drupal_private_key', $key);
}
return $key;
......@@ -4413,10 +4374,7 @@ function drupal_get_private_key() {
* An additional value to base the token on.
*/
function drupal_get_token($value = '') {
$private_key = drupal_get_private_key();
// A single md5() is vulnerable to length-extension attacks, so use it twice.
// @todo: add md5 and sha1 hmac functions to core.
return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key));
return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
}
/**
......@@ -5247,7 +5205,7 @@ function drupal_render_cache_set(&$markup, $elements) {
function drupal_render_cache_by_query($query, $function, $expire = CACHE_TEMPORARY, $granularity = NULL) {
$cache_keys = array_merge(array($function), drupal_render_cid_parts($granularity));
$query->preExecute();
$cache_keys[] = md5(serialize(array((string) $query, $query->getArguments())));
$cache_keys[] = hash('sha256', serialize(array((string) $query, $query->getArguments())));
return array(
'#query' => $query,
'#pre_render' => array($function . '_pre_render'),
......
......@@ -203,7 +203,7 @@ function drupal_build_form($form_id, &$form_state) {
}
$form = drupal_retrieve_form($form_id, $form_state);
$form_build_id = 'form-' . md5(uniqid(mt_rand(), TRUE));
$form_build_id = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
$form['#build_id'] = $form_build_id;
// Fix the form method, if it is 'get' in $form_state, but not in $form.
......@@ -331,7 +331,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
// Otherwise, a new #build_id is generated, to not clobber the previous
// build's data in the form cache; also allowing the user to go back to an
// earlier build, make changes, and re-submit.
$form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . md5(mt_rand());
$form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
// #action defaults to request_uri(), but in case of AJAX and other partial
// rebuilds, the form is submitted to an alternate URL, and the original
......
......@@ -1011,7 +1011,7 @@ function install_settings_form_submit($form, &$form_state) {
'required' => TRUE,
);
$settings['drupal_hash_salt'] = array(
'value' => sha1(drupal_random_bytes(64)),
'value' => drupal_hash_base64(drupal_random_bytes(55)),
'required' => TRUE,
);
drupal_rewrite_settings($settings);
......
......@@ -1680,7 +1680,7 @@ function _locale_rebuild_js($langcode = NULL) {
}
$data .= "'strings': " . drupal_json_encode($translations) . " };";
$data_hash = md5($data);
$data_hash = drupal_hash_base64($data);
}
// Construct the filepath where JS translation files are stored.
......
......@@ -407,9 +407,9 @@ function menu_get_item($path = NULL, $router_item = NULL) {
$parts = array_slice($original_map, 0, MENU_MAX_PARTS);
$ancestors = menu_get_ancestors($parts);
// Since there is no limit to the length of $path, but the cids are
// restricted to 255 characters, use md5() to keep it short yet unique.
$cid = 'menu_item:' . md5($path);
// Since there is no limit to the length of $path, use a hash to keep it
// short yet unique.
$cid = 'menu_item:' . hash('sha256', $path);
if ($cached = cache_get($cid, 'cache_menu')) {
$router_item = $cached->data;
}
......@@ -1238,7 +1238,7 @@ function menu_tree_page_data($menu_name, $max_depth = NULL) {
* Helper function - compute the real cache ID for menu tree data.
*/
function _menu_tree_cid($menu_name, $data) {
return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . md5(serialize($data));
return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . hash('sha256', serialize($data));
}
/**
......
......@@ -16,8 +16,8 @@
/**
* The standard log2 number of iterations for password stretching. This should
* increase by 1 at least every other Drupal version in order to counteract
* increases in the speed and power of computers available to crack the hashes.
* increase by 1 every Drupal version in order to counteract increases in the
* speed and power of computers available to crack the hashes.
*/
define('DRUPAL_HASH_COUNT', 14);
......@@ -31,6 +31,11 @@
*/
define('DRUPAL_MAX_HASH_COUNT', 30);
/**
* The expected (and maximum) number of characters in a hashed password.
*/
define('DRUPAL_HASH_LENGTH', 55);
/**
* Returns a string for mapping an int to the corresponding base 64 character.
*/
......@@ -49,7 +54,7 @@ function _password_itoa64() {
* @return
* Encoded string
*/
function _password_base64_encode($input, $count) {
function _password_base64_encode($input, $count) {
$output = '';
$i = 0;
$itoa64 = _password_itoa64();
......@@ -93,7 +98,7 @@ function _password_base64_encode($input, $count) {
* A 12 character string containing the iteration count and a random salt.
*/
function _password_generate_salt($count_log2) {
$output = '$P$';
$output = '$S$';
// Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT.
$count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT);
// Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT.
......@@ -113,19 +118,23 @@ function _password_generate_salt($count_log2) {
* for an attacker to try to break the hash by brute-force computation of the
* hashes of a large number of plain-text words or strings to find a match.
*
* @param $algo
* The string name of a hashing algorithm usable by hash(), like 'sha256'.
* @param $password
* The plain-text password to hash.
* @param $setting
* An existing hash or the output of _password_generate_salt().
* An existing hash or the output of _password_generate_salt(). Must be
* at least 12 characters (the settings and salt).
*
* @return
* A string containing the hashed password (and salt) or FALSE on failure.
* The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
*/
function _password_crypt($password, $setting) {
function _password_crypt($algo, $password, $setting) {
// The first 12 characters of an existing hash are its setting string.
$setting = substr($setting, 0, 12);
if (substr($setting, 0, 3) != '$P$') {
if ($setting[0] != '$' || $setting[2] != '$') {
return FALSE;
}
$count_log2 = _password_get_count_log2($setting);
......@@ -139,22 +148,21 @@ function _password_crypt($password, $setting) {
return FALSE;
}
// We must use md5() or sha1() here since they are the only cryptographic
// primitives always available in PHP 5. To implement our own low-level
// cryptographic function in PHP would result in much worse performance and
// consequently in lower iteration counts and hashes that are quicker to crack
// (by non-PHP code).
// Convert the base 2 logrithm into an integer.
$count = 1 << $count_log2;
$hash = md5($salt . $password, TRUE);
// We rely on the hash() function being available in PHP 5.2+.
$hash = hash($algo, $salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
$hash = hash($algo, $hash . $password, TRUE);
} while (--$count);
$output = $setting . _password_base64_encode($hash, 16);
$len = strlen($hash);
$output = $setting . _password_base64_encode($hash, $len);
// _password_base64_encode() of a 16 byte MD5 will always be 22 characters.
return (strlen($output) == 34) ? $output : FALSE;
// _password_base64_encode() of a 64 byte sha512 will always be 86 characters.
$expected = 12 + ceil((8 * $len) / 6);
return (strlen($output) == $expected) ? substr($output, 0, DRUPAL_HASH_LENGTH) : FALSE;
}
/**
......@@ -182,7 +190,7 @@ function user_hash_password($password, $count_log2 = 0) {
// Use the standard iteration count.
$count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT);
}
return _password_crypt($password, _password_generate_salt($count_log2));
return _password_crypt('sha512', $password, _password_generate_salt($count_log2));
}
/**
......@@ -201,7 +209,7 @@ function user_hash_password($password, $count_log2 = 0) {
* TRUE or FALSE.
*/
function user_check_password($password, $account) {
if (substr($account->pass, 0, 3) == 'U$P') {
if (substr($account->pass, 0, 2) == 'U$') {
// This may be an updated password from user_update_7000(). Such hashes
// have 'U' added as the first character and need an extra md5().
$stored_hash = substr($account->pass, 1);
......@@ -210,7 +218,23 @@ function user_check_password($password, $account) {
else {
$stored_hash = $account->pass;
}
$hash = _password_crypt($password, $stored_hash);
$type = substr($stored_hash, 0, 3);
switch ($type) {
case '$S$':
// A normal Drupal 7 password using sha512.
$hash = _password_crypt('sha512', $password, $stored_hash);
break;
case '$H$':
// phpBB3 uses "$H$" for the same thing as "$P$".
case '$P$':
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$hash = _password_crypt('md5', $password, $stored_hash);
break;
default:
return FALSE;
}
return ($hash && $stored_hash == $hash);
}
......@@ -234,7 +258,7 @@ function user_check_password($password, $account) {
*/
function user_needs_new_hash($account) {
// Check whether this was an updated password.
if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) {
if ((substr($account->pass, 0, 3) != '$S$') || (strlen($account->pass) != DRUPAL_HASH_LENGTH)) {
return TRUE;
}
// Check whether the iteration count used differs from the standard number.
......
......@@ -206,7 +206,10 @@ function drupal_session_initialize() {
// processes (like drupal_get_token()) needs to know the future
// session ID in advance.
$user = drupal_anonymous_user();
session_id(md5(uniqid('', TRUE)));
// Less random sessions (which are much faster to generate) are used for
// anonymous users than are generated in drupal_session_regenerate() when
// a user becomes authenticated.
session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
}
date_default_timezone_set(drupal_get_user_timezone());
}
......@@ -284,7 +287,7 @@ function drupal_session_regenerate() {
if ($is_https && variable_get('https', FALSE)) {
$insecure_session_name = substr(session_name(), 1);
$params = session_get_cookie_params();
$session_id = md5(uniqid(mt_rand(), TRUE));
$session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
setcookie($insecure_session_name, $session_id, REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], FALSE, $params['httponly']);
$_COOKIE[$insecure_session_name] = $session_id;
}
......
......@@ -294,7 +294,7 @@ function update_fix_d7_requirements() {
global $update_rewrite_settings, $db_url;
if (!empty($update_rewrite_settings)) {
$databases = update_parse_db_url($db_url);
$salt = sha1(drupal_random_bytes(64));
$salt = drupal_hash_base64(drupal_random_bytes(55));
file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ";\n\$drupal_hash_salt = '$salt';", FILE_APPEND);
}
if (drupal_get_installed_schema_version('system') < 7000 && !variable_get('update_d7_requirements', FALSE)) {
......
......@@ -170,10 +170,10 @@ function aggregator_schema() {
),
'hash' => array(
'type' => 'varchar',
'length' => 32,
'length' => 64,
'not null' => TRUE,
'default' => '',
'description' => 'Calculated md5 hash of the feed data, used for validating cache.',
'description' => 'Calculated hash of the feed data, used for validating cache.',
),
'etag' => array(
'type' => 'varchar',
......@@ -275,7 +275,7 @@ function aggregator_schema() {
* Add hash column to aggregator_feed table.
*/
function aggregator_update_7000() {
db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 32, 'not null' => TRUE, 'default' => ''));
db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 64, 'not null' => TRUE, 'default' => ''));
}
/**
......@@ -297,3 +297,4 @@ function aggregator_update_7002() {
));
db_add_index('aggregator_feed', 'queued', array('queued'));
}
......@@ -614,12 +614,12 @@ function aggregator_refresh($feed) {
list($fetcher, $parser, $processors) = _aggregator_get_variables();
$success = module_invoke($fetcher, 'aggregator_fetch', $feed);
// We store the md5 hash of feed data in the database. When refreshing a
// We store the hash of feed data in the database. When refreshing a
// feed we compare stored hash and new hash calculated from downloaded
// data. If both are equal we say that feed is not updated.
$md5 = md5($feed->source_string);
$hash = hash('sha256', $feed->source_string);
if ($success && ($feed->hash != $md5)) {
if ($success && ($feed->hash != $hash)) {
// Parse the feed.
if (module_invoke($parser, 'aggregator_parse', $feed)) {
// Update feed with parsed data.
......@@ -630,7 +630,7 @@ function aggregator_refresh($feed) {
'link' => empty($feed->link) ? $feed->url : $feed->link,
'description' => empty($feed->description) ? '' : $feed->description,
'image' => empty($feed->image) ? '' : $feed->image,
'hash' => $md5,
'hash' => $hash,
'etag' => empty($feed->etag) ? '' : $feed->etag,
'modified' => empty($feed->modified) ? 0 : $feed->modified,
))
......
......@@ -25,7 +25,7 @@ function aggregator_test_menu() {
*/
function aggregator_test_feed($use_last_modified = FALSE, $use_etag = FALSE) {
$last_modified = strtotime('Sun, 19 Nov 1978 05:00:00 GMT');
$etag = md5($last_modified);
$etag = drupal_hash_base64($last_modified);
$if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE;
$if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE;
......
......@@ -154,7 +154,7 @@ function _book_admin_table($node, &$form) {
$tree = book_menu_subtree_data($node->book);
$tree = array_shift($tree); // Do not include the book item itself.
if ($tree['below']) {
$hash = sha1(serialize($tree['below']));
$hash = drupal_hash_base64(serialize($tree['below']));
// Store the hash value as a hidden form element so that we can detect
// if another user changed the book hierarchy.
$form['tree_hash'] = array(
......
......@@ -1273,7 +1273,7 @@ function book_menu_subtree_data($link) {
$data['node_links'] = array();
menu_tree_collect_node_links($data['tree'], $data['node_links']);
// Compute the real cid for book subtree data.
$tree_cid = 'links:' . $item['menu_name'] . ':subtree-data:' . md5(serialize($data));
$tree_cid = 'links:' . $item['menu_name'] . ':subtree-data:' . hash('sha256', serialize($data));
// Cache the data, if it is not already in the cache.
if (!cache_get($tree_cid, 'cache_menu')) {
......
......@@ -329,7 +329,7 @@ function color_scheme_form_submit($form, &$form_state) {
}
// Prepare target locations for generated files.
$id = $theme . '-' . substr(md5(serialize($palette) . microtime()), 0, 8);
$id = $theme . '-' . substr(hash('sha256', serialize($palette) . microtime()), 0, 8);
$paths['color'] = 'public://color';
$paths['target'] = $paths['color'] . '/' . $id;
foreach ($paths as $path) {
......
......@@ -2715,7 +2715,7 @@ class FieldTranslationsTestCase extends FieldTestCase {
$results = _field_invoke('test_op', $entity_type, $entity);
foreach ($results as $langcode => $result) {
$hash = md5(serialize(array($entity_type, $entity, $this->field_name, $langcode, $values[$langcode])));
$hash = hash('sha256', serialize(array($entity_type, $entity, $this->field_name, $langcode, $values[$langcode])));
// Check whether the parameters passed to _field_invoke() were correctly
// forwarded to the callback function.
$this->assertEqual($hash, $result, t('The result for %language is correctly stored.', array('%language' => $langcode)));
......@@ -2757,7 +2757,7 @@ class FieldTranslationsTestCase extends FieldTestCase {
$grouped_results = _field_invoke_multiple('test_op_multiple', $entity_type, $entities);
foreach ($grouped_results as $id => $results) {
foreach ($results as $langcode => $result) {
$hash = md5(serialize(array($entity_type, $entities[$id], $this->field_name, $langcode, $values[$id][$langcode])));
$hash = hash('sha256', serialize(array($entity_type, $entities[$id], $this->field_name, $langcode, $values[$id][$langcode])));
// Check whether the parameters passed to _field_invoke() were correctly
// forwarded to the callback function.
$this->assertEqual($hash, $result, t('The result for entity %id/%language is correctly stored.', array('%id' => $id, '%language' => $langcode)));
......
......@@ -69,7 +69,7 @@ function field_test_menu() {
* This simulates a field operation callback to be invoked by _field_invoke().
*/
function field_test_field_test_op($entity_type, $entity, $field, $instance, $langcode, &$items) {
return array($langcode => md5(serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items))));
return array($langcode => hash('sha256', serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items))));
}
/**
......@@ -81,7 +81,7 @@ function field_test_field_test_op($entity_type, $entity, $field, $instance, $lan
function field_test_field_test_op_multiple($entity_type, $entities, $field, $instances, $langcode, &$items) {
$result = array();
foreach ($entities as $id => $entity) {
$result[$id] = array($langcode => md5(serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items[$id]))));
$result[$id] = array($langcode => hash('sha256', serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items[$id]))));
}
return $result;
}
......
......@@ -410,7 +410,7 @@ function file_managed_file_process($element, &$form_state, $form) {
// Add progress bar support to the upload if possible.
if ($element['#progress_indicator'] == 'bar' && $implementation = file_progress_implementation()) {
$upload_progress_key = md5(mt_rand());
$upload_progress_key = mt_rand();
if ($implementation == 'uploadprogress') {
$element['UPLOAD_IDENTIFIER'] = array(
......
......@@ -98,7 +98,7 @@ function filter_schema() {
);
$schema['cache_filter'] = drupal_get_schema_unprocessed('system', 'cache');
$schema['cache_filter']['description'] = 'Cache table for the Filter module to store already filtered pieces of text, identified by text format and md5 hash of the text.';
$schema['cache_filter']['description'] = 'Cache table for the Filter module to store already filtered pieces of text, identified by text format and hash of the text.';
return $schema;
}
......
......@@ -681,7 +681,7 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE)
$cache = $cache && !empty($format->cache);
$cache_id = '';
if ($cache) {
$cache_id = $format->format . ':' . $langcode . ':' . md5($text);
$cache_id = $format->format . ':' . $langcode . ':' . hash('sha256', $text);
if ($cached = cache_get($cache_id, 'cache_filter')) {
return $cached->data;
}
......
......@@ -632,19 +632,19 @@ function image_style_generate() {
$path = implode('/', $args);
$path = $scheme . '://' . $path;
$path_md5 = md5($path);
$path_hash = drupal_hash_base64($path);
$destination = image_style_path($style['name'], $path);
// Check that it's a defined style and that access was granted by
// image_style_url().
if (!$style || !cache_get('access:' . $style_name . ':' . $path_md5, 'cache_image')) {
if (!$style || !cache_get('access:' . $style_name . ':' . $path_hash, 'cache_image')) {
drupal_access_denied();
drupal_exit();
}
// Don't start generating the image if the derivate already exists or if
// generation is in progress in another thread.
$lock_name = 'image_style_generate:' . $style_name . ':' . $path_md5;